Over 7,000 Citrix NetScaler appliances remain unpatched against two critical vulnerabilities: CVE-2025-5777 and CVE-2025-6543.
Despite multiple advisories from Citrix, CISA’s KEV catalog entries, and updates from national cybersecurity agencies—including the Dutch NCSC—threat actors continue to target unmitigated devices at scale.
Key Takeaways
1. Over 7,000 Citrix NetScaler appliances remain unpatched for CVE-2025-5777 (3,312) and CVE-2025-6543.
2. Active zero-day exploitation has been confirmed.
3. Immediate upgrades to fixed builds are essential.
Widespread Exposure and Real-World Exploitation
Shadowserver Foundation telemetry reveals 3,312 unique NetScaler IPs still exposed to CVE-2025-5777 (“Insufficient input validation leading to memory overread”) and 4,142 to CVE-2025-6543 (“Memory overflow resulting in unintended control flow and potential Denial of Service”).
Figure: IPs Exposed
Both vulnerabilities carry CVSS v4.0 base scores above 9.0, classifying them as Critical and capable of full system compromise without authentication.
Proof-of-Concept (PoC) exploits for CVE-2025-5777 manipulate the VPN virtual server or AAA virtual server HTTP handlers to trigger an out-of-bounds read (CWE-125), allowing remote code execution.
Meanwhile, CVE-2025-6543 leverages a buffer overflow (CWE-119) in RDP Proxy modules under high-load conditions to hijack execution and deploy web shells.
Automated scanning campaigns have already detected large-scale probe attempts, with sensor logs confirming successful payload delivery in live environments.
Citrix issued Security Bulletins for CVE-2025-5777 and CVE-2025-6543 in June and July 2025, respectively. Affected versions include:
ADC & Gateway 14.1 before 14.1-43.56 (5777) and before 14.1-47.46 (6543)
ADC & Gateway 13.1 before 13.1-58.32 (5777) and before 13.1-59.19 (6543)
13.1-FIPS / NDcPP builds prior to 13.1-37.235 (5777) and 13.1-37.236 (6543)
12.1-FIPS for CVE-2025-5777 (and also vulnerable to 6543 under hybrid deployments)
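The version list above is easiest to act on as a check that can be run against an appliance inventory. The following Python script is an added example, not Citrix's tooling, and it encodes only the fixed build numbers the bulletins list above; the version-string format it parses ("14.1-43.56" or the "NS14.1: Build 43.56.nc" form of `show ns version`) and the hostnames in the sample inventory are assumptions. Because the 13.1-FIPS/NDcPP line uses its own build numbering, the caller must say whether an appliance is a FIPS build; otherwise a 13.1-37.x FIPS box would be wrongly compared against the mainline 13.1 fixed builds.

```python
import re

# Fixed builds as listed in the Citrix bulletins cited in the article.
# Keys are release branches; the FIPS/NDcPP 13.1 line has its own numbering.
FIXED_BUILDS = {
    "14.1":      {"CVE-2025-5777": "14.1-43.56",  "CVE-2025-6543": "14.1-47.46"},
    "13.1":      {"CVE-2025-5777": "13.1-58.32",  "CVE-2025-6543": "13.1-59.19"},
    "13.1-FIPS": {"CVE-2025-5777": "13.1-37.235", "CVE-2025-6543": "13.1-37.236"},
}
CVES = ("CVE-2025-5777", "CVE-2025-6543")

# Accepts "14.1-43.56" as well as the "NS14.1: Build 43.56.nc" form
# printed by `show ns version` (assumed format).
VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)[:\s-]+(?:Build\s+)?(\d+)\.(\d+)")


def parse_build(text):
    """Return (major, minor, build, sub) as ints, e.g. (14, 1, 43, 56)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text, fips=False):
    """Map each CVE to 'fixed', 'vulnerable' or 'unknown branch' for one appliance.

    `fips` must be set for 13.1-FIPS/NDcPP and 12.1-FIPS builds, because their
    build numbers are not comparable with the mainline 13.1 numbering.
    """
    ver = parse_build(version_text)
    branch = f"{ver[0]}.{ver[1]}" + ("-FIPS" if fips else "")
    if branch == "12.1-FIPS":
        # The article lists 12.1-FIPS as affected by CVE-2025-5777 and, in
        # hybrid deployments, by CVE-2025-6543, without giving a fixed build.
        return {"CVE-2025-5777": "vulnerable",
                "CVE-2025-6543": "vulnerable (hybrid deployments)"}
    if branch not in FIXED_BUILDS:
        return {cve: "unknown branch" for cve in CVES}
    # Tuple comparison: (major, minor, build, sub) >= fixed build means patched.
    return {
        cve: "fixed" if ver >= parse_build(fixed) else "vulnerable"
        for cve, fixed in FIXED_BUILDS[branch].items()
    }


if __name__ == "__main__":
    # Constructed inventory for illustration: (hostname, version string, is_fips)
    inventory = [
        ("ns-dc1-01", "NS14.1: Build 43.56.nc", False),
        ("ns-dc1-02", "14.1-47.46", False),
        ("ns-fips-01", "13.1-37.235", True),
        ("ns-legacy", "12.1-55.10", True),
    ]
    for host, version, fips in inventory:
        status = assess(version, fips)
        print(f"{host:12} {version:26} "
              + "  ".join(f"{cve}: {state}" for cve, state in status.items()))
```

Note that a build fixed for CVE-2025-5777 (for example 14.1-43.56) is still below the CVE-2025-6543 fixed build on the same branch, so an appliance patched in June can still show as vulnerable for the July issue; the check reports the two CVEs separately for that reason.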
Figure: Vulnerable Location
Mitigation Guidelines
Cloud Software Group strongly urges an immediate upgrade to the fixed releases and recommends executing post-patch cleanup commands to terminate lingering sessions:
These steps align with CISA’s KEV guidance and the Dutch NCSC’s defense-in-depth recommendations, which emphasize network segmentation, continuous monitoring, and forensic readiness.
Patching alone does not guarantee the eradication of advanced persistent threats. Organizations should:
Validate IOCs: Cross-reference IDS/IPS and SIEM logs for web-shell signatures and anomalous HTTP/HTTPS traffic patterns.
Harden Configurations: Enforce least-privilege access on the NetScaler Management Interface (NSIP) and segregate administrative VLANs.
Implement Defense-in-Depth: Combine network ACLs, WAF rules, and endpoint EDR to detect exploitation attempts and lateral movement.
Conduct Regular Audits: Perform vulnerability scans, penetration tests, and patch audits monthly.
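The "validate IOCs" and "harden configurations" items above can be combined into one concrete SIEM check: any connection to the NetScaler management address (NSIP) that does not originate from the administrative VLAN is worth an alert, regardless of whether a known web-shell signature matched. The script below is an added example, not part of the article or of any vendor tooling. The key=value log format, the NSIP 10.0.0.5, the admin VLAN 10.10.50.0/24 and the sample lines are all constructed for illustration; in practice the regex would be adapted to the flow or access-log format the SIEM actually ingests.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed deployment facts (assumptions): the appliance's management
# address and the only network from which administration is permitted.
NSIP = ipaddress.ip_address("10.0.0.5")
ADMIN_NETS = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed key=value flow/access log format, not real appliance output.
LOG_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)"
)

# Constructed sample lines: one legitimate admin call, one management-API call
# from the internet, one ordinary VPN request to a VIP, one SSH attempt to the
# NSIP from a user VLAN.
SAMPLE_LOG = """\
ts=2025-07-10T10:00:01Z src=10.10.50.12 dst=10.0.0.5 dport=443 method=GET path=/nitro/v1/stat/system
ts=2025-07-10T10:00:05Z src=198.51.100.23 dst=10.0.0.5 dport=443 method=POST path=/nitro/v1/config/system
ts=2025-07-10T10:00:09Z src=203.0.113.9 dst=10.0.0.20 dport=443 method=GET path=/vpn/index.html
ts=2025-07-10T10:00:12Z src=10.20.7.4 dst=10.0.0.5 dport=22 method=- path=-
"""


@dataclass
class Finding:
    ts: str
    src: str
    dport: int
    path: str


def find_nsip_access_violations(log_text, nsip=NSIP, admin_nets=ADMIN_NETS):
    """Return one Finding per connection to the NSIP from outside the admin VLAN.

    Traffic to VIPs (VPN/AAA virtual servers) is ignored: it is expected to come
    from anywhere. Only the management address is subject to the allow-list.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if ipaddress.ip_address(m["dst"]) != nsip:
            continue
        src_ip = ipaddress.ip_address(m["src"])
        if any(src_ip in net for net in admin_nets):
            continue
        findings.append(Finding(m["ts"], m["src"], int(m["dport"]), m["path"]))
    return findings


if __name__ == "__main__":
    for f in find_nsip_access_violations(SAMPLE_LOG):
        print(f"ALERT {f.ts} NSIP reached from non-admin source {f.src} "
              f"(port {f.dport}, path {f.path})")
```

On the constructed sample this flags two events, the management-API call from an internet address and the SSH attempt from a user VLAN, and stays silent on the VIP traffic. The same allow-list is what a network ACL in front of the NSIP should enforce; running the check over historical logs shows whether that ACL was ever bypassed before the patch was applied.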
With 7,000+ Citrix NetScaler devices still vulnerable to CVE-2025-5777 and CVE-2025-6543, security teams must escalate remediation efforts immediately.
Failure to act swiftly risks further compromise, data exfiltration, and service outages. Continuous collaboration between vendors, CERTs, and cybersecurity communities is essential to safeguard critical application delivery infrastructure moving forward.