Citrix is once again grappling with serious security vulnerabilities in its NetScaler ADC and Gateway appliances. The three new vulnerabilities, designated CVE-2025-5349, CVE-2025-5777 and CVE-2025-6543, score high on the CVSS scale (8.7 to 9.3), qualifying them as critical. And although the vendor quickly released patches, the situation is reminiscent of the events of 2023, when a zero-day vulnerability led to massive attacks on Citrix users.
This time the flaws involve memory disclosure (out-of-bounds reads) from the VPN servers, as well as a classic buffer overflow. CVE-2025-6543 looks particularly dangerous: according to Citrix it is already being actively exploited and can take the appliance out of service entirely.
The manufacturer’s recommendations are clear: customers on older builds (for example, any 14.1 build before 14.1-43.56 or any 13.1 build before 13.1-58.32) should upgrade as soon as possible. In addition, for the patch for the first two vulnerabilities to be fully effective, Citrix recommends terminating active VPN sessions, which is reminiscent of the 'Citrix Bleed' experience, when patching the system alone was not enough to stop the attacks.
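An added example of the build check an administrator would run against an inventory of appliances; it is not Citrix's own tooling and is not from the article. The fixed builds are the ones quoted above; the "NetScaler NS14.1: Build 43.56.nc" input form is assumed to match what `show ns version` prints, and branches the article does not list are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds per branch, as stated in the advisory summary above.
# Branches not listed here are reported as unknown, not as patched.
FIXED_BUILDS = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}

# Accepts "14.1-43.56" and the "NetScaler NS14.1: Build 43.56.nc" form
# (the latter is the assumed output format of `show ns version`).
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<maj>\d+)\.(?P<min>\d+)(?:-|:\s*Build\s+)(?P<b1>\d+)\.(?P<b2>\d+)"
)

Branch = Tuple[int, int]
Build = Tuple[int, int]


def parse_version(text: str) -> Optional[Tuple[Branch, Build]]:
    """Return ((major, minor), (build, sub)) or None if the string is not understood."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m["maj"]), int(m["min"])), (int(m["b1"]), int(m["b2"]))


def is_patched(text: str) -> Optional[bool]:
    """True if at or after the fixed build, False if older, None if branch or format unknown."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    # Tuple comparison handles "43.56" vs "43.7" correctly (numeric, not string order).
    return build >= fixed


if __name__ == "__main__":
    # Constructed sample inventory lines, not real appliance data.
    for line in ["14.1-43.56", "14.1-43.50", "NetScaler NS13.1: Build 58.32.nc", "12.1-55.300"]:
        print(f"{line!r}: patched={is_patched(line)}")
```

A `True` result covers the build check only; the advisory's extra step of terminating active VPN sessions for the first two CVEs still applies.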
Although Citrix now operates faster and more transparently than it did two years ago, the new incidents are causing legitimate concern among administrators. In 2023, the zero-day vulnerability was still being exploited long after the patch was released, and many organisations were not fully aware of the threat. This time, the vendor warns that one of the bugs is already being exploited, which should be a wake-up call.
Scale of the problem not yet known
For now, there is no data to assess the scale of the potential compromise, but given that NetScaler is a widely used product in financial institutions, government and large companies – the threat should be taken seriously. It is also hard not to notice that out-of-bounds read and buffer overflow vulnerabilities are classic attack vectors for gaining access to sensitive data and even taking control of a device.
For Citrix, this is another test of trust. In an era of increasingly sophisticated attacks, VPN infrastructure manufacturers cannot afford a repeat of the past. All the more so as the competition is not sleeping and the security sector has gained new strategic importance in the age of widespread digitalisation.
Lessons learned? Learning from others' mistakes is good; learning from your own is costly. Citrix has a chance today to show that it has learned its lessons from ‘Bleed 1.0’. Users should take care not to repeat their own.