Citrix NetScaler ADC/Gateway Vulnerability Patched Amidst Wild Exploitation

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, confirming the vulnerability has been exploited in the wild. The vulnerability, CVE-2025-5777, stems from insufficient input validation and can be abused to bypass authentication.

CISA warns that this vulnerability, known as Citrix Bleed 2, is a frequent attack vector for malicious cyber actors and poses significant risk to the federal enterprise. Federal agencies must implement mitigations by July 11, including upgrading to the patched builds listed in Citrix’s June 17 advisory.

Security researchers have reported exploitation attempts originating from unique malicious IP addresses located in Bulgaria, the US, China, Egypt, and Finland, targeting environments with vulnerable GeoServer installations on both Windows and Linux hosts. The KEV listing comes as a second flaw in the same product (CVE-2025-6543) has also come under active exploitation.

To mitigate this flaw, organizations should immediately upgrade to patched builds and forcibly terminate all active sessions, especially those authenticated via AAA or Gateway. They should also inspect logs for suspicious requests and review responses for unexpected XML data.

Source: https://thehackernews.com/2025/07/cisa-adds-citrix-netscaler-cve-2025.html