DIVD-2025-00031 - Critical vulnerabilities in Citrix ADC and Gateway systems

Our reference DIVD-2025-00031
Case lead Davy Aarts
Author Victor Pasman
Researcher(s)
CVE(s)
Products
  • Citrix ADC (NetScaler ADC)
  • Citrix Gateway (NetScaler Gateway)
Versions
  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
Recommendation Update your system to the latest patched version
Patch status Fully patched
Status Open
Last modified 11 Jul 2025 11:34 CEST

Summary

On 18 June 2025 and 25 June 2025, Citrix released patches for vulnerabilities in Citrix ADC (formerly NetScaler ADC) and Citrix Gateway (formerly NetScaler Gateway) appliances. These vulnerabilities affect systems configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server and may lead to memory overreads (CVE-2025-5777) or memory overflow with unintended control flow and Denial of Service (CVE-2025-6543).

Exploitation of unpatched appliances has been observed.

What you can do

To remediate CVE-2025-5777 and CVE-2025-6543, apply the patch to impacted products as soon as possible. The latest patched builds are available via Citrix Support.

For impacted 13.1-FIPS and 13.1-NDcPP builds, customers should contact Citrix support to obtain the necessary versions.
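To turn the version ranges listed in this case file into something an administrator can run against an inventory, the following is an added example written for this page; it is not DIVD or Citrix code. It encodes the three fixed builds from the Versions field, parses build strings in the advisory's own notation (e.g. `14.1-47.46`, `13.1-37.236-FIPS`), and applies the exposure condition from the Summary (only Gateway or AAA virtual server configurations are affected). The `BANNER_RE` pattern for the `show ns version` banner, the `triage` result labels and the sample inventory are assumptions constructed for the example.

```python
"""Check NetScaler ADC / Gateway build strings against the fixed builds
listed in DIVD-2025-00031. Added illustration, not DIVD or Citrix code."""
import re
from typing import Optional, Tuple

# Fixed builds from the case file. A build strictly BEFORE the fixed build on
# its branch is affected. Keyed on (branch, is_fips_or_ndcpp_build).
FIXED_BUILDS = {
    ("14.1", False): (14, 1, 47, 46),    # 14.1 before 14.1-47.46
    ("13.1", False): (13, 1, 59, 19),    # 13.1 before 13.1-59.19
    ("13.1", True):  (13, 1, 37, 236),   # 13.1-FIPS/NDcPP before 13.1-37.236
}

# Advisory-style notation, e.g. "14.1-47.46" or "13.1-37.236-FIPS".
ADVISORY_RE = re.compile(
    r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)
# ASSUMED layout of the `show ns version` banner, e.g.
# "NetScaler NS14.1: Build 47.46.nc, Date: ...". Verify against your own
# appliance output before relying on it.
BANNER_RE = re.compile(
    r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_build(text: str) -> Tuple[Tuple[int, int, int, int], bool]:
    """Return ((major, minor, build, rev), hardened), hardened being True for
    a FIPS/NDcPP build. Raises ValueError on unrecognised input."""
    m = ADVISORY_RE.match(text.strip())
    if m:
        major, minor, build, rev, suffix = m.groups()
        return (int(major), int(minor), int(build), int(rev)), suffix is not None
    m = BANNER_RE.search(text)
    if m:
        major, minor, build, rev = m.groups()
        # The banner carries no FIPS marker; the caller must state it.
        return (int(major), int(minor), int(build), int(rev)), False
    raise ValueError(f"unrecognised NetScaler build string: {text!r}")


def is_vulnerable(text: str, hardened: Optional[bool] = None) -> Optional[bool]:
    """True if the build is before the fixed build for its branch, False if it
    is at or past it, None if the branch is not in the case file's table.
    `hardened` overrides the FIPS/NDcPP flag parsed from the string."""
    version, parsed_hardened = parse_build(text)
    if hardened is None:
        hardened = parsed_hardened
    branch = f"{version[0]}.{version[1]}"
    fixed = FIXED_BUILDS.get((branch, hardened))
    if fixed is None:
        return None
    return version < fixed


def triage(text: str, gateway_or_aaa: bool,
           hardened: Optional[bool] = None) -> str:
    """Combine the build check with the exposure condition from the Summary:
    only appliances configured as Gateway or AAA virtual server are affected.
    A vulnerable build still needs the patch either way."""
    vuln = is_vulnerable(text, hardened)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "patched"
    return "vulnerable-exposed" if gateway_or_aaa else "vulnerable-not-exposed"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    inventory = [
        ("ns-a", "14.1-43.50", True),
        ("ns-b", "NetScaler NS13.1: Build 59.19.nc, Date: Jun 10 2025", True),
        ("ns-c", "13.1-37.235-FIPS", False),
        ("ns-d", "12.1-55.300", True),
    ]
    for name, build, exposed in inventory:
        print(f"{name}: {triage(build, exposed)}")
```

Because the banner form does not reveal whether an appliance runs a FIPS/NDcPP build, pass `hardened=True` explicitly for those units; otherwise a 13.1-37.x FIPS build would be compared against the regular 13.1 threshold.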

What we are doing

DIVD is currently scanning for vulnerable Citrix ADC and Gateway appliances and notifying affected parties.

Timeline

Date         Description
18 Jun 2025  Citrix releases a security bulletin for CVE-2025-5777 and CVE-2025-5349
24 Jun 2025  DIVD started scanning for vulnerable servers
25 Jun 2025  Citrix releases a security bulletin for CVE-2025-6543
26 Jun 2025  First version of this case file
26 Jun 2025  DIVD sent out a first batch of notifications
10 Jul 2025  DIVD started scanning a second time for vulnerable servers
11 Jul 2025  DIVD sent out a second batch of notifications

More information