June 26, 2025 by Anil Shetty netscaler.com
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread.
Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related.
The description of the vulnerability on the NIST website for CVE-2025-5777 initially erroneously identified NetScaler Management Interface as implicated in the vulnerability, but they subsequently updated the description to exclude it. The most accurate description of CVE 2025-5777 can be found in the Citrix security bulletin published on June 17, 2025.
Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE 2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details.
Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response.
Additionally, there’s an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19. This can manifest as a “broken” login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade. For more information on this issue please refer to the KB article.
Severity - Critical
Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.
Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Details
NetScaler ADC and NetScaler Gateway contain the vulnerabilities mentioned below:
CVE ID Description Pre-conditions CWE CVSSv4
CVE-2025-5349 Improper access control on the NetScaler Management Interface Access to NSIP, Cluster Management IP or local GSLB Site IP CWE-284: Improper Access Control
CVSS v4.0 Base Score: 8.7
(CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
CVE-2025-5777 Insufficient input validation leading to memory overread NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server CWE-125: Out-of-bounds Read
CVSS v4.0 Base Score: 9.3
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations.
#CISA #Computer #Cring #Critical #FBI #Ghost #InfoSec #Infrastructure #Ransomware #Security
On 18 November 2024, Palo Alto Networks issued a security advisory for an authentication bypass vulnerability in the PAN-OS management web interface. The vulnerability is tracked under CVE-2024-0012 [1] and has a CVSS score for this is 9.3 [2]. The vulnerability allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. As the Northwave CERT has already observed mass exploitation by multiple threat actors, we urge all recipients to implement mitigation measures and patch their systems.
I found a zero-click vulnerability in macOS Calendar, which allows an attacker to add or delete arbitrary files inside the Calendar sandbox environment. This could lead to many bad things including malicious code execution which can be combined with security protection evasion with Photos to compromise users’ sensitive Photos iCloud Photos data. Apple has fixed all of the vulnerabilities between October 2022 and September 2023.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.
The U.S. Treasury Department has sanctioned a Wuhan-based company used by the Chinese Ministry of State Security (MSS) as cover in attacks against U.S. critical infrastructure organizations.
#APT31 #China #Computer #Critical #InfoSec #Infrastructure #Sanctions #Security #USA