What is Citrix NetScaler ADC and Gateway?
Citrix NetScaler ADC and NetScaler Gateway are enterprise networking appliances deployed at organizational perimeters for load balancing, SSL offloading, and remote access VPN. See CVE-2025-7775 and CVE-2025-6543 for the broader context on NetScaler vulnerabilities in 2025.
Overview
CVE-2025-5777 is a pre-authentication out-of-bounds read vulnerability (CWE-125) in Citrix NetScaler ADC and Gateway. Unauthenticated remote attackers can read memory from the appliance beyond an allocated buffer, potentially exposing session tokens, credentials, and encryption keys cached in memory. CISA issued a 1-day emergency deadline (added July 10, deadline July 11) — reflecting critical active ransomware exploitation. The vulnerability requires Gateway or AAA virtual server configuration and was patched in the same advisory (CTX693420) as CVE-2025-6543.
Affected Versions
| Branch | Vulnerable | Fixed |
|---|---|---|
| NetScaler ADC/Gateway 14.1 | < 14.1-47.46 | 14.1-47.46 |
| NetScaler ADC/Gateway 13.1 | < 13.1-59.19 | 13.1-59.19 |
| NetScaler ADC 13.1-FIPS | < 13.1-37.236 | 13.1-37.236 |
Configuration requirement: The appliance is vulnerable only when configured as a Gateway (VPN vserver, ICA Proxy, CVPN, RDP Proxy) or as an AAA vserver.
Technical Details
The out-of-bounds read (CWE-125) occurs in the Gateway/AAA processing path when handling unauthenticated HTTP requests. Insufficient input validation allows a crafted request to cause the processing code to read beyond the end of an allocated buffer, returning adjacent heap memory to the attacker.
Memory disclosure impact: NetScaler's memory may contain active SSL session tokens, cached LDAP/RADIUS authentication credentials, encryption keys for TLS sessions, and other sensitive cryptographic material. An attacker who reads active session tokens can impersonate authenticated VPN sessions without valid credentials.
This vulnerability is distinct from CVE-2025-6543 (buffer overflow, DoS/RCE) and CVE-2025-7775 (memory overflow, RCE) — CVE-2025-5777 is a read-only memory disclosure, not an RCE, but the data it exposes can enable authentication bypass.
Exploitation Context
The 1-day CISA deadline reflects confirmed active ransomware exploitation. Ransomware groups used session token theft to bypass VPN authentication and access internal networks. Known ransomware use is confirmed. CISA's one-day deadline was one of the shortest ever issued under BOD 22-01.
Remediation
- Patch immediately: NetScaler 14.1-47.46+, 13.1-59.19+, 13.1-37.236-FIPS+. The deadline was July 11, 2025.
- Force re-authentication of all active VPN sessions post-patch to invalidate potentially disclosed tokens.
- Review Gateway logs for sessions from unusual source IPs authenticated with valid tokens — a sign of token theft.
- Apply the companion patch for CVE-2025-6543 from the same advisory CTX693420.
- Restrict internet access to the Gateway vserver where your access model allows it.
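The log review step above can be automated once Gateway session events are exported into a flat form. The following is an added example, not Citrix tooling or code from the advisory: the CSV schema, field names, and sample records are constructed for illustration and assume you have already normalized your own logs into this shape.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample: session events normalized to CSV (hypothetical schema,
# not a NetScaler log format). Addresses come from documentation ranges.
SAMPLE_EVENTS = """\
timestamp,session_id,user,src_ip,event
2025-07-09T08:01:12Z,sess-a1,alice,198.51.100.23,LOGIN
2025-07-09T08:05:40Z,sess-a1,alice,198.51.100.23,REQUEST
2025-07-09T08:07:02Z,sess-a1,alice,203.0.113.77,REQUEST
2025-07-09T09:15:00Z,sess-b2,bob,192.0.2.10,LOGIN
2025-07-09T09:20:31Z,sess-b2,bob,192.0.2.10,REQUEST
2025-07-09T10:00:00Z,sess-c3,carol,203.0.113.5,REQUEST
"""


def find_suspect_sessions(csv_text, trusted_nets=()):
    """Flag sessions used from an IP other than the one that authenticated."""
    trusted = [ip_network(n) for n in trusted_nets]  # e.g. known egress NAT ranges
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["timestamp"])
    login_ip, seen, findings = {}, set(), []
    for r in rows:
        sid, ip = r["session_id"], ip_address(r["src_ip"])
        if r["event"] == "LOGIN":
            login_ip[sid] = ip
            continue
        if sid not in login_ip:
            reason = "no_login_seen"  # token in use, authentication not in the window
        elif ip != login_ip[sid] and not any(ip in n for n in trusted):
            reason = "ip_changed"  # roaming clients also trigger this; triage by user
        else:
            continue
        key = (sid, str(ip), reason)
        if key in seen:  # report each (session, IP, reason) once
            continue
        seen.add(key)
        findings.append({"session_id": sid, "user": r["user"],
                         "src_ip": str(ip), "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspect_sessions(SAMPLE_EVENTS):
        print(finding)
```

Sessions flagged here are candidates for forced termination and user follow-up, not proof of compromise; extend the log window before acting on `no_login_seen` results.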
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-5777 |
| Vendor / Product | Citrix — NetScaler ADC and Gateway |
| NVD Published | 2025-06-17 |
| NVD Last Modified | 2025-10-30 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Severity | HIGH |
| CWE | CWE-125 |
| CISA KEV Added | 2025-07-10 |
| CISA KEV Deadline | 2025-07-11 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2025-06-17 | CVE published; Citrix releases patches CTX693420 |
| 2025-07-10 | Added to CISA Known Exploited Vulnerabilities catalog with 1-day emergency deadline |
| 2025-07-11 | CISA BOD 22-01 emergency remediation deadline |
References
| Resource | Type |
|---|---|
| Citrix Security Advisory CTX693420 | Vendor Advisory |
| NVD — CVE-2025-5777 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |