CitrixBleed 2.0 – CVE-2025-6543 and CVE-2025-5777

CitrixBleed 2.0? A Deep Dive into CVE-2025-6543 and CVE-2025-5777
In June 2025, Citrix published security bulletins and patches for two critical vulnerabilities in its NetScaler ADC and NetScaler Gateway appliances. The two flaws, CVE-2025-5777 and CVE-2025-6543, are especially dangerous not only because they sit in widely deployed, internet-facing infrastructure, but because Citrix's own bulletin for CVE-2025-6543 states that exploitation has already been observed in the wild.
Both flaws are reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is exactly how remote-access and VPN-heavy environments deploy it. Security researchers quickly drew parallels to the 2023 CitrixBleed vulnerability (CVE-2023-4966), and with good reason: between them these issues can cause service outages, memory corruption, and disclosure of live session tokens.
How These Vulnerabilities Work
CVE-2025-6543: Gateway Memory Overflow
This vulnerability stems from a memory overflow in NetScaler's nsppe packet-processing process, described in Citrix's bulletin as a memory overflow leading to unintended control flow and denial of service. When the appliance is configured as a Gateway or AAA virtual server, it exposes an endpoint that mishandles user-supplied data: malformed input to certain AAA endpoints causes a write beyond the intended buffer.
The overflow can crash the process, and under the right conditions it can also let an attacker influence the program's control flow. Citrix has not published the affected code; the bug class looks like the following pattern (a fixed-size stack buffer is shown for brevity, but an unbounded copy into a heap allocation fails the same way):
void handle_field(const char *user_supplied_input) {
    char buffer[512];
    strcpy(buffer, user_supplied_input); /* NO boundary check: anything longer than 511 bytes writes past buffer */
}
Once exploited, the overflow allows the attacker to crash the authentication service or potentially execute arbitrary code with elevated privileges.
CVE-2025-5777: Token Theft via Memory Disclosure
The second flaw is what Citrix describes as insufficient input validation leading to a memory overread, and it is triggered by unauthenticated requests. Public analysis of the patch showed the trigger to be a login request whose login form field is sent without a value: the appliance then echoes a small slice of uninitialised memory back to the client inside the <InitialValue> element of its XML response. That memory can contain session tokens, usernames, or fragments of SAML assertions left behind by earlier requests.
This behaviour closely resembles CitrixBleed (CVE-2023-4966), where attackers stole live authentication tokens and bypassed multi-factor authentication. The key difference is how quiet it is: the malformed request does not crash anything and produces no obvious error, so a single probe looks like a failed login. Because each request leaks only a small amount of memory, an attacker repeats it many times, and that repetition is the main detection opportunity: bursts of POSTs to the authentication endpoint from one source with no successful login behind them.
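Both bug classes above (the unbounded copy behind CVE-2025-6543 and the stale-memory echo behind CVE-2025-5777), as an added example that is not NetScaler code and does not reproduce the real vulnerable functions, which Citrix has not published: a toy login-form handler with the strcpy pattern the text sketches next to a bounded copy, and a field parser that returns a reused, never-cleared scratch buffer when the login field arrives without a value, next to a version that rejects the malformed field and never hands out uninitialised data. Buffer size, function names and the sample request bodies are hypothetical.

```c
/* Added example (not NetScaler code). Models the two bug classes discussed
 * in the text; all names, sizes and requests are hypothetical. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 512   /* hypothetical fixed-size field buffer */

/* Scratch buffer reused across requests, like a long-lived per-connection
 * buffer in a packet engine. Nothing clears it between requests, so it
 * stands in for "uninitialised" memory whose content is whatever the
 * previous request left behind (in the real bug: session tokens). */
static char scratch[FIELD_MAX];

/* ---- CVE-2025-6543 analogue: unbounded copy ---------------------------- */

/* UNSAFE: the strcpy() pattern from the text. Shown only for comparison;
 * never call it with untrusted input. */
void copy_field_unsafe(char *dst, const char *src) {
    strcpy(dst, src);   /* NO boundary check */
}

/* FIXED: the caller passes the destination capacity and the input length;
 * input that does not fit (including the terminating NUL) is rejected
 * rather than written past the buffer. Returns 0 on success, -1 if not. */
int copy_field_bounded(char *dst, size_t cap, const char *src, size_t len) {
    if (cap == 0 || len >= cap) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Convenience check: does `src` fit in a field of `cap` bytes? */
int field_fits(size_t cap, const char *src) {
    char tmp[FIELD_MAX];
    if (cap > sizeof tmp) cap = sizeof tmp;
    return copy_field_bounded(tmp, cap, src, strlen(src)) == 0;
}

/* ---- CVE-2025-5777 analogue: echoing stale memory ---------------------- */

/* Parses one "login=value" form field into `scratch` and returns the value
 * the server will echo back in its response, as NetScaler echoes the
 * submitted login name in its XML reply. */

/* UNSAFE: a field with no '=' is treated as "empty", but scratch is never
 * written, so whatever the previous request left there goes to the client. */
const char *parse_login_unsafe(const char *body) {
    const char *eq = strchr(body, '=');
    if (eq == NULL)
        return scratch;                             /* stale bytes leak */
    if (copy_field_bounded(scratch, sizeof scratch, eq + 1, strlen(eq + 1)) != 0)
        return "";                                  /* value too long */
    return scratch;
}

/* FIXED: the malformed field is an error, and scratch is initialised before
 * anything can be returned from it. NULL means "reject the request". */
const char *parse_login_fixed(const char *body) {
    const char *eq = strchr(body, '=');
    scratch[0] = '\0';
    if (eq == NULL) return NULL;                    /* reject, do not echo */
    if (copy_field_bounded(scratch, sizeof scratch, eq + 1, strlen(eq + 1)) != 0)
        return NULL;
    return scratch;
}

/* Replays the leak against either parser: request 1 is a legitimate login,
 * request 2 is the malformed probe (field name, no '='). Returns whatever
 * the probe's response would echo. Both requests are constructed samples. */
const char *demo_leak(const char *(*parse)(const char *)) {
    parse("login=alice%40example.com");
    return parse("login");
}

int main(void) {
    const char *r;
    printf("unsafe parser echoes: \"%s\"\n", demo_leak(parse_login_unsafe));
    r = demo_leak(parse_login_fixed);
    printf("fixed parser returns: %s\n", r ? r : "(request rejected)");
    return 0;
}
```

The unsafe parser returns the previous user's login name in response to a request that never supplied one; in the real appliance the echoed bytes come from whatever the memory held, which is why tokens rather than just usernames leak. The fix is two independent changes, rejecting the malformed field and never returning uninitialised memory, and both are needed: either one alone still leaves a path to the other failure.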
Risks and Implications
CVE-2025-6543 can be used to crash the VPN Gateway service, resulting in immediate Denial of Service. In more advanced attacks, the vulnerability could lead to remote code execution (RCE) if heap memory is manipulated effectively.
CVE-2025-5777, although not as overtly destructive, is perhaps more dangerous. By leaking valid session tokens, attackers can establish VPN connections as legitimate users, bypassing authentication altogether. This makes detection extremely difficult.
Real-World Exploitation
CVE-2025-6543 is being exploited in the wild: Citrix's bulletin says so, and CISA has since added both CVEs to its Known Exploited Vulnerabilities catalog. Reports describe NetScaler services crashing followed shortly by anomalous session activity, a pattern consistent with token replay. Thousands of vulnerable appliances remain exposed on the public internet, and proof-of-concept exploit code for the memory-disclosure bug is publicly available.
Attackers are likely combining the crash exploit (6543) with the session hijack (5777) to gain stealth access. The same playbook used in CitrixBleed appears to be in motion again.
What You Should Do
Patch Immediately: Upgrade your appliances to the fixed builds from Citrix's bulletin for CVE-2025-6543 (these are later than the CVE-2025-5777 fixes, so they close both holes):
- 14.1 → 14.1-47.46 or later
- 13.1 → 13.1-59.19 or later
- 13.1 FIPS/NDcPP → 13.1-37.236 or later
NetScaler 12.1 and 13.0 are end of life and receive no fix; appliances on those branches have to move to a supported branch.
Revoke Active Sessions: Patching does not invalidate tokens that were already stolen. After every node in an HA pair or cluster is upgraded, terminate existing sessions from the NetScaler CLI, as Citrix recommends:
kill icaconnection -all
kill pcoipConnection -all
Those two cover ICA and PCoIP sessions; if the appliance also fronts AAA or full VPN users, clear those sessions as well (kill aaa session -all) so that nothing leaked before the patch can still be replayed.
Harden Exposure: Keep the management IPs (NSIP, CLIP, and any SNIP with management enabled) off the internet and reachable only from an admin network or over VPN. Be clear about what this buys you: it does not mitigate these two CVEs, which are reached through the Gateway or AAA virtual server itself. If a virtual server does not need to be public, restrict it at the firewall, and block the /vpn/ and /aaad/ paths only where the Gateway or AAA function is genuinely unused, since blocking them otherwise breaks user logins.
Audit Sessions: Investigate login records and the session table, especially for:
- Long-duration or never-expiring sessions
- Sessions that continue from a new source IP or an unusual geolocation without a fresh login
- Admin-level access without corresponding authentication logs
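The first two audit criteria above, as an added example that is not a Citrix tool: C code that scans a handful of constructed session records and flags a session ID that keeps being used from a second source address without a new login (the token-replay pattern) and a session that has outlived a maximum age. The record format is a hypothetical key=value export of the session table, not real ns.log syntax; the records, the 24-hour threshold and all names are constructed for the example.

```c
/* Added example (not a Citrix tool). Record layout, data and threshold are
 * hypothetical; real ns.log lines look different and need their own parser. */
#include <stdio.h>
#include <string.h>

/* Constructed sample records: ts = epoch seconds, sid = session id,
 * src = client address, evt = login / keepalive / logout. */
static const char *sample_log[] = {
    "ts=1750932000 sid=A1 user=alice src=203.0.113.5 evt=login",
    "ts=1750932600 sid=A1 user=alice src=203.0.113.5 evt=keepalive",
    "ts=1750933200 sid=A1 user=alice src=198.51.100.77 evt=keepalive", /* new IP, no new login */
    "ts=1750932000 sid=B2 user=bob src=192.0.2.10 evt=login",
    "ts=1751100000 sid=B2 user=bob src=192.0.2.10 evt=keepalive",      /* ~46 h later */
    "ts=1750935000 sid=C3 user=carol src=192.0.2.44 evt=login",
    "ts=1750935900 sid=C3 user=carol src=192.0.2.44 evt=logout",
};
#define NLINES (sizeof sample_log / sizeof sample_log[0])

enum { IP_CHANGE = 1, LONG_LIVED = 2 };   /* finding bits */

/* Audits one session id: returns a bitmask of findings (0 = nothing).
 * IP_CHANGE: any record for the session comes from a source address other
 * than the one that first appeared for it (a replayed token would do this).
 * LONG_LIVED: last record minus first record exceeds max_age_seconds. */
int audit_session(const char *sid, long max_age_seconds) {
    long first_ts = -1, last_ts = -1;
    char first_src[48] = "";
    int flags = 0;
    for (size_t i = 0; i < NLINES; i++) {
        long ts;
        char id[16], user[32], src[48], evt[16];
        if (sscanf(sample_log[i], "ts=%ld sid=%15s user=%31s src=%47s evt=%15s",
                   &ts, id, user, src, evt) != 5)
            continue;                                 /* skip malformed line */
        if (strcmp(id, sid) != 0) continue;
        if (first_ts < 0) {
            first_ts = ts;
            snprintf(first_src, sizeof first_src, "%s", src);
        }
        if (ts > last_ts) last_ts = ts;
        if (strcmp(src, first_src) != 0) flags |= IP_CHANGE;
    }
    if (first_ts >= 0 && last_ts - first_ts > max_age_seconds) flags |= LONG_LIVED;
    return flags;
}

/* Runs audit_session over every distinct session id in the sample, prints
 * the findings, and returns how many sessions were flagged. */
int audit_all(long max_age_seconds) {
    char seen[NLINES][16];
    int nseen = 0, flagged = 0;
    for (size_t i = 0; i < NLINES; i++) {
        char id[16];
        int dup = 0, f;
        if (sscanf(sample_log[i], "ts=%*ld sid=%15s", id) != 1) continue;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], id) == 0) { dup = 1; break; }
        if (dup) continue;
        snprintf(seen[nseen++], sizeof seen[0], "%s", id);
        f = audit_session(id, max_age_seconds);
        if (f) {
            flagged++;
            printf("session %s:%s%s\n", id,
                   (f & IP_CHANGE)  ? " [source IP changed mid-session]" : "",
                   (f & LONG_LIVED) ? " [exceeds maximum age]" : "");
        }
    }
    return flagged;
}

int main(void) {
    int n = audit_all(86400L);   /* 24 h: hypothetical maximum session age */
    printf("%d session(s) flagged\n", n);
    return 0;
}
```

Session A1 is the one to chase: the same session id is used from a second address with no login event in between, which is what a replayed token looks like. B2 is flagged only for age, and C3, a normal login followed by logout from one address, produces nothing. On a real appliance the same two questions are asked of the session table and the ns.log authentication events, with the log parser adapted to that format.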
Conclusion
CitrixBleed 2.0 is real. One vulnerability is crashing critical services. The other quietly steals authentication material. Combined, they represent a serious threat to enterprise infrastructure that relies on Citrix NetScaler for secure access.
Don’t delay. Patch now, kill active sessions, and audit logs for signs of compromise. If your Citrix Gateway is exposed to the internet, you are a target—whether you know it or not.