Thousands of internet-exposed Citrix NetScaler instances are exposed to attacks targeting two recently disclosed critical vulnerabilities, including one exploited as a zero-day.
The flaws, tracked as CVE-2025-5777 (CVSS score of 9.3) and CVE-2025-6543 (CVSS score of 9.2), are described as insufficient input validation and memory overflow issues, and impact NetScaler instances configured as a gateway for remote access or an AAA virtual server.
Successful exploitation of the bugs could lead to out-of-bounds memory read, and unintended control flow and denial of service (DoS), respectively.
Shortly after Citrix disclosed CVE-2025–5777 on June 17, security researcher Kevin Beaumont pointed out its similarity to CVE-2023-4966, referred to as CitrixBleed, and warned that tens of thousands of potentially affected instances could be seen on the internet.
Last week, cybersecurity firm ReliaQuest said it was seeing evidence that CVE-2025–5777 may be exploited in the wild for initial access. Referred to as CitrixBleed2, the bug can be exploited to bypass authentication and facilitate session hijacking, the company said.
On June 25, Citrix warned that CVE-2025-6543 had been exploited in the wild as a zero-day, urging immediate patching. The company pointed out that the discontinued NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are affected as well.
On June 30, the US cybersecurity agency CISA added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch vulnerable instances within their environments by July 21.
Now, both Censys and The Shadowserver Foundation warn that thousands of NetScaler instances potentially vulnerable to at least one of these security defects are exposed to the internet.
Censys says it has seen over 69,000 web-accessible deployments, albeit it could confirm impact from these flaws on only 130 of them.
Data from The Shadowserver Foundation shows that, as of June 29, 1,289 NetScaler servers vulnerable to CVE-2025–5777 and 2,100 instances vulnerable to CVE-2025-6543 were exposed to the internet.
Given the critical severity of these issues and the interest threat actors have shown in exploiting Citrix product vulnerabilities, organizations are advised to patch their NetScaler instances as soon as possible.
Related: Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances
Related: CISA Warns AMI BMC Vulnerability Exploited in the Wild
Related: Motors Theme Vulnerability Exploited to Hack WordPress Websites
