Citrix NetScaler ADC and NetScaler Gateway Vulnerabilities

What is the Vulnerability?

Citrix has published security advisories addressing three critical vulnerabilities, CVE-2025-6543, CVE-2025-5349, and CVE-2025-5777, affecting the NetScaler ADC and NetScaler Gateway under specific preconditions.

CVE-2025-6543: A memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Citrix reports that exploitation of CVE-2025-6543 against unmitigated appliances has been observed.

CVE-2025-5349: An improper access control vulnerability in the NetScaler Management Interface.

CVE-2025-5777: A flaw caused by insufficient input validation that can lead to memory overreads. On July 10, 2025, the vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on the basis of exploitation in the wild.

What is the recommended Mitigation?

Organizations using Citrix NetScaler ADC and NetScaler Gateway appliances are strongly advised to:

  • Review the official Citrix security bulletins linked below.

  • Apply all relevant patches and updates as soon as possible.

  • Monitor for any suspicious activity.

What FortiGuard Coverage is available?

  • FortiGuard recommends that users apply the vendor's provided fix and follow the instructions outlined in the vendor's advisory.

  • FortiGuard IPS protection has been released to detect and block attacks related to CVE-2025-5777 (see Intrusion Prevention | FortiGuard Labs). The rest of the IPS coverage is currently under evaluation and will be updated as signatures become available.

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Outbreak Alert

FortiGuard Labs has observed a sharp increase in exploitation attempts targeting the 'Citrix Bleed 2' vulnerability since July 28, 2025. Telemetry indicates activity has surged to over 6,000 detections across IPS sensors globally. The majority of observed attacks are concentrated in the United States, Australia, Germany, and the United Kingdom, with adversaries primarily focusing on high-value sectors such as technology, banking, healthcare, and education.

View the full Outbreak Alert Report

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report