FortiNDR Cloud
Author: kcheung (Staff)
Article Id 407400
Description

FortiGuard Labs has observed a significant increase in exploitation attempts targeting the 'Citrix Bleed 2' vulnerabilities (CVE-2025-5777 and CVE-2025-6543) since July 28, 2025.

These vulnerabilities affect Citrix NetScaler ADC and Citrix NetScaler Gateway.
Citrix NetScaler ADC is a network appliance that optimizes and secures application traffic.
Citrix NetScaler Gateway provides secure remote access.

CVE-2025-5777 is an out-of-bounds read vulnerability: an unauthenticated attacker can send a specially crafted request to leak sensitive memory contents from a vulnerable appliance.

CVE-2025-5349 is an improper access control vulnerability through which an unauthenticated attacker can reach management functionality.

CVE-2025-6543 is a critical memory overflow vulnerability that an unauthenticated attacker can trigger, resulting in denial of service.

The following versions of NetScaler products are patched against CVE-2025-6543:

  • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP

The following versions of NetScaler products are patched against CVE-2025-5777 and CVE-2025-5349:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
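The two patched-version lists above are easy to misread during inventory triage because the 13.1 and 13.1-FIPS/NDcPP branches share a prefix but have different fixed builds, and one CVE has a different threshold than the other two. The following script is an added example (not Fortinet's or Citrix's code) that encodes exactly the fixed builds listed in this article and reports, per CVE, whether a given NetScaler build string is patched. The version string format `major.minor-build.sub` (e.g. `14.1-47.46`), the `edition` parameter (`standard` or `fips`, the latter covering both FIPS and NDcPP), and the host names in the sample inventory are assumptions for illustration; a branch/edition combination the article does not list is reported as "no fixed build listed" rather than guessed.

```python
"""Triage NetScaler build strings against the fixed builds listed in this article."""
import re

# Fixed builds per CVE, keyed by (branch, edition). Values are (build, sub-build)
# taken from the article's two patched-version lists. "fips" covers FIPS and NDcPP.
FIXED_BUILDS = {
    "CVE-2025-6543": {
        ("14.1", "standard"): (47, 46),
        ("13.1", "standard"): (59, 19),
        ("13.1", "fips"): (37, 236),
    },
    "CVE-2025-5777": {
        ("14.1", "standard"): (43, 56),
        ("13.1", "standard"): (58, 32),
        ("13.1", "fips"): (37, 235),
        ("12.1", "fips"): (55, 328),
    },
}
# The article gives CVE-2025-5349 the same fixed builds as CVE-2025-5777.
FIXED_BUILDS["CVE-2025-5349"] = FIXED_BUILDS["CVE-2025-5777"]

# Assumed version shape: "<branch>-<build>.<sub>", e.g. "14.1-47.46".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split '14.1-47.46' into ('14.1', (47, 46)); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def status(version, edition, cve):
    """Return 'patched', 'vulnerable', or 'no fixed build listed' for one CVE."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS[cve].get((branch, edition))
    if fixed is None:
        # The article lists no fixed build for this branch/edition; do not guess.
        return "no fixed build listed"
    # Tuple comparison orders (47, 46) after (43, 56), as build numbers require.
    return "patched" if build >= fixed else "vulnerable"


def triage(version, edition="standard"):
    """Map every CVE in the article to its status for one appliance."""
    return {cve: status(version, edition, cve) for cve in FIXED_BUILDS}


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    inventory = [
        ("ns-gw-01", "14.1-43.56", "standard"),
        ("ns-gw-02", "14.1-47.46", "standard"),
        ("ns-fips-01", "13.1-37.235", "fips"),
        ("ns-old-01", "12.1-55.328", "fips"),
    ]
    for host, ver, edition in inventory:
        print(f"{host:12} {ver:12} {edition:9} {triage(ver, edition)}")
```

Note that a 14.1 appliance on 43.56 is patched for CVE-2025-5777 and CVE-2025-5349 but still vulnerable to CVE-2025-6543, which is the case the per-CVE breakdown is meant to surface.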

CVE ID

CVE-2025-5777 (https://nvd.nist.gov/vuln/detail/CVE-2025-5777)
CVE-2025-5349 (https://nvd.nist.gov/vuln/detail/CVE-2025-5349)
CVE-2025-6543 (https://nvd.nist.gov/vuln/detail/CVE-2025-6543)

NDR Cloud Detection Rule

FortiNDR Cloud v25.3a+

Detection Rule Name: FortiGuard Outbreak Alert: Citrix NetScaler Out-of-Bounds Read - CVE-2025-5777
Category: Attack: Exploitation
Primary MITRE ID: T1190 - Exploit Public-Facing Application

Playbook: N/A

Threat Hunting

FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for activity related to "Citrix Bleed 2".
IOC source: https://www.fortiguard.com/outbreak-ioc?tag=Citrix%20Bleed%202
All IOCs relating to "Citrix Bleed 2" have been added to Threat Intelligence Intel.

Suricata Coverage

Customers can create custom investigations or detections using the Suricata signature below:
2063315 -> ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)
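The Threat Hunting and Suricata Coverage sections above describe two sources that are most useful when combined: alerts for SID 2063315 tell you which sources tripped the CitrixBleed2 signature, and the FortiGuard IOC list tells you which of those sources are already attributed to the campaign. The following script is an added example (not Fortinet's or Suricata's code) that reads Suricata `eve.json` alert records, keeps only those for SID 2063315, and flags each hit whose source address falls inside an IOC list of IPs or CIDR ranges, sorting known-IOC sources to the top for triage. The IOC entries, the alert lines and the second signature ID (9999999) are constructed for this example and are not from the FortiGuard feed; only the `event_type`, `src_ip`, `dest_ip` and `alert.signature_id` fields of the real eve.json schema are relied on.

```python
"""Cross-reference Suricata eve.json alerts for SID 2063315 with an IOC list."""
import ipaddress
import json

CITRIX_BLEED2_SID = 2063315  # from the article's Suricata coverage section

# Constructed IOC list for illustration; the real list is at the FortiGuard URL above.
IOC_FEED = """
# constructed entries, not from FortiGuard
198.51.100.23
203.0.113.0/24
"""

# Constructed eve.json lines. Only the standard alert fields are used; SID 9999999 is a
# placeholder for an unrelated signature, and the last line is a non-alert event.
EVE_LINES = [
    '{"timestamp":"2025-07-29T10:12:05.000000+0000","event_type":"alert","src_ip":"192.0.2.77",'
    '"dest_ip":"10.0.0.5","dest_port":443,"alert":{"signature_id":2063315,"rev":1,"signature":'
    '"ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)",'
    '"category":"Web Application Attack"}}',
    '{"timestamp":"2025-07-29T10:12:01.000000+0000","event_type":"alert","src_ip":"198.51.100.23",'
    '"dest_ip":"10.0.0.5","dest_port":443,"alert":{"signature_id":2063315,"rev":1,"signature":'
    '"ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)",'
    '"category":"Web Application Attack"}}',
    '{"timestamp":"2025-07-29T10:13:00.000000+0000","event_type":"alert","src_ip":"203.0.113.9",'
    '"dest_ip":"10.0.0.5","dest_port":443,"alert":{"signature_id":9999999,"rev":1,"signature":'
    '"CONSTRUCTED unrelated signature","category":"Misc"}}',
    '{"timestamp":"2025-07-29T10:13:30.000000+0000","event_type":"flow","src_ip":"203.0.113.9",'
    '"dest_ip":"10.0.0.5"}',
    'not json at all',
]


def load_iocs(text):
    """Parse IPs and CIDR ranges from an IOC list, ignoring blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set in a CIDR entry.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def in_iocs(ip, nets):
    """True if the address lies inside any IOC network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def hunt(eve_lines, nets, sid=CITRIX_BLEED2_SID):
    """Return alert hits for `sid`, each tagged with whether its source is a known IOC."""
    hits = []
    for raw in eve_lines:
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole hunt
        if event.get("event_type") != "alert":
            continue
        if event.get("alert", {}).get("signature_id") != sid:
            continue
        hits.append({
            "timestamp": event["timestamp"],
            "src_ip": event["src_ip"],
            "dest_ip": event["dest_ip"],
            "ioc_match": in_iocs(event["src_ip"], nets),
        })
    # Known-IOC sources first, then chronological, so attributed activity is triaged first.
    hits.sort(key=lambda h: (not h["ioc_match"], h["timestamp"]))
    return hits


if __name__ == "__main__":
    for hit in hunt(EVE_LINES, load_iocs(IOC_FEED)):
        print(hit)
```

A hit whose source is not on the IOC list is still a hit on the CitrixBleed2 signature and should be investigated; the flag only decides the order, not whether the alert matters.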

Other Fortinet Products

For more details on mitigating these vulnerabilities with Fortinet products, please refer to:
https://www.fortiguard.com/outbreak-alert/citrix-bleed-2