cbcvebase.
CVE-2025-5777
published 2025-06-17

CVE-2025-5777: Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA…

Priority: P193 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2025-07-11
Exploited in the wild
EPSS: 99.90% (100.0th percentile)
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Affected

17 ranges

Vendor    | Product                                    | Version range            | Fixed in
citrix    | citrix_adm                                 |                          |
citrix    | citrix_hypervisor                          |                          |
citrix    | citrix_virtual_apps_and_desktops           |                          |
citrix    | endpoint_management                        |                          |
citrix    | netscaler_adc                              |                          |
citrix    | netscaler_application_delivery_controller  | >= 12.1 < 12.1-55.328    | 12.1-55.328
citrix    | netscaler_application_delivery_controller  | >= 13.1 < 13.1-37.235    | 13.1-37.235
citrix    | netscaler_application_delivery_controller  | >= 13.1 < 13.1-58.32     | 13.1-58.32
citrix    | netscaler_application_delivery_controller  | >= 14.1 < 14.1-43.56     | 14.1-43.56
citrix    | netscaler_gateway                          |                          |
citrix    | netscaler_gateway                          | >= 13.1 < 13.1-58.32     | 13.1-58.32
citrix    | netscaler_gateway                          | >= 14.1 < 14.1-43.56     | 14.1-43.56
citrix    | xenserver                                  |                          |
netscaler | adc                                        | >= 13.1 < 58.32          | 58.32
netscaler | adc                                        | >= 14.1 < 43.56          | 43.56
netscaler | gateway                                    | >= 13.1 < 58.32          | 58.32
netscaler | gateway                                    | >= 14.1 < 43.56          | 43.56

Detection & IOCs (extracted from sources)

cookie: NSC_TASS
url: /saml/login
url: /cgi/GetAuthMethods
  • Monitor for HTTP requests to /cgi/GetAuthMethods — attackers are probing this endpoint to fingerprint authentication methods and determine if NetScaler is configured as a SAML IDP prior to exploitation.
  • Detect crafted SAMLRequest payloads sent to /saml/login that omit the AssertionConsumerServiceURL field — this is the exploitation trigger for the memory overread.
  • Inspect HTTP responses for the NSC_TASS cookie containing Base64-encoded data — on a vulnerable device this cookie carries leaked memory contents.
  • Detect requests to /wsfed/passive where the 'wctx' query string parameter is present but has no value and lacks the '=' symbol — this triggers the second memory overread variant.
  • On a patched NetScaler, a request to /saml/login with the malformed SAMLRequest returns the string 'Parsing of presented Assertion failed; Please contact your administrator.' — absence of this response on an unpatched device indicates vulnerability.
  • Hunt for signs of post-exploitation compromise: atypical file creation dates, duplicate file names with different extensions, and absence of PHP files in expected folders.
  • Use the NCSC-released GitHub script to scan NetScaler devices for unusual PHP and XHTML files and other IOCs associated with post-exploitation activity.
  • Monitor for stolen session tokens being used to hijack user sessions and bypass MFA on NetScaler Gateway or AAA virtual servers — a key post-exploitation indicator for CVE-2025-5777.
  • Exploitation of the /saml/login and /wsfed/passive endpoints (related CVE-2026-3055) additionally requires the appliance to be configured as a SAML Identity Provider (SAML IDP).
  • After patching, all active sessions must be terminated using the prescribed CLI commands to invalidate any already-stolen session tokens; patching alone does not revoke hijacked sessions.

CVSS provenance

Source    | Version | Score        | Vector
nvd       | v3.1    | 7.5 HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd       | v4.0    | 9.3 CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck |         | 9.3 CRITICAL |
cisa      |         | 9.3 CRITICAL |