Table of Contents
On June 17, 2025, Citrix published a security advisory for CVE-2025-5777, followed by CVE-2025-6543 on June 25, 2025. Both are classified as critical and are actively being exploited in the wild.
Threat Overview
- CVE-2025-5777: Critical vulnerability due to improper input validation → leads to memory overread
- CVE-2025-6543: Enables memory overflow, potentially resulting in DoS or arbitrary code execution → Exploits available !
⚠️ Important: Simply applying the firmware update is not enough. You must manually terminate all active ICA and PCoIP sessions after patching to ensure the vulnerability is fully mitigated.
Supported Builds & Upgrade Paths
Legacy versions like 12.1, 13.0, and older are end-of-life (EOL) and will not receive any security patches. You must upgrade to 13.1 or 14.1.
| NetScaler (Citrix ADC) und NetScaler (Citrix) Gateway | ||
|---|---|---|
| Version | Refresh Build | Expected Release Date |
| 13.1 | 13.1.-59.19 | Patch is here |
| 14.1 | 14.1.-43.56 | Patch is here |
Instructions for updating the appliances:
Post-Update: Terminate Active Sessions (CVE-2025-5777)
|
1 2 |
kill icaconnection -all kill pcoipConnection -all |
These commands terminate all sessions that may have been established prior to the patch — they remain vulnerable unless actively closed.
Forensic Analysis: Has Your System Been Compromised?
Even if no attack has been detected, we highly recommend conducting a full system audit. Below is a checklist of 19 key areas with explanations and commands.
1. Determine Last Update Timestamp
|
1 |
ls -ll /var/nsinstall |
Identify the date of the last extracted firmware files. Use (last update date + 1 day) as a reference for all further checks.
2. Check for Modified Files Since Last Update
|
1 2 3 |
find /var/vpn/ -type f -newermt YYYYMMDD -exec ls -l {} \; find /var/netscaler/logon/ -type f -newermt YYYYMMDD -exec ls -l {} \; find /var/python/ -type f -newermt YYYYMMDD -exec ls -l {} \; |
Suspicious modifications (e.g., new PHP files) may indicate tampering or malware.
3. Look for Known Webshells
|
1 |
ls -ll /var/netscaler/logon/a.php |
The presence of a.php is a strong indicator of a known webshell and confirmed compromise.
4. Check GUI Files (Caution!)
|
1 |
find /netscaler/ns_gui/ -type f -name "*.php" -newermt YYYYMMDD -exec ls -l {} \; |
These files may change timestamps during system reboots — use this only as an indicator, not proof.
5. Automated Python Scan for File Changes
|
1 |
python -c "import os, glob, time; newest_timestamp = max(os.stat(f).st_mtime for f in glob.glob('/var/nsinstall/*')); print('\n'.join(os.path.join(dirpath, f) for dir in ['/var/netscaler/logon/', '/var/python/', '/var/vpn/'] for dirpath, _, files in os.walk(dir) for f in files if os.stat(os.path.join(dirpath, f)).st_mtime > newest_timestamp))" |
Quickly identifies files modified after the last update — a useful early indicator.
6. Search for Suspicious PHP Files
|
1 2 3 |
ls -ll /var/nsproflog/*.php ls -ll /var/netscaler/gui/*.php ls -ll /netscaler/portal/*.php |
PHP files in these directories are not standard and typically indicate backdoors or webshells.
7. Check HTTP Error Logs for Exploit Patterns
|
1 2 3 |
zgrep '.sh' /var/log/httperror.log* zgrep '.php' /var/log/httperror.log* zgrep '.pl' /var/log/httperror.log* |
Searches for entries that indicate script calls, in particular.php, .sh or .pl. These can document attacks.
The picture shows that the search for .sh was successful. You can check this directly by looking into the file with an editor of your choice (e.g. vi).
8. Inspect Shell & Bash Logs
|
1 2 |
zgrep -E 'database.php|/flash/nsconfig/keys/updated|/flash/nsconfig/keys|/ns_gui/vpn|LDAPTLS_REQCERT|ldapsearch|openssl|/nsconfig/ns.conf|del /etc/auth.conf|cp /usr/bin/bash|.F1.key|.F2.key|nobody' /var/log/sh.log* zgrep -E 'database.php|/flash/nsconfig/keys/updated|/flash/nsconfig/keys|/ns_gui/vpn|LDAPTLS_REQCERT|ldapsearch|openssl|/nsconfig/ns.conf|del /etc/auth.conf|cp /usr/bin/bash|.F1.key|.F2.key|nobody' /var/log/bash.log* |
These logs store direct shell commands executed by attackers. Access to key files or the use of opensslare particularly dangerous.
9. Identify Suspicious “nobody” Processes
|
1 |
ps aux | grep nobody | grep -v '/bin/httpd' |
Only the internal webserver should run under “nobody”. Any other process is suspicious.
Here is an example of the allowed processes.
And an attacked server. The top line is malware.
10. Crontab Analysis
|
1 2 |
grep '' /etc/crontab crontab -l -u nobody |
No crontab entries should exist for “nobody”.
Legitimate cron jobs (like iprep, aslearn_health_monitor.py, etc.) are documented.
There should be no crontab for nobody.
I have received several community comments that the following entries are also normal:
- /netscaler/adss-licexp.sh –> For trial licenses
- 0/5 * * * * root /netscaler/iprep –> When IP Reputation is in use
- */5 * * * * root /var/python/bin/python /netscaler/aslearn_health_monitor.py –> When app firewall is used
- */5 * * * * root /bin/pgrep -f /netscaler/appfw_dynamic_profiles/appfw_dynamic_profiles.py; [ $? != 0 ] && /var/python/bin/python /netscaler/appfw_dynamic_profiles/appfw_dynamic_profiles.py –> When app firewall is used
11. Analyze HTTP Access Logs
|
1 2 |
zgrep -E -v 'CitrixReceiver' /var/log/httpaccess-vpn.log* | grep ' 200 ' zgrep 'HeadlessChrome' /var/log/httpaccess-vpn.log* |
Look for successful (200) requests to unknown URLs or automated access from headless browsers.
12. Check for Core Dumps
|
1 |
ls -ll /var/core/1 |
Core dumps may indicate crashes caused by memory overflows or exploit activity.
This is what it looks like for an attacked system.
13. Detect Python/Perl-Based Backdoors
|
1 2 |
ps -aux | grep python ps -aux | grep perl |
Run this command twice. Legitimate scheduled tasks may briefly run Python/Perl, but persistent processes are a red flag.
If more than the grep queries shown are seen, the further scripts, should be checked by a Google search.
If something appears, run the command again after a few seconds. Some scheduled tasks on the NetScaler also use python or perl. Only if it still runs on the second call, this should be checked.
These are normal scripts for an NetScaler instance hosted in Azure.
When the StoreFront monitor is used, you will permanently see the following Perl script.
14. CPU Usage — Check for Cryptominers
|
1 |
top -n 10 |
Only NSPPE-xx processes should utilize CPU long-term. Other entries (e.g., xmrig) could indicate mining malware.
15. Network and Firewall Log Review
- Unusual scanning activity on ports 80/443/445
- Spikes in LDAP/DNS/AD connections (ports 389, 53, 88, etc.)
These patterns suggest lateral movement or reconnaissance post-exploit.
16. IOC Detection in Log Files
|
1 |
grep -v '127.0.0' /var/log/*.log | grep 'nc -l|/etc/passwd|curl|python -c|.php' |
Quickly detects known attack indicators across all log files.
This query filters out local IPs and concentrates on suspicious commands in log files.
17. Setuid Files Modified Since Patch
|
1 |
find /var -perm -4000 -user root -not -path "/var/nslog/*" -newermt YYYYMMDD -exec ls -l {} ; |
setuid files in non-standard locations (especially under /var) are highly suspicious.
18. Check nsfsyncd Process (HA Mode)
|
1 |
ps aux | grep nsfsyncd |
On HA systems, nsfsyncd must be running.
If missing: it may have been intentionally disabled during an attack.
On standalone systems, it should not be present.
19. Verify HA Node Health
|
1 |
show ha node |
Confirms the current node roles, sync status, and HA health.
Any mismatch or “unsynchronized” status warrants deeper investigation.
If Your System Is Compromised – Immediate Actions
- Disconnect the NetScaler from the network
- Reset all stored passwords (LDAP, local admin, etc.)
- Reissue SSL certificates and keys
- If using VPX: consider reverting to a clean snapshot
- Preferred: Build a new VPX and import config from backup
- Retain the same MAC address, or relicense the appliance
- Start the new system without network connectivity
- Verify system integrity via console
- Change
nsrootpassword - Reconnect internal network → then external
- Replace all SSL certificates
- Continuously monitor logs and responder activity
Final Thoughts
The Citrix NetScaler threat landscape remains highly volatile.
Patching is not enough — you must validate, review, and respond.
Verify your appliances. Document changes. Take action.
Thanks for putting all these informations together.You mentioned that there are several working exploits have been published. Do you have a source for that?
Sry copy paste error