Threat Response - Vulnerability in SonicOS
On June 17 2025, Citrix published an advisory regarding two vulnerabilities in NetScaler ADC and NetScaler Gateway appliances [1]. One allows attackers unauthorized access to certain parts of the system; the other is an out-of-bounds memory read that returns memory contents, including valid session tokens, to an unauthenticated attacker. We previously emailed you about these vulnerabilities and the advice to apply the patch quickly. Since then, the memory-read vulnerability has been exploited at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your devices have been compromised and act accordingly.
Description
On June 17, Citrix published the vulnerabilities in their products and made patches available. As early as June 20, a threat actor presumed to be a Chinese nation-state actor started exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled anyone to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability. Threat intelligence providers have used the indicators from this mass exploitation to search retroactively for earlier exploitation, before July 4, which is how the activity attributed to Chinese actors was identified.
Impact
The impact of this vulnerability is high: the leaked memory contains valid session tokens, which allow attackers to hijack existing sessions or set up new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial, but it is well within reach of moderately skilled attackers, and public exploit code is available.
Risk
If you did not patch your vulnerable NetScaler appliances before July 4, you should assume they have been compromised. If you did not patch before June 20 and your organisation is potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise.
Mitigation
Follow the patching advice previously described in our TR [3].
What should you do?
If you have not yet patched your vulnerable NetScaler devices, we recommend taking them offline immediately and investigating both the devices and the IT environment they give access to for compromise. The likelihood of compromise is high at this point, and attackers who gained access through these devices have most likely had access to the systems behind them for some time.
If you patched after June 20, we recommend searching your logs for signs of compromise using the published indicators [4]. In addition, compare, per session, the IP address from which a user session was started with the IP addresses from which that session was subsequently used. A mismatch indicates that a session token may have been stolen and replayed by an attacker.
If you spot IP address anomalies in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.
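As an added illustration, not part of the original Threat Response and not Citrix tooling, the Python script below applies the IP-mismatch check described above to constructed log lines modelled on the SSLVPN LOGIN, TCPCONNSTAT and LOGOUT records in NetScaler's ns.log. It assumes that the SessionId field identifies a session and that the Client_ip field of each record is the peer address of that particular request; all hosts, users and addresses are made up. It also flags sessions that appear in use without any LOGIN record in the log window, which is what a replayed stolen token looks like when the attacker never authenticated, and it lets you pivot from one suspicious IP to every session that IP touched.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines, modelled on NetScaler ns.log SSLVPN records.
# Users, addresses and hosts are invented for this example.
SAMPLE_LOG = [
    '06/25/2025:09:00:01 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1001 0 : Context alice@203.0.113.10 - SessionId: 41- User alice - Client_ip 203.0.113.10 - Nat_ip "Mapped Ip" - Vserver 192.0.2.5:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"',
    '06/25/2025:09:04:30 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1002 0 : Context alice@203.0.113.10 - SessionId: 41- User alice - Client_ip 203.0.113.10 - Nat_ip 192.0.2.5 - Vserver 192.0.2.5:443 - Source 203.0.113.10:51234 - Destination 10.10.0.20:443',
    '06/25/2025:09:10:02 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1003 0 : Context bob@203.0.113.22 - SessionId: 42- User bob - Client_ip 203.0.113.22 - Nat_ip "Mapped Ip" - Vserver 192.0.2.5:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"',
    # bob's session is used from a different address than the one that logged in
    '06/25/2025:09:12:47 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1004 0 : Context bob@203.0.113.22 - SessionId: 42- User bob - Client_ip 198.51.100.77 - Nat_ip 192.0.2.5 - Vserver 192.0.2.5:443 - Source 198.51.100.77:40022 - Destination 10.10.0.20:443',
    # carol's session is in use, but no LOGIN for it appears in the window
    '06/25/2025:09:13:05 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1005 0 : Context carol@203.0.113.40 - SessionId: 43- User carol - Client_ip 198.51.100.77 - Nat_ip 192.0.2.5 - Vserver 192.0.2.5:443 - Source 198.51.100.77:40031 - Destination 10.10.0.21:445',
    '06/25/2025:09:20:00 GMT ns 0-PPE-0 : default SSLVPN LOGOUT 1006 0 : Context alice@203.0.113.10 - SessionId: 41- User alice - Client_ip 203.0.113.10 - Nat_ip 192.0.2.5 - Vserver 192.0.2.5:443 - Duration 00:19:59 - LogoutMethod "Explicit"',
    '06/25/2025:09:21:00 GMT ns 0-PPE-0 : default AAA Message 1007 0 : "unrelated record without session fields"',
]

# Pulls event type, SessionId, User and Client_ip out of an SSLVPN record.
# The "41- User" spacing mirrors how ns.log prints the SessionId field.
RECORD_RE = re.compile(
    r"SSLVPN (?P<event>[A-Z_]+) \d+ \d+ : .*?"
    r"SessionId: (?P<sid>\d+)-\s*User (?P<user>\S+) - Client_ip (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class Session:
    user: str
    login_ips: set = field(default_factory=set)  # Client_ip on LOGIN records
    all_ips: set = field(default_factory=set)    # Client_ip on every record
    records: int = 0


def parse_sessions(lines):
    """Group SSLVPN records by SessionId; lines without session fields are skipped."""
    sessions = {}
    for line in lines:
        m = RECORD_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], Session(user=m["user"]))
        s.all_ips.add(m["ip"])
        s.records += 1
        if m["event"] == "LOGIN":
            s.login_ips.add(m["ip"])
    return sessions


def find_hijack_candidates(lines):
    """Sessions used from an IP other than the login IP, or used without any LOGIN seen."""
    findings = []
    for sid, s in sorted(parse_sessions(lines).items(), key=lambda kv: int(kv[0])):
        extra = s.all_ips - s.login_ips
        if not s.login_ips:
            findings.append({"session": sid, "user": s.user,
                             "reason": "no LOGIN record in the log window",
                             "ips": sorted(s.all_ips)})
        elif extra:
            findings.append({"session": sid, "user": s.user,
                             "reason": "used from IP(s) other than the login IP",
                             "login_ips": sorted(s.login_ips), "ips": sorted(extra)})
    return findings


def sessions_by_ip(lines, ip):
    """Pivot: every (SessionId, user) that a given client IP touched."""
    return sorted((sid, s.user) for sid, s in parse_sessions(lines).items() if ip in s.all_ips)


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_LOG):
        print(f)
    print("sessions touched by 198.51.100.77:", sessions_by_ip(SAMPLE_LOG, "198.51.100.77"))
```

Treat a hit as a lead, not proof: mobile users changing networks, carrier-grade NAT and outbound proxies also produce mid-session IP changes. Correlate hits with the indicators in [4] (and note that when logs are forwarded via syslog the line prefix differs, so adjust the regular expression to your collector's format).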
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f
[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
[5]: https://advisories.ncsc.nl/advisory?id=NCSC-2025-0204
Dear Reader,
- Update firmware to version 7.3.0, which includes enhanced protections against brute force attacks and additional MFA controls.
- Reset all local user account passwords for any accounts with SSLVPN access, especially if they were carried over during migration from Gen 6 to Gen 7.
- Continue applying the previously recommended best practices:
  - Enable Botnet Protection and Geo-IP Filtering.
  - Remove unused or inactive user accounts.
  - Enforce MFA and strong password policies.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources