Number: AL25-008
Date: June 26, 2025
Updated: July 9, 2025

Audience

This Alert is intended for IT professionals and managers of notified organizations.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On June 17 and 25, 2025, Citrix published security advisories for critical vulnerabilities, CVE-2025-5349, CVE-2025-5777 and CVE-2025-6543, affecting the following products^{Footnote1Footnote2}:

• NetScaler ADC 12.1-FIPS – versions prior to 12.1-55.328-FIPS
• NetScaler ADC and NetScaler Gateway 14.1 – versions prior to 14.1-47.46
• NetScaler ADC and NetScaler Gateway 13.1 – versions prior to 13.1-59.19
• NetScaler ADC 13.1-FIPS and NDcPP – versions prior to 13.1-37.236-FIPS and NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End-Of-Life (EOL) and are no longer supported.

For CVE-2025-5777 and CVE-2025-6543: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server for these vulnerabilities to be exploited.

For CVE-2025-5349: An improper access control configured on NetScaler management interface would lead to an access to NSIP, to Cluster Management IP and to local GSLB Site IP.

Citrix reports that exploitation of CVE-2025-6543 against unmitigated appliances has been observed. In response to these vulnerabilities, the Cyber Centre released AV25-350 on June 17^Footnote3 and AV25-374 on June 25, 2025^Footnote4.

The Cyber Centre is aware of online interest and speculation about these vulnerabilities and is publishing this Alert out of an abundance of caution.

Update 1

The Cyber Centre has observed scanning by threat actors for CVE-2025-5777 and has received reports that it is being actively exploited ^Footnote6. Organizations should be aware that patching does not necessarily remove access to their system from threat actors who compromised the device while it was still vulnerable. The Cyber Centre recommends organizations complete a threat hunting exercise using the potential indicators of compromise below regardless of whether you have patched for the mentioned vulnerabilities or not.

Potential Indicators of Compromise

The following indicators of compromise (IoCs) have been shared by the cyber security research community as a starting point for compromise detection.

• Depending on logging configurations, log entries with non-printable characters are a pretty good indicator that something is amiss ^Footnote7.
• The Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted. Entries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens ^Footnote7.
• Auditing active sessions is also recommended. As an example, a single session being used from multiple client IP addresses could be an indicator that the session may have been compromised ^Footnote7.
  • Active sessions for NetScaler Gateway can be found in the WebUI via “NetScaler Gateway -> Active User Sessions -> Select applicable context -> Continue”
  • Session information can also be viewed on the command line by running commands such as “show sessions” or “show <service> session”
• In Netscaler logs, look for:
  • Repeated POST requests to *doAuthentication* which will each yield 126 bytes of RAM.
  • Requests to doAuthentication.do with “Content-Length: 5”.
  • Lines with *LOGOFF* and user = “*#*” (i.e. # symbol in the username)
• Monitor entries for endpoint logs for contents of leaked memory, which may or may not include session tokens.
• Monitor for the creation of new user accounts, dumping or modifying configuration files, and the installation of Remote Access Tools (RATs)

Suggested actions

The Cyber Centre strongly recommends that organizations using Citrix NetScaler ADC and NetScaler Gateway appliances review the Citrix security bulletins^{Footnote1Footnote2} and update or upgrade the affected systems to the following versions:

• NetScaler ADC and NetScaler Gateway 14.1-47.46 and later.
• NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1.
• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP.

Update 1

Citrix has provided the steps to take if NetScaler ADC is suspected to be compromised ^Footnote8, which includes:

• Preserve evidence.
• if possible, avoid switching off the machine in order to preserve the traces needed for investigations.
• Completely isolate the machine concerned from the network, both from the Internet and from the internal network, in order to limit the risk of further unauthorized access and lateral movement.
• Revoke credentials and access.
• Examine all servers and systems to which the NetScaler ADC has connected for signs of compromise.
• Rebuild and restore.
• Rotate restored secrets.
• Harden the device.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions^Footnote5.

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

References

Serial number:AV25-414
Date:July 9, 2025

On July 9, 2025, Palo Alto Networks published security advisories to address vulnerabilities in multiple products. Included were updates for the following:

• Autonomous Digital Experience Manager 5.6.0 macOS – versions prior to 5.6.7
• GlobalProtect App 6.3 macOS – versions prior to 6.3.3-h1 (6.3.3-c650)
• GlobalProtect App 6.2 macOS – versions prior to 6.2.8-h2 (6.2.8-c243)
• GlobalProtect App 6.2 Linux – versions prior to 6.2.8
• GlobalProtect App 6.1 macOS – all versions
• GlobalProtect App 6.1 Linux – all versions
• GlobalProtect App 6.0 macOS – all versions
• GlobalProtect App 6.0 Linux – all versions
• Prisma Access Browser – versions prior to 137.16.6.120

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• Palo Alto Networks Security Advisories - PAN-SA-2025-0013 Chromium: Monthly Vulnerability Update (July 2025)
• Palo Alto Networks Security Advisories - CVE-2025-0139 Autonomous Digital Experience Manager: Privilege Escalation (PE) Vulnerability
• Palo Alto Networks Security Advisories - CVE-2025-0140 GlobalProtect App: Non Admin User Can Disable the GlobalProtect App
• Palo Alto Networks Security Advisories - CVE-2025-0141 GlobalProtect App: Privilege Escalation (PE) Vulnerability
• Palo Alto Network Security Advisories

Serial number:AV25-413
Date:July 9, 2025

On July 9, 2025, Jenkins published a security advisory to address vulnerabilities in the following products:

• Apica Loadtest Plugin – version 1.10 and prior
• Applitools Eyes Plugin – version 1.16.5 and prior
• Aqua Security Scanner Plugin – version 3.2.8 and prior
• Credentials Binding Plugin – version 687.v619cb_15e923f and prior
• Dead Man's Snitch Plugin – version 0.1 and prior
• Git Parameter Plugin – version 439.vb_0e46ca_14534 and prior
• HTML Publisher Plugin – version 425 and prior
• IBM Cloud DevOps Plugin – version 2.0.16 and prior
• IFTTT Build Notifier Plugin – version 1.2 and prior
• Kryptowire Plugin – version 0.2 and prior
• Nouvola DiveCloud Plugin – version 1.08 and prior
• QMetry Test Management Plugin – version 1.13 and prior
• ReadyAPI Functional Testing Plugin – version 1.11 and prior
• Sensedia Api Platform tools Plugin – version 1.0 and prior
• Statistics Gatherer Plugin – version 2.0.3 and prior
• Testsigma Test Plan run Plugin – version 1.6 and prior
• User1st uTester Plugin – version 1.1 and prior
• VAddy Plugin – version 1.2.8 and prior
• Warrior Framework Plugin – version 1.2 and prior
• Xooa Plugin – version 0.0.7 and prior

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• Jenkins Security Advisory 2025-07-09
• Jenkins Security Advisories

Serial number:AV25-412
Date:July 9, 2025

On July 9, 2025, GitLab published a security advisory to address vulnerabilities in the following:

• GitLab Community Edition (CE) – versions prior to 18.1.2, 18.0.4 and 17.11.6
• GitLab Enterprise Edition (EE) – versions prior to 18.1.2, 18.0.4 and 17.11.6

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• GitLab Patch Release: 18.1.2, 18.0.4, 17.11.6
• GitLab Releases

Serial number:AV25-411
Date:July 9, 2025

On July 8, 2025, Citrix published a security advisory to address a vulnerability in the following products:

• Current Release (CR): Citrix Virtual Apps and Desktops – versions prior to 2503
• Long Term Service Release (LTSR): Citrix Virtual Apps and Desktops – versions 2402 LTSR CU2 and prior

The Cyber Centre encourages users and administrators to review the provided web links and perform the suggested mitigations.

• Citrix Security Advisory – CTX694820
• Citrix Security Advisories

Serial number:AV25-410
Date:July 9, 2025

On July 8, 2025, ServiceNow published a Security Advisory to address a vulnerability in the following product:

• ServiceNow Now Platform – multiple versions

The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.

• CVE-2025-3648 - Data Inference in Now Platform via Conditional ACLs
• ServiceNow security advisories