This has caused confusion in the security community as to which flaw attackers are targeting: CVE-2025-5777, CVE-2025-6543, or both. IoCs for CVE-2025-6543 are available on request from the Citrix Cloud Software Group, but no such information was available for CVE-2025-5777 until this week, given that Citrix hasn’t seen any evidence of active exploitation.
Researchers from security firms watchTowr and Horizon3.ai have independently reverse-engineered the patches and have published analyses and IoCs for the vulnerability they believe to be CVE-2025-5777, with the goal of helping organizations develop detections amid the confusion.
“We have been actively engaged behind the scenes, sharing information and reproducers with the watchTowr Platform user base, who rely on our technology to rapidly determine their exposure, and numerous industry bodies to do our part in a broader global response,” researchers from watchTowr wrote in their in-depth report. “We have been led to believe that information sharing in the form of IoCs, exploitation artefacts, and more items that would be helpful for Citrix NetScaler end users has been … ‘minimal,’ which puts these users in a tough position when determining if they need to sound an internal alarm.”