This has precipitated confusion within the security group as to which flaw is being focused by attackers, CVE-2025-5777 or CVE-2025-6543, or each. IoCs for CVE-2025-6543 can be found on request from the Citrix Cloud Software program Group, however there was no such info for CVE-2025-5777 till this week, provided that Citrix hasn’t seen any proof of energetic exploits.
Researchers from security companies watchTowr and Horizon3.ai have independently reverse-engineered the patches and have revealed analyses and IoCs for the vulnerability they imagine to be CVE-2025-5777, with the aim of serving to organizations develop detections amid the confusion.
“We have now been actively engaged behind the scenes, sharing info and reproducers with the watchTowr Platform person base, who depend on our expertise to quickly decide their publicity, and quite a few trade our bodies to do our half in a broader international response,” researchers from watchTowr wrote of their in-depth report. “We have now been led to imagine that info sharing within the type of IoCs, exploitation artefacts, and extra objects that might be useful for Citrix NetScaler finish customers has been … ‘minimal,’ which places these customers in a tricky place when figuring out if they should sound an inside alarm.”
