
In our recent update to our announcement of CVE-2025-5777, we noted that on July 10, 2025, CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities Catalog. To help customers assess their security posture, we've provided additional guidance below.
On unpatched appliances, attempts to exploit or scan for CVE-2025-5777 may leave observable artifacts in NetScaler logs. This analysis assumes that syslog is collected externally and is available for the period being analyzed. If logs are analyzed locally on the appliance, note that system logs may cover only the preceding few days, because older logs are rotated and deleted automatically to conserve disk space.
Syslog analysis
Search for log lines matching /"Authentication is rejected for / AND /AAA Message/
AND containing bytes outside the ASCII range (0x80-0xFF). These bytes may appear escaped (for example as \xNN or octal sequences) when viewed through a log viewer. The strings between the opening and closing '/'s can be treated as regular expressions.
If searching locally on MPX or VPX, the following awk command can be used within /var/log (it reads only the rotated, compressed archives; the current uncompressed ns.log should be passed through the same awk filter separately):
zcat ns.log.*.gz | awk -v FS='Authentication is rejected for ' '{if($1~/AAA Message/&&$2~/[\x80-\xff]/) print}'
The presence of non-ASCII bytes in these lines can indicate exploit attempts: the field following "Authentication is rejected for" normally holds the printable username from the login request, so raw high-bit bytes there suggest that something other than a username was submitted. Legitimate non-ASCII usernames (for example, accented characters encoded as UTF-8) will also match and must be ruled out manually.
Session analysis
Administrators and incident responders can also manually review client IP addresses from certain types of session events. A change in client IP within one session may indicate session theft, but it can also reflect a user legitimately connecting from multiple locations, such as switching from office Wi-Fi to a home network. Session theft is plausible but not guaranteed if CVE-2025-5777 is exploited; its likelihood depends on the device configuration and on the volume and types of traffic that the NetScaler is processing.
For example, if analyzing VPN sessions (SSLVPN TCPCONNSTAT event):
ns.log.10.gz:Jul 11 10:41:50 <local0.info> 10.0.0.1 07/11/2025:10:41:50 GMT ns 0-PPE-0 : default SSLVPN TCPCONNSTAT 1496 0 : User user1 - Client_ip 10.2.0.20 - Nat_ip 127.0.0.2 - Vserver 10.1.2.32:443 - Source 10.2.0.20:50961 - Destination 127.0.0.1:81 - Start_time "07/11/2025:10:41:50 GMT" - End_time "07/11/2025:10:41:50 GMT" - Duration 00:00:00 - Total_bytes_send 750 - Total_bytes_recv 1200 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A"
It would be expected that the Client_ip field and the address portion of the Source field are the same (10.2.0.20 in the example above), as long as the client has not changed how it connects to the internet. A mismatch between the two, or the same user appearing with different Client_ip values over a short period, is worth reviewing against what is known about that user's normal connectivity.
Please note that the steps above can help detect certain potential exploitation attempts, but they will not necessarily detect every possible exploit.
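The following is an added example, not Citrix's own tooling: a small Python parser for SSLVPN TCPCONNSTAT lines in the layout shown above that flags (a) a Client_ip that differs from the address in Source and (b) a user appearing with a Client_ip not seen for that user earlier in the reviewed logs. The sample lines are constructed to match the example format and are not a real capture; it assumes IPv4 addresses in the Source field and treats every flagged line as something to review, not as proof of session theft.

```python
import re
from collections import defaultdict


def _line(ts, seq, user, client_ip, source):
    """Build a constructed TCPCONNSTAT line in the layout shown above (sample data only)."""
    return (f'Jul 11 {ts[11:19]} <local0.info> 10.0.0.1 {ts} ns 0-PPE-0 : default SSLVPN '
            f'TCPCONNSTAT {seq} 0 : User {user} - Client_ip {client_ip} - Nat_ip 127.0.0.2 - '
            f'Vserver 10.1.2.32:443 - Source {source} - Destination 127.0.0.1:81 - '
            f'Start_time "{ts}" - End_time "{ts}" - Duration 00:00:00 - Total_bytes_send 750 - '
            f'Total_bytes_recv 1200 - Access Allowed - Group(s) "N/A"')


# Constructed sample: user1 roams to a new address, user2 shows a Client_ip/Source mismatch.
SAMPLE_LINES = [
    _line("07/11/2025:10:41:50 GMT", 1496, "user1", "10.2.0.20", "10.2.0.20:50961"),
    _line("07/11/2025:10:45:02 GMT", 1502, "user1", "10.2.0.20", "10.2.0.20:50988"),
    _line("07/11/2025:10:46:11 GMT", 1503, "user2", "10.2.0.30", "10.2.0.30:44100"),
    _line("07/11/2025:10:52:37 GMT", 1510, "user1", "203.0.113.7", "203.0.113.7:41000"),
    _line("07/11/2025:10:53:05 GMT", 1511, "user2", "10.2.0.30", "198.51.100.9:5555"),
    "Jul 11 10:53:09 <local0.info> 10.0.0.1 07/11/2025:10:53:09 GMT ns 0-PPE-0 : default "
    "AAA Message 1512 0 : unrelated event, must be ignored",
]

# Matches the appliance timestamp, then the TCPCONNSTAT header, capturing the " - " separated body.
TCPCONNSTAT = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2} GMT) \S+ \S+ : default SSLVPN TCPCONNSTAT "
    r"\d+ \d+ : (?P<body>.*)$"
)


def parse_tcpconnstat(line):
    """Return a dict of field -> value for a TCPCONNSTAT line, or None for any other line."""
    m = TCPCONNSTAT.search(line)
    if not m:
        return None
    fields = {"_ts": m.group("ts")}
    for token in m.group("body").split(" - "):
        key, _, value = token.partition(" ")      # e.g. 'Client_ip 10.2.0.20'
        fields[key] = value.strip('"')            # Start_time/End_time/Group(s) are quoted
    return fields


def review_client_ips(lines):
    """Return findings as (kind, user, client_ip, detail, timestamp) tuples, in log order."""
    findings = []
    ips_seen = defaultdict(dict)  # user -> {client_ip: first timestamp seen}
    for line in lines:
        f = parse_tcpconnstat(line)
        if f is None:
            continue
        user, client_ip = f.get("User"), f.get("Client_ip")
        source_ip = f.get("Source", "").rsplit(":", 1)[0]   # strip the port (IPv4 assumed)
        if client_ip != source_ip:
            findings.append(("client_ip_source_mismatch", user, client_ip, source_ip, f["_ts"]))
        if client_ip not in ips_seen[user]:
            ips_seen[user][client_ip] = f["_ts"]
            if len(ips_seen[user]) > 1:
                findings.append(("new_client_ip", user, client_ip,
                                 ",".join(sorted(ips_seen[user])), f["_ts"]))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: zcat ns.log.*.gz | python3 this_script.py   (falls back to the sample data)
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for finding in review_client_ips(source):
        print(finding)
```

Every "new_client_ip" finding needs the same judgement the text describes: a user switching from office Wi-Fi to a home network produces exactly this pattern, so correlate the timestamps and addresses with what is known about that user before treating it as session theft.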