A vital NetScaler ADC and Gateway vulnerability dubbed “Citrix Bleed 2” (CVE-2025-5777) is now possible exploited in assaults, in accordance with cybersecurity agency ReliaQuest, seeing a rise in suspicious periods on Citrix gadgets.
Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont on account of its similarity to the unique Citrix Bleed (CVE-2023-4966), is an out-of-bounds reminiscence learn vulnerability that permits unauthenticated attackers to entry parts of reminiscence that ought to sometimes be inaccessible.
This might enable attackers to steal session tokens, credentials, and different delicate knowledge from public-facing gateways and digital servers, enabling them to hijack person periods and bypass multi-factor authentication (MFA).
Citrix’s advisor additionally confirms this danger, warning customers to finish all ICA and PCoIP periods after putting in safety updates to dam entry to any hijacked periods.
The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no experiences of lively exploitation. Nonetheless, Beaumont warned in regards to the excessive probability of exploitation earlier this week.
The researcher’s worries now appear justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in focused assaults.
“Whereas no public exploitation of CVE-2025-5777, dubbed “Citrix Bleed 2,” has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to realize preliminary entry to focused environments,” warns ReliaQuest.
This conclusion is predicated on the next observations from precise assaults seen not too long ago:
- Hijacked Citrix internet periods had been noticed the place authentication was granted with out person interplay, indicating attackers bypassed MFA utilizing stolen session tokens.
- Attackers reused the identical Citrix session throughout each authentic and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
- LDAP queries had been initiated post-access, displaying that attackers carried out Energetic Listing reconnaissance to map customers, teams, and permissions.
- A number of situations of ADExplorer64.exe ran throughout methods, indicating coordinated area reconnaissance and connection makes an attempt to numerous area controllers.
- Citrix periods originated from knowledge heart IPs related to client VPN suppliers like DataCamp, suggesting attacker obfuscation through anonymized infrastructure.
The above is in keeping with post-exploitation exercise following unauthorized Citrix entry, reinforcing the evaluation that CVE-2025-5777 is being exploited within the wild.
To guard towards this exercise, doubtlessly impacted customers ought to improve to variations 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.
After putting in the newest firmware, admins ought to terminate all lively ICA and PCoIP periods, as they might have already been hijacked.
Earlier than killing lively periods, admins ought to first evaluation them for suspicious exercise utilizing the present icaconnection command and NetScaler Gateway > PCoIP > Connections.
After reviewing the lively periods, admins can then terminate them utilizing these instructions:
kill icaconnection -all
kill pcoipconnection -allIf the quick set up of safety updates is unimaginable, it is suggested that exterior entry to NetScaler be restricted through community ACLs or firewall guidelines.
In response to our questions as as to whether CVE-2025-5777 is being actively exploited, Citrix referred us again to a weblog publish printed yesterday the place they state that they see no indicators of exploitation.
“At the moment, there isn’t a proof to counsel exploitation of CVE-2025-5777,” reads the Citrix publish.
Nonetheless, one other Citrix vulnerability, tracked as CVE-2025-6543 is being exploited in assaults to trigger a denial of service situation on NetScaler gadgets.
Citrix says that this flaw and the CVE-2025-5777 flaw are in the identical module however are completely different bugs.
Replace 6/27/25: Added details about Citrix’s weblog publish.
Patching used to imply complicated scripts, lengthy hours, and infinite fireplace drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, scale back overhead, and concentrate on strategic work — no complicated scripts required.
