A vital NetScaler ADC and Gateway vulnerability dubbed “Citrix Bleed 2” (CVE-2025-5777) is now seemingly exploited in assaults, in accordance with cybersecurity agency ReliaQuest, seeing a rise in suspicious periods on Citrix gadgets.
Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont as a consequence of its similarity to the unique Citrix Bleed (CVE-2023-4966), is an out-of-bounds reminiscence learn vulnerability that permits unauthenticated attackers to entry parts of reminiscence that ought to sometimes be inaccessible.
This might enable attackers to steal session tokens, credentials, and different delicate knowledge from public-facing gateways and digital servers, enabling them to hijack consumer periods and bypass multi-factor authentication (MFA).
Citrix’s advisor additionally confirms this threat, warning customers to finish all ICA and PCoIP periods after putting in safety updates to dam entry to any hijacked periods.
The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reviews of energetic exploitation. Nonetheless, Beaumont warned concerning the excessive chance of exploitation earlier this week.
The researcher’s worries now appear justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in focused assaults.
“Whereas no public exploitation of CVE-2025-5777, dubbed “Citrix Bleed 2,” has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to achieve preliminary entry to focused environments,” warns ReliaQuest.
This conclusion is predicated on the next observations from precise assaults seen just lately:
Hijacked Citrix internet periods had been noticed the place authentication was granted with out consumer interplay, indicating attackers bypassed MFA utilizing stolen session tokens.
Attackers reused the identical Citrix session throughout each reliable and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
LDAP queries had been initiated post-access, exhibiting that attackers carried out Energetic Listing reconnaissance to map customers, teams, and permissions.
A number of situations of ADExplorer64.exe ran throughout techniques, indicating coordinated area reconnaissance and connection makes an attempt to varied area controllers.
Citrix periods originated from knowledge middle IPs related to shopper VPN suppliers like DataCamp, suggesting attacker obfuscation through anonymized infrastructure.
The above is in line with post-exploitation exercise following unauthorized Citrix entry, reinforcing the evaluation that CVE-2025-5777 is being exploited within the wild.
To guard in opposition to this exercise, probably impacted customers ought to improve to variations 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.
After putting in the most recent firmware, admins ought to terminate all energetic ICA and PCoIP periods, as they could have already been hijacked.
Earlier than killing energetic periods, admins ought to first overview them for suspicious exercise utilizing the present icaconnection command and NetScaler Gateway > PCoIP > Connections.
After reviewing the energetic periods, admins can then terminate them utilizing these instructions:
kill icaconnection -all
kill pcoipconnection -all
If the speedy set up of safety updates is unattainable, it is strongly recommended that exterior entry to NetScaler be restricted through community ACLs or firewall guidelines.
In response to our questions as as to if CVE-2025-5777 is being actively exploited, Citrix referred us again to a weblog put up printed yesterday the place they state that they see no indicators of exploitation.
“At present, there isn’t a proof to recommend exploitation of CVE-2025-5777,” reads the Citrix put up.
Nonetheless, one other Citrix vulnerability, tracked as CVE-2025-6543 is being exploited in assaults to trigger a denial of service situation on NetScaler gadgets.
Citrix says that this flaw and the CVE-2025-5777 flaw are in the identical module however are totally different bugs.
Replace 6/27/25: Added details about Citrix’s weblog put up.
Patching used to imply advanced scripts, lengthy hours, and limitless hearth drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, scale back overhead, and deal with strategic work — no advanced scripts required.
