
Citrix Bleed 2 flaw now believed to be exploited in attacks

A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely being exploited in attacks, according to cybersecurity firm ReliaQuest, which is seeing a rise in suspicious sessions on Citrix devices.

Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont because of its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to access parts of memory that should normally be inaccessible.

This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).

Citrix's advisory also confirms this risk, warning customers to end all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions.

The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation. However, Beaumont warned about the high likelihood of exploitation earlier this week.


The researcher's worries now appear justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks.

"While no public exploitation of CVE-2025-5777, dubbed "Citrix Bleed 2," has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ReliaQuest.

This conclusion is based on the following observations from actual attacks seen recently:

  • Hijacked Citrix web sessions were observed where authentication was granted without user interaction, indicating attackers bypassed MFA using stolen session tokens.
  • Attackers reused the same Citrix session across both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
  • LDAP queries were initiated post-access, showing that attackers performed Active Directory reconnaissance to map users, groups, and permissions.
  • Multiple instances of ADExplorer64.exe ran across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.
  • Citrix sessions originated from data center IPs associated with consumer VPN providers like DataCamp, suggesting attacker obfuscation via anonymized infrastructure.

The above is consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is being exploited in the wild.
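Two of the indicators listed above (one session ID used from several source IPs, and sessions arriving from data center or VPN ranges) are simple to check mechanically. The script below is an added example, not code from the article, ReliaQuest or Citrix; the log format, the sample lines and the "suspect" ranges are constructed assumptions for illustration.

```python
# Added example (not from the article, ReliaQuest or Citrix): flags session
# reuse across source IPs and sessions from suspect ranges in a constructed,
# simplified session log. Log format and IP ranges are assumptions only.
import ipaddress
from collections import defaultdict

# Constructed sample log, one record per line: "timestamp session_id user src_ip"
SAMPLE_LOG = """\
2025-06-25T08:01:10Z sess-a1 alice 203.0.113.10
2025-06-25T08:02:45Z sess-a1 alice 203.0.113.10
2025-06-25T08:15:02Z sess-a1 alice 198.51.100.77
2025-06-25T09:00:00Z sess-b2 bob 203.0.113.22
2025-06-25T09:05:30Z sess-c3 carol 192.0.2.5
"""

# Hypothetical data center / consumer-VPN ranges an analyst would maintain
# (constructed values using RFC 5737 documentation prefixes, not real providers).
SUSPECT_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]

def parse_log(text):
    """Yield (timestamp, session_id, user, src_ip) tuples, skipping blank lines."""
    for line in text.splitlines():
        if line.strip():
            ts, sid, user, ip = line.split()
            yield ts, sid, user, ipaddress.ip_address(ip)

def is_suspect_ip(ip):
    """True if the address falls inside one of the suspect ranges."""
    return any(ip in net for net in SUSPECT_RANGES)

def find_hijack_indicators(text):
    """Return ({session_id: sorted source IPs} for sessions seen from more than
    one IP, set of session IDs touched from a suspect range)."""
    ips_by_session = defaultdict(set)
    suspect_sessions = set()
    for _, sid, _, ip in parse_log(text):
        ips_by_session[sid].add(ip)
        if is_suspect_ip(ip):
            suspect_sessions.add(sid)
    reused = {sid: sorted(str(i) for i in ips)
              for sid, ips in ips_by_session.items() if len(ips) > 1}
    return reused, suspect_sessions

if __name__ == "__main__":
    reused, suspect = find_hijack_indicators(SAMPLE_LOG)
    for sid, ips in reused.items():
        print(f"session {sid} reused from {ips}")
    print("sessions from suspect ranges:", sorted(suspect))
```

Sessions flagged here are candidates for review before running the kill commands below, not proof of compromise on their own.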

To protect against this activity, potentially impacted customers should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.

After installing the latest firmware, admins should terminate all active ICA and PCoIP sessions, as they may have already been hijacked.

Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection command and NetScaler Gateway > PCoIP Connections.

After reviewing the active sessions, admins can then terminate them using these commands:

kill icaconnection -all
kill pcoipconnection -all

If the immediate installation of security updates is impossible, it is recommended that external access to NetScaler be restricted via network ACLs or firewall rules.

BleepingComputer contacted Citrix multiple times about the exploitation status of CVE-2025-5777 but has not received any replies.
