A new vulnerability in Citrix NetScaler ADC and Gateway has been dubbed “CitrixBleed 2,” after its similarity to an older, widely exploited flaw that allowed unauthenticated attackers to hijack authentication session cookies from vulnerable devices.
Last week, Citrix published a security bulletin warning about flaws tracked as CVE-2025-5777 and CVE-2025-5349 that impact NetScaler ADC and Gateway versions before 14.1-43.56, releases before 13.1-58.32, and also 13.1-37.235-FIPS/NDcPP and 12.1-55.328-FIPS.
CVE-2025-5777 is a critical flaw caused by an out-of-bounds memory read, allowing unauthenticated attackers to access portions of memory that they should not have access to.
This flaw impacts NetScaler devices that are configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN (CVPN), RDP Proxy) or as an AAA virtual server.
Cybersecurity researcher Kevin Beaumont says the flaw echoes the infamous ‘CitrixBleed’ vulnerability (CVE-2023-4966), which was widely exploited by threat actors, including in ransomware and government attacks.
Beaumont characterized CVE-2025-5777 as ‘CitrixBleed 2,’ stating that the flaw could allow attackers to potentially access session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers.
Leaked tokens could be replayed to hijack user sessions and bypass multi-factor authentication (MFA).
The same security bulletin lists a second, high-severity flaw tracked as CVE-2025-5349.
This is an improper access control issue in the NetScaler Management Interface, exploitable if the attacker has access to the NSIP (NetScaler Management IP), Cluster Management IP, or Local GSLB Site IP.
To address both risks, users are recommended to install NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32 and later, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS).
While Citrix has not stated whether these flaws are being actively exploited, it does recommend that admins terminate all active ICA and PCoIP sessions as soon as all appliances have been updated. Citrix gave the same advice for the original CitrixBleed flaws.
Before killing active sessions, admins should first review current sessions for suspicious activity, using the show icaconnection command for ICA sessions and NetScaler Gateway > PCoIP > Connections to see PCoIP sessions.
After reviewing the active sessions, admins should then terminate them using these commands:
kill icaconnection -all
kill pcoipconnection -all
In a LinkedIn post, Mandiant CTO Charles Carmakal warns that it is vital to kill sessions after updating devices, to prevent previously stolen sessions from being used even after the devices are no longer vulnerable.
“Many organizations did not terminate sessions when remediating a similar vulnerability in 2023 (CVE-2023-4966 aka “Citrix Bleed”),” warns Carmakal.
“In those cases, session secrets were stolen before companies patched, and the sessions were hijacked after the patch. Many of those compromises resulted in nation-state espionage or ransomware deployment.”
The flaws also impact end-of-life ADC / Gateway 12.1 (non-FIPS) and ADC / Gateway 13.0, which will not be receiving patches. Those still running these versions should upgrade to an actively supported release as soon as possible.
Beaumont’s internet scans return over 56,500 publicly exposed NetScaler ADC and Gateway endpoints, though what share of these are running versions vulnerable to CVE-2025-5349 and CVE-2025-5777 is unknown.
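As an added example, not part of the article or of any Citrix tooling, the following Python helper applies the fixed-build list and end-of-life branches given above to an inventory of appliances and reports which are patched, still vulnerable, or on a branch that gets no fix. It also parses the version string printed by the NetScaler "show ns version" command (an assumption about that command's output format; the article only shows the bulletin's "14.1-43.56" form), and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed builds from the Citrix bulletin quoted above, keyed by
# (release branch, FIPS/NDcPP build?). Anything below is exposed to
# CVE-2025-5777 and CVE-2025-5349; 13.0 and non-FIPS 12.1 get no fix.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}

# Accepts the bulletin form "14.1-43.56" as well as the string printed by
# the NetScaler CLI "show ns version", e.g. "NetScaler NS14.1: Build 43.56.nc".
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)")

def parse_version(text):
    """Return (branch, (build, point)), e.g. ("14.1", (43, 56))."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, point = m.groups()
    return f"{major}.{minor}", (int(build), int(point))

def assess(text, fips=False):
    """Classify one appliance as 'patched', 'vulnerable', 'eol' or 'unknown'."""
    branch, build = parse_version(text)
    if branch == "13.0" or (branch, fips) == ("12.1", False):
        return "eol"  # end-of-life: no fix will ship, upgrade the branch
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return "unknown"  # branch not covered by the bulletin
    # Tuple comparison orders (build, point) numerically, so 43.56 > 43.7.
    return "patched" if build >= fixed else "vulnerable"

def triage(inventory):
    """Group hostnames by status; rows are (host, version_string, fips)."""
    report = {}
    for host, version, fips in inventory:
        report.setdefault(assess(version, fips), []).append(host)
    return report

SAMPLE_INVENTORY = [  # constructed sample: hostnames and versions are made up
    ("gw-01.example.test", "NetScaler NS14.1: Build 43.56.nc", False),
    ("gw-02.example.test", "14.1-43.50", False),
    ("gw-03.example.test", "13.1-37.235", True),   # FIPS build: patched
    ("gw-04.example.test", "13.1-37.235", False),  # non-FIPS 13.1 needs 58.32
    ("gw-05.example.test", "12.1-65.39", False),   # non-FIPS 12.1: end of life
]
```

Note that the FIPS flag matters: build 13.1-37.235 is the fixed release for FIPS/NDcPP appliances but is still vulnerable on a standard 13.1 appliance, so the check cannot be done on the version number alone.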