CitrixBleed 2 Vulnerability: Exploits and Technical Insights Unveiled

In June 2025, Citrix released patches for a critical vulnerability identified as CVE-2025-5777, commonly referred to as CitrixBleed 2. This flaw, with a CVSS score of 9.3, arises from insufficient input validation, leading to out-of-bounds memory reads in NetScaler ADC and NetScaler Gateway devices configured as a Gateway or AAA virtual server. The affected versions include NetScaler ADC 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, and their respective FIPS and NDcPP versions.
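To make the affected-version statement actionable, the following added example (not code from Citrix or from the original article) parses a NetScaler build string of the form `MAJOR.MINOR-BUILD.SUB` and compares it against the two fixed builds the text names, 14.1-43.56 and 13.1-58.32. The log-line format and the fixed-build table are taken from the paragraph above; the FIPS and NDcPP releases have their own fixed builds, which the article does not list, so the function reports them as unknown rather than guessing. The exposure check also requires the Gateway/AAA virtual-server condition the article states, since a vulnerable build that is not configured that way is not exposed.

```python
from __future__ import annotations

# Fixed builds named in the article for the two mainline branches.
# FIPS and NDcPP builds are deliberately absent: the article gives no numbers for them.
FIXED_BUILDS: dict[tuple[int, int], tuple[int, int]] = {
    (14, 1): (43, 56),
    (13, 1): (58, 32),
}


def parse_netscaler_version(version: str) -> tuple[tuple[int, int], tuple[int, int]]:
    """Split '14.1-43.56' into ((14, 1), (43, 56)): (major, minor), (build, sub-build)."""
    release, build = version.strip().split("-", 1)
    major, minor = (int(part) for part in release.split("."))
    build_no, sub = (int(part) for part in build.split("."))
    return (major, minor), (build_no, sub)


def is_vulnerable_build(version: str) -> bool | None:
    """True if the build is below the fixed build for its branch, False if at or above it,
    None if the branch is not one the article lists (for example a FIPS/NDcPP build)."""
    release, build = parse_netscaler_version(version)
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (43, 50) < (43, 56)


def is_exposed(version: str, gateway_or_aaa_vserver: bool) -> bool | None:
    """CVE-2025-5777 applies only when a vulnerable build is configured as a Gateway or AAA vserver."""
    vulnerable = is_vulnerable_build(version)
    if vulnerable is None:
        return None
    return vulnerable and gateway_or_aaa_vserver


if __name__ == "__main__":
    # Constructed inventory: hostname, build, whether a Gateway/AAA vserver is configured.
    inventory = [
        ("ns-edge-1", "14.1-43.50", True),
        ("ns-edge-2", "14.1-43.56", True),
        ("ns-lb-1", "13.1-57.26", False),
        ("ns-lb-2", "13.1-58.32", True),
    ]
    for host, build, has_gateway in inventory:
        print(host, build, "exposed" if is_exposed(build, has_gateway) else "not exposed")
```

The tuple comparison is what makes the check correct for builds such as 14.1-43.50 versus 14.1-43.56: comparing the raw strings would work here, but fails as soon as a build number gains a digit (for example 14.1-8.x versus 14.1-43.x), so always compare parsed integers.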

Shortly after the patches were released, security firm ReliaQuest reported evidence suggesting active exploitation of this vulnerability in the wild. Indicators observed included unauthorized Citrix web sessions, session reuse across multiple IP addresses, and LDAP queries indicative of Active Directory reconnaissance activities. These signs point to attackers leveraging the flaw to hijack user sessions and bypass multi-factor authentication (MFA).
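One of the indicators ReliaQuest describes, the same session being used from several IP addresses, can be hunted for directly in session logs. The example below is added here and is not code from ReliaQuest, Citrix, or the original article; it uses a constructed, simplified line format (`timestamp user=... session=... src=...`) rather than NetScaler's actual syslog layout, and a constructed sample log. It groups events by session identifier and flags any session observed from two different source addresses within a configurable window, so that a normal change of address hours later is not confused with a token that has been lifted and replayed from another host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format for this example; a real pipeline would parse the
# appliance's own session/audit log instead.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log. Session S1 is seen from an internal and an external
# address 12 minutes apart; session S3 changes address only after 3.5 hours.
SAMPLE_LOG = """\
2025-06-25T08:00:00Z user=alice session=S1 src=10.0.0.5
2025-06-25T08:05:00Z user=alice session=S1 src=10.0.0.5
2025-06-25T08:07:00Z user=bob session=S2 src=10.0.0.9
2025-06-25T08:12:00Z user=alice session=S1 src=203.0.113.40
2025-06-25T08:30:00Z user=carol session=S3 src=10.0.0.22
2025-06-25T12:00:00Z user=carol session=S3 src=10.0.0.23
"""


def parse_log(text: str) -> list[dict]:
    """Parse lines matching LOG_LINE; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_session_reuse(events: list[dict], window: timedelta = timedelta(minutes=30)) -> dict:
    """Return {session_id: sorted distinct source IPs} for every session that was
    used from more than one source address within `window` of itself."""
    by_session: dict[str, list[dict]] = defaultdict(list)
    for event in events:
        by_session[event["session"]].append(event)

    hits: dict[str, set[str]] = {}
    for session_id, session_events in by_session.items():
        session_events.sort(key=lambda e: e["ts"])
        for i, earlier in enumerate(session_events):
            for later in session_events[i + 1:]:
                if later["ts"] - earlier["ts"] > window:
                    break  # sorted by time, so nothing further is inside the window
                if earlier["src"] != later["src"]:
                    hits.setdefault(session_id, set()).update({earlier["src"], later["src"]})
    return {sid: sorted(ips) for sid, ips in hits.items()}


if __name__ == "__main__":
    for sid, ips in find_session_reuse(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} used from multiple addresses within window: {ips}")
```

Operationally, the flagged sessions are the ones to terminate first after patching, which is exactly the step Citrix recommends below; the window length is a tuning knob, and mobile or VPN users will produce some legitimate address changes, so the output is a triage list rather than a verdict.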

The vulnerability allows unauthenticated attackers to access sensitive memory regions, potentially exposing session tokens and credentials. This exposure enables session hijacking, granting attackers unauthorized access to systems and data. The flaw’s similarity to the previously exploited CitrixBleed (CVE-2023-4966) has raised significant concerns within the cybersecurity community.

In response to these developments, security researchers from watchTowr and Horizon3.ai have released detailed analyses and exploit code for CVE-2025-5777. These publications provide insights into the technical aspects of the vulnerability and demonstrate methods for exploiting it to retrieve user session tokens. Such information underscores the critical need for organizations to apply the available patches promptly.

Citrix has urged customers to upgrade their NetScaler instances to the patched versions immediately. Additionally, administrators are advised to terminate all active ICA and PCoIP sessions after upgrading, so that any sessions hijacked before the patch cannot continue to be used. This step is crucial, because patching alone does not invalidate session tokens an attacker may already have obtained.

The release of exploit code and technical details for CitrixBleed 2 highlights the urgency for organizations to address this vulnerability. Failure to do so could result in unauthorized access, data breaches, and significant operational disruptions. Organizations are encouraged to follow Citrix’s guidance, apply the necessary patches, and implement additional security measures to safeguard their systems against potential attacks.