Security researchers have identified active exploitation of a critical vulnerability in Citrix NetScaler appliances, designated as CVE-2025-5777 and commonly referred to as “CitrixBleed 2.” This flaw allows attackers to exfiltrate sensitive data from the device’s memory by sending specially crafted DTLS packets. Notably, malicious activities targeting this vulnerability were detected nearly two weeks prior to the public release of a proof-of-concept (PoC) exploit.
The vulnerability arises from improper bounds checking within the SSL processing module of Citrix NetScaler devices. By leveraging malformed DTLS handshake sequences, attackers can trigger out-of-bounds reads, potentially leaking memory contents such as credentials, configuration files, or cryptographic keys. Initial reconnaissance and attack patterns were first observed on June 23, while the PoC was not released until July 4. This early exploitation underscores the need for proactive threat intelligence and rapid patch management.
Early Detection and Exploitation
Researchers observed initial reconnaissance and attack patterns targeting this vulnerability as early as June 23, 2025. This activity occurred nearly two weeks before the public disclosure of a PoC exploit on July 4, 2025. The early exploitation highlights the importance of proactive threat intelligence and swift patch management to mitigate potential risks.
GreyNoise analysts assigned a dedicated tag to the traffic on July 7, enabling retrospective visibility into pre-PoC attacks across their sensor network. When researchers deployed sensors emulating Citrix NetScaler instances, they recorded anomalous DTLS handshake sequences originating from IP addresses geolocated in China. These packets exhibited malformed length fields that violated the DTLS specification, prompting kernel-level responses and revealing memory fragments.
Technical Details and Impact
The vulnerability carries a CVSS score of 9.8 and stems from improper bounds checking within the SSL processing module. By leveraging malformed DTLS handshake sequences, attackers can trigger out-of-bounds reads, potentially leaking memory contents such as credentials, configuration files, or cryptographic keys. Analysis of threat intelligence feeds revealed a focused campaign against enterprise perimeter devices rather than opportunistic mass scanning. The malicious IPs avoided bulk exploitation, instead selecting specific network blocks likely containing high-value Citrix NetScaler installations. This precision targeting suggests a reconnaissance phase where the attackers fingerprinted appliance versions before launching memory overread attempts, consistent with tactics seen in previous state-affiliated operations.
Mitigation Measures
On July 9, the Cybersecurity and Infrastructure Security Agency (CISA) corroborated GreyNoise findings and added CVE-2025-5777 to the Known Exploited Vulnerabilities (KEV) catalog. CISA’s public advisory urged immediate application of Citrix-provided patches and recommended continuous monitoring for anomalous DTLS traffic with abnormal record length values. The inclusion in the KEV accelerated awareness across U.S. federal and critical infrastructure sectors, driving accelerated mitigation efforts.
To counter ongoing exploitation, defenders are advised to apply Citrix’s firmware update and implement network controls that detect or block malformed DTLS records. By integrating threat intelligence sources directly into security infrastructure, organizations can reduce exposure windows and false positives, maintaining robust protection against CitrixBleed 2 exploitation.
The early exploitation of CitrixBleed 2 before public disclosure underscores the agility of threat actors in leveraging vulnerabilities. Organizations must prioritize proactive threat intelligence and rapid patch management to mitigate such risks effectively. Continuous monitoring and timely application of security updates are essential in defending against sophisticated cyber threats targeting critical infrastructure.