In June 2025, a critical security flaw, designated CVE-2025-5777 and colloquially known as CitrixBleed 2, was identified in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. The vulnerability stems from insufficient input validation that leads to out-of-bounds memory reads, allowing unauthenticated attackers to extract sensitive information directly from the device’s memory. Such information may include session tokens, credentials, and other confidential data, posing a significant risk to organizations relying on these devices for secure network operations.
Technical Overview:
CitrixBleed 2 affects NetScaler ADC and Gateway versions 14.1 before 14.1-43.56 and 13.1 before 13.1-58.32. The flaw is rooted in improper bounds checking within the SSL processing module. By sending specially crafted Datagram Transport Layer Security (DTLS) packets, attackers can trigger out-of-bounds reads, leading to the leakage of memory contents such as credentials, configuration files, or cryptographic keys. This vulnerability is reminiscent of the original CitrixBleed (CVE-2023-4966) disclosed in 2023, which was widely exploited by threat actors, including ransomware groups and state-sponsored entities. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/?utm_source=openai))
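A practical first step is checking an appliance inventory against the affected ranges stated above. The following Python is an added example, not Citrix tooling or anything from the cited articles; it assumes NetScaler build strings follow the "major.minor-build.sub" shape of the versions quoted in this section (for example 14.1-43.56) and that the inventory is a plain name-to-build mapping. Branches the article does not mention are reported as unknown rather than guessed.

```python
# Added example: classify NetScaler ADC/Gateway builds against the affected
# ranges given on this page for CVE-2025-5777. Not Citrix's own code.
import re
from typing import Dict, Tuple

# Branch -> first fixed build, exactly as this page states them.
FIXED_BUILDS = {
    "14.1": "14.1-43.56",
    "13.1": "13.1-58.32",
}

# Assumed build-string layout: major.minor-build.sub (e.g. "14.1-43.56").
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> Tuple[int, ...]:
    """Turn '14.1-43.56' into (14, 1, 43, 56) so comparisons are numeric.

    Comparing the raw strings would be wrong: '14.1-43.9' sorts after
    '14.1-43.56' lexicographically but is the older build.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def assess_build(build: str) -> str:
    """Return 'vulnerable', 'patched', or 'unknown-branch' for one build string.

    'unknown-branch' covers release lines this page gives no fixed build for
    (e.g. 12.1); nothing is claimed about them either way.
    """
    parsed = parse_build(build)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if parsed < parse_build(fixed) else "patched"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status for a {name: build} inventory."""
    return {name: assess_build(build) for name, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real appliances.
    sample = {
        "ns-gw-01": "14.1-43.50",
        "ns-gw-02": "14.1-43.56",
        "ns-adc-03": "13.1-57.26",
        "ns-adc-04": "13.1-58.32",
        "ns-legacy": "12.1-55.321",
    }
    for name, status in triage_inventory(sample).items():
        print(f"{name}: {status}")
```

The numeric tuple comparison is the point worth noting: a quick string comparison or a "starts with 14.1-43" check will misclassify builds whose sub-version has fewer digits, and a device reported as patched by mistake is exactly the one that stays exposed.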
Discovery and Exploitation Timeline:
The vulnerability was first disclosed by Citrix on June 17, 2025, with an accompanying security patch. Despite the availability of this patch, many systems remained unpatched, leaving them susceptible to exploitation. Security researchers observed active exploitation attempts as early as June 23, 2025, nearly two weeks before a public proof-of-concept (PoC) was released on July 4, 2025. This early exploitation underscores the urgency for organizations to implement patches promptly upon their release. ([arstechnica.com](https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/?utm_source=openai))
Indicators of Compromise:
Organizations should be vigilant for signs of exploitation, which may include:
– Unauthorized access to Citrix web sessions without user knowledge, indicating potential bypass of multi-factor authentication (MFA).
– Session reuse across multiple IP addresses, including combinations of expected and suspicious IPs.
– Unusual LDAP queries associated with Active Directory reconnaissance activities.
– Presence of tools like ADExplorer64.exe querying domain-level groups and permissions.
– Citrix sessions originating from data-center-hosting IP addresses, suggesting the use of consumer VPN services.
These indicators suggest that attackers are actively exploiting the vulnerability to gain initial access to targeted environments. ([infosecurity-magazine.com](https://www.infosecurity-magazine.com/news/citrixbleed-2-vulnerability/?utm_source=openai))
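Two of the indicators above, a session reused from more than one source IP and sessions arriving from hosting-provider address space, can be checked mechanically against session logs. The Python below is an added example, not code from the cited reports or from Citrix; it assumes a simplified log line of "timestamp session_id source_ip" (not NetScaler's real log layout) and a constructed hosting-range list standing in for whatever ASN or hosting-provider feed a SOC actually uses. The sample log lines are constructed for the example.

```python
# Added example: flag session reuse across IPs and sessions sourced from
# data-center/hosting address space, two of the indicators listed above.
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample log lines (assumed format: "timestamp session_id src_ip").
# All addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
2025-06-24T08:01:12Z sess-1001 203.0.113.10
2025-06-24T08:03:40Z sess-1001 203.0.113.10
2025-06-24T08:05:02Z sess-1001 198.51.100.77
2025-06-24T08:06:19Z sess-1002 192.0.2.44
2025-06-24T08:07:55Z sess-1003 192.0.2.45
2025-06-24T08:09:30Z sess-1003 192.0.2.46
2025-06-24T08:11:04Z sess-1004 198.51.100.78
"""

# Constructed stand-in for a hosting-provider/data-center prefix feed.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

Record = Tuple[str, str, ipaddress.IPv4Address]


def parse_log(text: str) -> List[Record]:
    """Split each non-empty line into (timestamp, session_id, ip_address)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, ip = line.split()
        records.append((ts, sid, ipaddress.ip_address(ip)))
    return records


def is_hosting_ip(ip) -> bool:
    """True if the address (str or ipaddress object) falls in a hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_session_reuse(records: List[Record]) -> Dict[str, Set[ipaddress.IPv4Address]]:
    """Sessions observed from more than one source IP -> the set of IPs seen."""
    ips: Dict[str, Set[ipaddress.IPv4Address]] = defaultdict(set)
    for _, sid, ip in records:
        ips[sid].add(ip)
    return {sid: seen for sid, seen in ips.items() if len(seen) > 1}


def find_hosting_sessions(records: List[Record]) -> List[str]:
    """Sorted session IDs that were used from a hosting-range address."""
    return sorted({sid for _, sid, ip in records if is_hosting_ip(ip)})


def triage(text: str) -> dict:
    """Run both checks and also report sessions that trip both indicators."""
    records = parse_log(text)
    reuse = find_session_reuse(records)
    hosting = find_hosting_sessions(records)
    return {
        "session_reuse": {sid: sorted(str(ip) for ip in seen) for sid, seen in reuse.items()},
        "hosting_origin": hosting,
        # Both indicators on one session is the highest-confidence case.
        "both": sorted(set(reuse) & set(hosting)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, sess-1001 trips both checks, sess-1003 only the reuse check, and sess-1004 only the hosting check. Session reuse on its own has benign causes (mobile clients changing networks, load-balanced egress), so the combined set is the one worth escalating first, with the single-indicator sessions queued behind it.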
Mitigation Measures:
To protect against CitrixBleed 2, organizations are strongly advised to:
1. Apply Patches Immediately: Citrix has released patches addressing this vulnerability. Organizations should update their NetScaler ADC and Gateway devices to the latest versions without delay.
2. Terminate Active Sessions Post-Patch: After applying the patch, it’s crucial to terminate all active sessions to prevent attackers from using stolen session tokens. This can be achieved using the commands kill icaconnection -all and kill pcoipConnection -all. ([scworld.com](https://www.scworld.com/news/citrix-patches-critical-0-day-amid-citrixbleed-2-concerns?utm_source=openai))
3. Monitor for Anomalous Activity: Implement continuous monitoring for unusual DTLS traffic with abnormal record length values, which may indicate exploitation attempts.
4. Enhance Network Controls: Deploy network controls that detect or block malformed DTLS records to prevent exploitation.
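Steps 3 and 4 both come down to checking that every DTLS record's declared length is consistent with the datagram that carries it. The Python below is an added example, not Citrix code or anything from the cited articles; it parses the standard 13-byte DTLS record header (content type, version, epoch, 48-bit sequence number, 16-bit length) and reports a record whose declared length overruns the datagram, exceeds the protocol's record-size ceiling, or carries an unknown version or content type. The sample datagrams are constructed in-line for the example; the `build_record` helper exists only to assemble those fixtures.

```python
# Added example: sanity-check DTLS record framing in a UDP payload so that
# records with abnormal length values can be logged or dropped. Not Citrix code.
import struct
from typing import Dict, List, Optional

DTLS_HEADER_LEN = 13
# TLS 1.2 / DTLS 1.2 bound on TLSCiphertext.length (2^14 + 2048 bytes).
MAX_RECORD_LEN = 2 ** 14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
KNOWN_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
# Header layout: type(1) version(2) epoch(2) seq_hi(2) seq_lo(4) length(2).
_HEADER_FMT = "!BHHHIH"


def parse_dtls_records(datagram: bytes) -> List[Dict]:
    """Walk the records in one datagram, never trusting a length field blindly."""
    records: List[Dict] = []
    offset = 0
    while offset < len(datagram):
        remaining = len(datagram) - offset
        if remaining < DTLS_HEADER_LEN:
            records.append({"offset": offset, "anomalies": ["truncated_header"]})
            break
        ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack_from(_HEADER_FMT, datagram, offset)
        anomalies = []
        if version not in KNOWN_VERSIONS:
            anomalies.append("unknown_version")
        if ctype not in CONTENT_TYPES:
            anomalies.append("unknown_content_type")
        if length > MAX_RECORD_LEN:
            anomalies.append("length_exceeds_max")
        available = remaining - DTLS_HEADER_LEN
        if length > available:
            # The header promises more payload than the datagram holds; a
            # parser that trusts the field would read past the buffer.
            anomalies.append("length_overruns_datagram")
        records.append({
            "offset": offset,
            "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": KNOWN_VERSIONS.get(version, f"unknown(0x{version:04x})"),
            "epoch": epoch,
            "seq": (seq_hi << 32) | seq_lo,
            "length": length,
            "anomalies": anomalies,
        })
        if length > available:
            break  # cannot locate the next record once framing is broken
        offset += DTLS_HEADER_LEN + length
    return records


def datagram_verdict(datagram: bytes) -> Dict:
    """Summarise a datagram as ok/suspicious with the distinct anomalies seen."""
    anomalies = sorted({a for r in parse_dtls_records(datagram) for a in r["anomalies"]})
    return {"verdict": "suspicious" if anomalies else "ok", "anomalies": anomalies}


def build_record(ctype: int, version: int, epoch: int, seq: int, payload: bytes,
                 declared_length: Optional[int] = None) -> bytes:
    """Assemble one record for the constructed fixtures below."""
    length = len(payload) if declared_length is None else declared_length
    header = struct.pack(_HEADER_FMT, ctype, version, epoch, (seq >> 32) & 0xFFFF, seq & 0xFFFFFFFF, length)
    return header + payload


# Constructed fixtures (not captured traffic).
GOOD = build_record(23, 0xFEFD, 1, 5, b"ABCD") + build_record(21, 0xFEFD, 1, 6, b"\x01\x00")
OVERRUN = build_record(23, 0xFEFD, 1, 7, b"ABCD", declared_length=0x4000)
OVERSIZED = build_record(23, 0xFEFD, 1, 8, b"ABCD", declared_length=0xFFFF)
TRUNCATED = b"\x17\xfe\xfd\x00"

if __name__ == "__main__":
    for name, dgram in [("GOOD", GOOD), ("OVERRUN", OVERRUN), ("OVERSIZED", OVERSIZED), ("TRUNCATED", TRUNCATED)]:
        print(name, datagram_verdict(dgram))
```

This checks record framing only; it says nothing about the NetScaler-specific handling the page does not describe, and a datagram that passes is merely well-formed, not safe. Its value is as a cheap, protocol-level rule for step 4 (drop or alert on the `length_overruns_datagram` and `length_exceeds_max` cases) and as a way to generate the "abnormal record length" events step 3 asks you to monitor.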
Regulatory Response:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5777 to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the severity of the threat. Federal agencies have been mandated to apply the patch within 24 hours, a significantly shorter deadline than the typical 21-day period, underscoring the critical nature of this vulnerability. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/cisa-tags-citrix-bleed-2-as-exploited-gives-agencies-a-day-to-patch/?utm_source=openai))
Conclusion:
The CitrixBleed 2 vulnerability presents a substantial risk to organizations utilizing Citrix NetScaler ADC and Gateway devices. Given the active exploitation and the potential for unauthorized access to sensitive data, immediate action is imperative. By promptly applying patches, terminating active sessions, and enhancing monitoring and network controls, organizations can mitigate the risks associated with this critical vulnerability.