A critical security vulnerability, designated as CVE-2025-5777 and colloquially termed CitrixBleed 2, has been identified in Citrix NetScaler ADC and Gateway devices. This flaw enables unauthenticated attackers to extract sensitive information directly from the device’s memory, potentially leading to session hijacking and the circumvention of multi-factor authentication (MFA) mechanisms.
Understanding CVE-2025-5777:
CVE-2025-5777 is an out-of-bounds memory read caused by insufficient input validation. It affects a NetScaler appliance only when it is configured as a Gateway or as an AAA virtual server, that is, in any of the following roles:
– VPN virtual servers
– ICA Proxy
– Clientless VPN (CVPN)
– RDP Proxy
– AAA authentication endpoints
The leaked memory can contain session tokens, credentials, and other authentication secrets from earlier requests. An attacker who recovers a valid session token can replay it to hijack that user's session and bypass MFA, since the MFA challenge was already satisfied by the legitimate user, gaining unauthorized access to the enterprise network behind the Gateway.
Active Exploitation Indicators:
Cybersecurity firm ReliaQuest has observed evidence suggesting that CVE-2025-5777 is being actively exploited. Indicators include:
– Hijacked Citrix web sessions where authentication was granted without user interaction, indicating MFA bypass.
– Session reuse across multiple IP addresses, both legitimate and suspicious, suggesting session hijacking.
– LDAP queries indicative of Active Directory reconnaissance.
– Multiple instances of ADExplorer64.exe, a tool used for domain reconnaissance.
– Citrix sessions originating from data center IPs associated with consumer VPN providers, indicating attacker obfuscation.
These activities are consistent with post-exploitation behavior following unauthorized Citrix access.
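The indicators above translate directly into hunt queries. The script below is an added example (not part of the original advisory or ReliaQuest's tooling) that runs three of them over constructed sample logs: a Gateway session observed from more than one client IP, a session with a client IP in a range you attribute to consumer VPN or hosting providers, and process-creation events for ADExplorer64.exe. The key=value log layouts, host names, user names and the VPN range are assumptions made for the example; NetScaler's real syslog fields and your endpoint telemetry will differ, so adjust the regular expressions to your feed.

```python
"""Hunt for the post-exploitation indicators listed above across two feeds.

Added example, not from the original advisory. The log layouts, host names,
user names and VPN ranges below are constructed for illustration; NetScaler's
real syslog fields and your endpoint telemetry will differ, so adjust the regexes.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed NetScaler-style SSLVPN events: one LOGIN, then connection
# records tied to the same SessionId. The key=value layout is an assumption.
NS_LOG = """\
2025-06-27T09:58:11Z SSLVPN LOGIN SessionId=41 User=jsmith Client_ip=203.0.113.10
2025-06-27T10:03:27Z SSLVPN TCPCONNSTAT SessionId=41 User=jsmith Client_ip=203.0.113.10
2025-06-27T10:05:44Z SSLVPN TCPCONNSTAT SessionId=41 User=jsmith Client_ip=198.51.100.77
2025-06-27T10:06:02Z SSLVPN LOGIN SessionId=42 User=akim Client_ip=192.0.2.25
2025-06-27T10:09:13Z SSLVPN TCPCONNSTAT SessionId=42 User=akim Client_ip=192.0.2.25
"""

# Constructed process-creation events from workstations (Sysmon-like, assumed layout).
ENDPOINT_LOG = r"""
2025-06-27T10:11:05Z host=WS-0412 user=jsmith image=C:\Users\jsmith\Downloads\ADExplorer64.exe
2025-06-27T10:11:40Z host=WS-0412 user=jsmith image=C:\Windows\System32\notepad.exe
2025-06-27T10:12:09Z host=WS-0902 user=akim image=C:\Tools\ADExplorer64.exe
"""

# Assumed: blocks you attribute to consumer VPN or hosting providers (use your own list).
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

NS_RE = re.compile(r"SessionId=(?P<sid>\d+) User=(?P<user>\S+) Client_ip=(?P<ip>\S+)")
PROC_RE = re.compile(r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+)")
RECON_TOOLS = {"adexplorer64.exe", "adexplorer.exe"}


def session_sources(log):
    """Map each SessionId to the set of client IPs it was used from, plus its user."""
    ips, users = defaultdict(set), {}
    for line in log.splitlines():
        m = NS_RE.search(line)
        if m:
            ips[m["sid"]].add(m["ip"])
            users[m["sid"]] = m["user"]
    return ips, users


def find_session_reuse(log):
    """Sessions observed from more than one client IP: the hijack indicator above."""
    ips, users = session_sources(log)
    return {sid: (users[sid], sorted(seen)) for sid, seen in ips.items() if len(seen) > 1}


def find_vpn_sourced_sessions(log, ranges=VPN_RANGES):
    """Sessions with at least one client IP inside a flagged VPN/hosting range."""
    ips, _ = session_sources(log)
    return sorted(
        sid for sid, seen in ips.items()
        if any(ipaddress.ip_address(ip) in net for ip in seen for net in ranges)
    )


def find_recon_tools(log):
    """Process events whose image file name is a known AD reconnaissance binary."""
    hits = []
    for line in log.splitlines():
        m = PROC_RE.search(line)
        if m and m["image"].rsplit("\\", 1)[-1].lower() in RECON_TOOLS:
            hits.append((m["host"], m["user"], m["image"]))
    return hits


if __name__ == "__main__":
    for sid, (user, seen) in find_session_reuse(NS_LOG).items():
        print(f"session {sid} ({user}) used from {', '.join(seen)}")
    print("VPN-sourced sessions:", find_vpn_sourced_sessions(NS_LOG))
    for host, user, image in find_recon_tools(ENDPOINT_LOG):
        print(f"recon tool on {host} as {user}: {image}")
```

On the constructed data, session 41 is flagged twice (it moves from 203.0.113.10 to an address in the flagged range) while session 42 stays clean; both ADExplorer64.exe launches are reported regardless of path. A mobile user changing networks will also trip the multi-IP rule, so treat it as a lead to correlate with the other indicators rather than a verdict on its own.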
Proof-of-Concept Release:
Security researchers have released a proof-of-concept (PoC) demonstrating exploitation of CVE-2025-5777. The PoC sends a malformed HTTP request to the Citrix Gateway login endpoint; the request is handled in a way that leaves a variable uninitialized, and the response echoes back that uninitialized memory, which can hold residue of earlier requests such as session tokens. Because the request needs no credentials and can be repeated at will, the PoC gives attackers a ready blueprint for harvesting tokens at scale, and it raises the likelihood of widespread exploitation.
Mitigation Measures:
Citrix has released security updates to address CVE-2025-5777. Affected versions include:
– NetScaler ADC and Gateway 14.1 before 14.1-43.56
– NetScaler ADC and Gateway 13.1 before 13.1-58.32
– NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235
– NetScaler ADC 12.1-FIPS before 12.1-55.328
Organizations are urged to upgrade to the fixed builds immediately. Patching stops further leaks, but it does not invalidate tokens that may already have been harvested, so once every node in the HA pair or cluster has been upgraded administrators should terminate all active ICA and PCoIP sessions from the NetScaler CLI:
```
kill icaconnection -all
kill pcoipconnection -all
```
Users will need to reconnect, which is the point: a session an attacker copied out of memory is worthless once it is killed.
For organizations unable to apply the updates promptly, limiting external access to the NetScaler Gateway and AAA virtual servers via network ACLs or firewall rules reduces exposure. This is a stopgap rather than a fix: the vulnerable code sits in the login path that a remote-access gateway exists to expose, so the restriction is only as good as the allowlist, and the upgrade plus session kill remains the required step.
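To check a fleet against the fixed builds listed above, a small version comparison saves reading build strings by eye. The script below is an added example, not Citrix's own tooling. It assumes the "MAJOR.MINOR-BUILD.SUB" form used in the advisory (for example "14.1-43.56") and, as a convenience, also accepts the "NetScaler NS14.1: Build 43.56.nc, Date: ..." banner that `show version` prints, a format assumed here rather than taken from the page. Because the FIPS and NDcPP trains use a different build numbering from the standard 13.1 and 12.1 trains, the caller must say which train the appliance runs; the 12.1 and 13.0 non-FIPS trains are end of life and receive no fix, so they are reported as unpatched.

```python
"""Compare a NetScaler build against the fixed builds for CVE-2025-5777.

Added example, not Citrix tooling. Version strings are assumed to follow the
"MAJOR.MINOR-BUILD.SUB" form used in the advisory; the banner format accepted by
normalize_show_version() is an assumption about `show version` output.
"""
import re

# Fixed builds per release train, as listed in the advisory. The second key
# element is True for the FIPS / NDcPP trains, which number builds separately.
FIXED_BUILDS = {
    ("14.1", False): "14.1-43.56",
    ("13.1", False): "13.1-58.32",
    ("13.1", True): "13.1-37.235",
    ("12.1", True): "12.1-55.328",
}

# Non-FIPS trains that are end of life: no fixed build exists, so they stay vulnerable.
EOL_TRAINS = {"12.1", "13.0"}

VERSION_RE = re.compile(r"^(?P<train>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)$")
BANNER_RE = re.compile(r"NS(?P<train>\d+\.\d+): Build (?P<build>\d+)\.(?P<sub>\d+)")


def parse_build(version):
    """Split '14.1-43.56' into ('14.1', (43, 56)) so builds compare numerically."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler version string: {version!r}")
    return m["train"], (int(m["build"]), int(m["sub"]))


def normalize_show_version(banner):
    """Turn an assumed 'NetScaler NS14.1: Build 43.56.nc, ...' banner into '14.1-43.56'."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognized show version banner: {banner!r}")
    return f"{m['train']}-{m['build']}.{m['sub']}"


def is_patched(version, fips=False):
    """True if the build is at or above the fixed build for its train.

    EOL non-FIPS trains return False (vulnerable, no fix available). An unknown
    train raises rather than guessing, so it shows up in the report.
    """
    train, build = parse_build(version)
    fixed = FIXED_BUILDS.get((train, fips))
    if fixed is None:
        if train in EOL_TRAINS and not fips:
            return False
        raise ValueError(f"no fixed build known for train {train} (fips={fips})")
    _, fixed_build = parse_build(fixed)
    return build >= fixed_build


def triage(inventory):
    """inventory: list of (hostname, version, fips). Returns {hostname: status}."""
    report = {}
    for host, version, fips in inventory:
        try:
            report[host] = "patched" if is_patched(version, fips) else "VULNERABLE"
        except ValueError as exc:
            report[host] = f"unknown ({exc})"
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration.
    fleet = [
        ("gw-east-1", "14.1-43.56", False),
        ("gw-east-2", "14.1-43.50", False),
        ("gw-fips-1", "13.1-37.235", True),
        ("gw-legacy", "13.0-92.21", False),
        ("gw-west-1", normalize_show_version("NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025"), False),
    ]
    for host, status in triage(fleet).items():
        print(f"{host:12} {status}")
```

Note the asymmetry the `fips` flag guards against: 13.1-37.235 is the fixed build for 13.1-FIPS but is far below the 13.1-58.32 required on the standard train, so a naive numeric comparison without the train type would mark a vulnerable standard 13.1 appliance as patched.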
Historical Context:
The original CitrixBleed vulnerability (CVE-2023-4966) was extensively exploited in 2023 by ransomware groups and nation-state actors, leading to significant breaches. The emergence of CitrixBleed 2 underscores the importance of proactive vulnerability management and prompt patching to mitigate potential threats.
Conclusion:
The release of a proof-of-concept for CVE-2025-5777, coupled with indicators of active exploitation, necessitates immediate action from organizations utilizing Citrix NetScaler devices. By applying the recommended updates and implementing additional security measures, organizations can protect their networks from potential breaches and unauthorized access.