CyberSecurity news
@socprime.com
A critical vulnerability, identified as CVE-2025-5777 and nicknamed "CitrixBleed 2," has been discovered in Citrix NetScaler ADC and Gateway. This memory disclosure vulnerability allows unauthenticated remote attackers to extract sensitive information, including session tokens and credentials, from affected devices. Security researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirm that this flaw is being actively exploited in the wild. The vulnerability is particularly concerning due to its similarity to the infamous CVE-2023-4966, or "CitrixBleed," which also led to widespread exploitation and session hijacking. The ease of exploitation and the potential for bypassing multi-factor authentication (MFA) make this a significant threat to organizations globally.
Exploitation of CitrixBleed 2 reportedly began as early as mid-June, with proof-of-concept exploits now publicly available. This has led to a surge in scanning activity as attackers search for vulnerable systems. The U.S. government has been alerted to the severity of the threat, with CISA issuing an urgent directive for federal agencies to patch their NetScaler systems within 24 hours. Despite this, concerns remain that a significant portion of Citrix customers have not yet applied the necessary patches, mirroring the delayed response seen during the previous CitrixBleed crisis. The ability of attackers to hijack existing user sessions and gain unauthorized access to critical systems highlights the urgent need for immediate mitigation.
The technical details of CVE-2025-5777 reveal that it stems from insufficient input validation, leading to memory overreads when NetScaler is configured as a Gateway or an AAA virtual server. Attackers can trigger the memory disclosure by sending specially crafted HTTP requests to the NetScaler login endpoint. The leaked memory can contain sensitive session tokens, allowing attackers to impersonate authenticated users and bypass MFA, thereby gaining access to internal networks. The potential consequences of successful exploitation range from data breaches and ransomware attacks to the disruption of critical operations across various sectors, including finance and healthcare. Organizations are strongly advised to update their Citrix NetScaler devices to the latest fixed versions immediately.
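A defender-side check for the session hijacking described above, as an added example that is not from the original article or any vendor: it flags session identifiers used from more than one client IP within a short window, which is what reuse of a stolen token looks like in session logs. The key=value layout, field names and sample lines are constructed assumptions, not NetScaler's native log format.

```python
"""Flag session identifiers that appear from more than one client IP.

Assumption: gateway session events have been exported to key=value lines.
The field names and sample lines are constructed for this example; they are
not NetScaler's native log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (documentation IP ranges, made-up session ids).
SAMPLE_LOG = """\
ts=2025-07-01T09:00:05 user=alice session=a1f3 client_ip=198.51.100.10
ts=2025-07-01T09:02:11 user=bob session=b7c2 client_ip=198.51.100.22
ts=2025-07-01T09:14:40 user=alice session=a1f3 client_ip=198.51.100.10
ts=2025-07-01T09:20:03 user=alice session=a1f3 client_ip=203.0.113.77
ts=2025-07-01T17:45:00 user=bob session=b7c2 client_ip=198.51.100.23
"""


def parse_events(text):
    """Turn key=value lines into dicts; skip lines missing required fields."""
    events = []
    for line in text.splitlines():
        fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
        if {"ts", "session", "client_ip"} <= fields.keys():
            fields["ts"] = datetime.fromisoformat(fields["ts"])
            events.append(fields)
    return events


def find_shared_sessions(events, window=timedelta(hours=1)):
    """Return {session: sorted IPs} for sessions seen from 2+ IPs within window."""
    by_session = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_session[ev["session"]].append(ev)
    flagged = {}
    for session, evs in by_session.items():
        for i, first in enumerate(evs):
            # IPs that used this session within `window` after event i.
            ips = {e["client_ip"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ips) > 1:
                flagged[session] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for session, ips in find_shared_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"review session {session}: used from {', '.join(ips)}")
```

The one-hour window keeps a user who changes networks hours later (session `b7c2` in the sample) from being flagged; widen it to trade more false positives for coverage of slower reuse.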
References:
- labs.watchtowr.com: Blog post detailing the Citrix NetScaler memory disclosure vulnerability (CitrixBleed 2) and its potential impact.
- socprime.com: Article discussing the detection and exploitation of CVE-2025-5777 in Citrix NetScaler ADC.
- Wiz Blog | RSS feed: Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
- Kevin Beaumont: First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. If you call the login page, it leaks memory in the response 🤣 I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.
- SOC Prime Blog: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk
- Resources-2: CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained
- gbhackers.com: CitrixBleed 2 Vulnerability PoC Published – Experts Warn of Mass Exploitation Risk
- The Register - Security: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
- Talkback Resources: CVE-2025-5777: CitrixBleed 2 Exploit Deep Dive by Horizon3.ai [exp]
- Glenn ?: Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling
- horizon3.ai: Horizon3.ai
- doublepulsar.com: CitrixBleed 2 exploitation started mid-June — how to spot it CitrixBleed 2 — CVE-2025–5777 — has been under active exploitation to hijack Netscaler sessions, bypassing MFA, globally for a month.
- viz.greynoise.io: get on mastodon
- www.stormshield.com: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
- Stormshield: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
- Zack Whittaker: New, from me: CISA has given the federal government just one day to patch its NetScaler systems, after confirming "Citrix Bleed 2" is being actively exploited in hacking campaigns. Citrix's advisory, meanwhile, still doesn't mention that the bug is being exploited.
- Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
- www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
- techcrunch.com: CISA Confirms Hackers Actively Exploiting Critical Citrix Bleed 2 Bug
- techcrunch.com: The U.S. cybersecurity agency gave federal agencies just one day to patch a security bug in Citrix Netscaler, which can be exploited to break into corporate and government networks.
- www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
Classification:
- HashTags: #CitrixBleed2 #NetScalerADC #CVE-2025-5777
- Company: Citrix
- Target: Citrix NetScaler ADC users
- Product: Citrix NetScaler ADC
- Feature: Memory Management
- Type: Vulnerability
- Severity: Major