CyberSecurity news

FlagThis - #citrix

@socprime.com //
A critical vulnerability, identified as CVE-2025-5777 and nicknamed "CitrixBleed 2," has been discovered in Citrix NetScaler ADC and Gateway. This memory disclosure vulnerability allows unauthenticated remote attackers to extract sensitive information, including session tokens and credentials, from affected devices. Security researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirm that this flaw is being actively exploited in the wild. The vulnerability is particularly concerning due to its similarity to the infamous CVE-2023-4966, or "CitrixBleed," which also led to widespread exploitation and session hijacking. The ease of exploitation and the potential for bypassing multi-factor authentication (MFA) make this a significant threat to organizations globally.

Exploitation of CitrixBleed 2 reportedly began as early as mid-June, with proof-of-concept exploits now publicly available. This has led to a surge in scanning activity as attackers search for vulnerable systems. The U.S. government has been alerted to the severity of the threat, with CISA issuing an urgent directive for federal agencies to patch their NetScaler systems within 24 hours. Despite this, concerns remain that a significant portion of Citrix customers have not yet applied the necessary patches, mirroring the delayed response seen during the previous CitrixBleed crisis. The ability for attackers to hijack existing user sessions and gain unauthorized access to critical systems highlights the urgent need for immediate mitigation.

The technical details of CVE-2025-5777 reveal that it stems from insufficient input validation, leading to memory overreads when NetScaler is configured as a Gateway or an AAA virtual server. Attackers can trigger a memory leak by sending specially crafted HTTP requests to the NetScaler login endpoint. The leaked memory can contain sensitive session tokens, allowing attackers to impersonate authenticated users and bypass MFA, thereby gaining access to internal networks. The potential consequences of successful exploitation range from data breaches and ransomware attacks to the disruption of critical operations across various sectors, including finance and healthcare. Organizations are strongly advised to update their Citrix NetScaler devices to the latest fixed versions immediately.

Recommended read:
References:
  • labs.watchtowr.com: Blog post detailing the Citrix NetScaler memory disclosure vulnerability (CitrixBleed 2) and its potential impact.
  • socprime.com: Article discussing the detection and exploitation of CVE-2025-5777 in Citrix NetScaler ADC.
  • Wiz Blog | RSS feed: Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
  • Kevin Beaumont: First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. If you call the login page, it leaks memory in the response 🤣 I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.
  • SOC Prime Blog: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk
  • Resources-2: CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained
  • gbhackers.com: CitrixBleed 2 Vulnerability PoC Published – Experts Warn of Mass Exploitation Risk
  • The Register - Security: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
  • Talkback Resources: CVE-2025-5777: CitrixBleed 2 Exploit Deep Dive by Horizon3.ai [exp]
  • Glenn ?: Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling
  • horizon3.ai: Horizon3.ai
  • doublepulsar.com: CitrixBleed 2 exploitation started mid-June — how to spot it CitrixBleed 2 — CVE-2025–5777 — has been under active exploitation to hijack Netscaler sessions, bypassing MFA, globally for a month.
  • viz.greynoise.io: get on mastodon
  • www.stormshield.com: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
  • Stormshield: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
  • Zack Whittaker: New, from me: CISA has given the federal government just one day to patch its NetScaler systems, after confirming "Citrix Bleed 2" is being actively exploited in hacking campaigns. Citrix's advisory, meanwhile, still doesn't mention that the bug is being exploited.
  • Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • techcrunch.com: CISA Confirms Hackers Actively Exploiting Critical Citrix Bleed 2 Bug
  • techcrunch.com: The U.S. cybersecurity agency gave federal agencies just one day to patch a security bug in Citrix Netscaler, which can be exploited to break into corporate and government networks.
  • www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw

@socprime.com //
Citrix NetScaler ADC and Gateway systems are currently facing a critical security threat, identified as CVE-2025-5777, and widely nicknamed "CitrixBleed 2". This vulnerability, similar to the infamous CitrixBleed from 2023, allows unauthenticated attackers to exploit memory overread issues. This exploitation can lead to the disclosure of sensitive information, including session tokens and user credentials, enabling attackers to bypass multi-factor authentication and hijack active remote sessions. Security researchers have noted that exploitation of this flaw began as early as mid-June, with evidence pointing to its use in active hacking campaigns.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. This designation carries significant weight, and CISA has issued a stern warning, urging federal civilian agencies to apply necessary patches within 24 hours. The urgency stems from the understanding that vulnerabilities like this are frequent vectors for malicious cyber actors, posing a substantial risk to government and corporate networks. While Citrix initially released guidance and patches in June, concerns have been raised about the vendor's response in acknowledging the widespread exploitation of this critical flaw.

The exploitation of CitrixBleed 2, alongside other critical vulnerabilities like CVE-2025-5349 and CVE-2025-6543, presents a significant risk to organizations. CVE-2025-5777 specifically allows attackers to steal session tokens, effectively enabling them to impersonate authenticated users and bypass security measures like MFA. This is a direct echo of the impact of the original CitrixBleed vulnerability, which was widely abused by nation-state actors and ransomware groups. The ongoing exploitation means that a considerable portion of the Citrix NetScaler user base may still be vulnerable, underscoring the critical need for immediate patching and diligent security practices.

Recommended read:
References:
  • Wiz Blog | RSS feed: Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know
  • labs.watchtowr.com: How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777) - watchTowr Labs
  • socprime.com: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk
  • SOC Prime Blog: CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk
  • Talkback Resources: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
  • Resources-2: CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained
  • Glenn ?: 🥜 & - Thanks to Horizon3, we pushed a tag out today for CitrixBleed 2 CVE-2025-5777 and are backfilling.
  • community.emergingthreats.net: Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)
  • doublepulsar.com: CitrixBleed 2 exploitation started mid-June — how to spot it
  • horizon3.ai: CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
  • The Register - Security: CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands
  • www.stormshield.com: Security alert Citrix NetScaler CVE-2025-5777: Stormshield Products Response
  • Stormshield: Security alert Citrix NetScaler CVE-2025-5777
  • techcrunch.com: CISA confirms hackers are actively exploiting critical Citrix Bleed 2 bug
  • Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • Zack Whittaker: CISA has given the federal government just one day to patch its NetScaler systems, after confirming Citrix Bleed 2 is being actively exploited in hacking campaigns.
  • www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
  • www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • The Register - Security: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
  • techcrunch.com: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
  • The Hacker News: CISA adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • Help Net Security: CISA has added one new vulnerability to its Known Exploited Vulnerabilities catalog, based on evidence of active exploitation.
  • securityaffairs.com: U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
  • Talkback Resources: CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch

David Jones@cybersecuritydive.com //
The cybersecurity community is on high alert due to the active exploitation of a critical vulnerability in Citrix NetScaler devices, known as CitrixBleed 2 (CVE-2025-5777). This flaw allows attackers to perform dangerous memory leak attacks, potentially exposing sensitive user credentials and other confidential data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially recognized the severity of this threat by adding it to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. Federal agencies have been given a strict 24-hour deadline to patch affected systems, underscoring the urgency of the situation and the significant risk posed to government and enterprise networks.

CitrixBleed 2, which researchers have noted shares similarities with a previous critical vulnerability in Citrix NetScaler (CVE-2023-4966), enables attackers to bypass multi-factor authentication (MFA) and hijack user sessions. This memory leak vulnerability, stemming from insufficient input validation, allows unauthenticated attackers to read sensitive information from NetScaler devices configured as Gateways or AAA virtual servers. The exploitation of this flaw appears to have begun in late June, with reports indicating that some attackers may be linked to ransomware groups. The ease with which session tokens can be stolen and replayed to impersonate authenticated users presents a substantial threat to organizations relying on these Citrix products for remote access.

In response to the escalating threat, cybersecurity researchers have confirmed widespread scanning and probing activity for the vulnerability. The U.S. CISA's inclusion of CVE-2025-5777 on its Known Exploited Vulnerabilities list serves as a strong warning to all organizations to prioritize patching their Citrix NetScaler ADC and Gateway devices immediately. Failure to do so leaves networks vulnerable to sophisticated attacks that can lead to significant data breaches and operational disruptions. Organizations are strongly advised to apply the latest security patches and updates as soon as possible to mitigate the risks associated with this critical vulnerability.

Recommended read:
References:
  • The Register - Security: Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
  • securityaffairs.com: U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
  • The Hacker News: CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises
  • www.cybersecuritydive.com: Researchers, CISA confirm active exploitation of critical Citrix Netscaler flaw
  • Blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks
  • techcrunch.com: CISA warns hackers are actively exploiting critical ‘Citrix Bleed 2’ security flaw
  • www.imperva.com: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks

@support.citrix.com //
Two high-severity vulnerabilities, identified as CVE-2025-5349 and CVE-2025-5777, have been discovered in Citrix NetScaler ADC and NetScaler Gateway products. According to a Citrix advisory released on June 17, 2025, these flaws pose a significant risk to organizations using the affected products. It is strongly recommended that users update their systems as soon as possible to mitigate potential exploits. These vulnerabilities affect NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS. Note that versions 12.1 and 13.0 are End Of Life (EOL) and are also vulnerable.

CVE-2025-5777, which has a CVSS score of 9.3, stems from insufficient input validation, leading to a memory overread. This vulnerability is only exploitable when NetScaler is configured as a Gateway, encompassing VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy, or when configured as an AAA virtual server. CVE-2025-5349, with a CVSS score of 8.7, is attributed to improper access control on the NetScaler Management Interface. Exploitation of this vulnerability requires the attacker to have access to the NSIP address, the Cluster Management IP, or the local GSLB Site IP. The National Vulnerability Database provides additional detail on both CVE-2025-5349 and CVE-2025-5777.

To address these vulnerabilities, Citrix advises upgrading to the latest versions of NetScaler ADC and NetScaler Gateway. Additionally, after upgrading all NetScaler appliances in a high availability (HA) pair or cluster to the fixed builds, Citrix recommends executing the following commands to terminate all active ICA and PCoIP sessions: `kill icaconnection -all` and `kill pcoipConnection -all`. CERT-In has also issued an advisory regarding these vulnerabilities. Further information regarding the impact on businesses can be found on Cyberexpress.
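The version ranges in the advisory above are easy to misread when an inventory mixes standard, FIPS and NDcPP builds, and the EOL 12.1 and 13.0 branches have no fixed build at all. The following is an added example, not Citrix's own tooling, that encodes exactly the ranges quoted from the June 17, 2025 advisory and triages a list of appliances; the hostnames and version strings in the inventory are constructed, and the version notation assumed is the advisory's own `MAJOR.MINOR-BUILD.SUB[-FIPS|-NDcPP]` form.

```python
import re
from typing import NamedTuple, Dict, List, Tuple

# Version notation as written in the Citrix advisory, e.g. 14.1-43.56 or 13.1-37.235-FIPS.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")


class NsVersion(NamedTuple):
    major: int
    minor: int
    build: int
    sub: int
    variant: str  # "" for a standard build, otherwise "FIPS" or "NDcPP"

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> NsVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return NsVersion(int(m[1]), int(m[2]), int(m[3]), int(m[4]), m[5] or "")


# First fixed build per (branch, variant), straight from the advisory text:
#   14.1 before 14.1-43.56, 13.1 before 13.1-58.32,
#   13.1-FIPS/NDcPP before 13.1-37.235, 12.1-FIPS before 12.1-55.328-FIPS.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Branches the advisory marks End Of Life and vulnerable with no fixed build.
EOL_BRANCHES = {("12.1", ""), ("13.0", "")}

# Post-upgrade step from the advisory: once every node of an HA pair or
# cluster runs a fixed build, terminate existing ICA and PCoIP sessions.
POST_UPGRADE_COMMANDS = ["kill icaconnection -all", "kill pcoipConnection -all"]


def assess(version_text: str) -> Tuple[str, str]:
    """Return (status, advice) where status is 'vulnerable', 'fixed' or 'unknown'."""
    v = parse_version(version_text)
    key = (v.branch, v.variant)
    if key in EOL_BRANCHES:
        return ("vulnerable", f"{v.branch} is EOL with no fix; migrate to a supported branch")
    if key not in FIXED_BUILDS:
        return ("unknown", f"{v.branch}{'-' + v.variant if v.variant else ''} is not listed in the advisory")
    fixed_build, fixed_sub = FIXED_BUILDS[key]
    suffix = f"-{v.variant}" if v.variant else ""
    target = f"{v.branch}-{fixed_build}.{fixed_sub}{suffix}"
    # Tuple comparison orders by build first, then sub-build, matching how
    # Citrix numbers releases within a branch.
    if (v.build, v.sub) < (fixed_build, fixed_sub):
        return ("vulnerable", f"upgrade to {target} or later")
    return ("fixed", f"at or above {target}")


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group appliance names by status so the vulnerable set is obvious at a glance."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in inventory.items():
        status, _ = assess(version_text)
        groups[status].append(host)
    return groups


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = {
    "gw-dc1-01": "14.1-43.50",
    "gw-dc1-02": "14.1-47.46",
    "aaa-dc2-01": "13.1-58.31",
    "gw-fips-01": "13.1-37.234-FIPS",
    "gw-ndcpp-01": "13.1-37.235-NDcPP",
    "legacy-gw-01": "13.0-92.21",
    "lab-old-01": "11.1-65.25",
}

if __name__ == "__main__":
    for host, version_text in SAMPLE_INVENTORY.items():
        status, advice = assess(version_text)
        print(f"{host:14} {version_text:20} {status:10} {advice}")
    summary = triage(SAMPLE_INVENTORY)
    if summary["vulnerable"]:
        print("\nAfter upgrading every node in each HA pair or cluster, run:")
        for cmd in POST_UPGRADE_COMMANDS:
            print("  " + cmd)
```

The comparison is deliberately per-branch: a 14.1 build number is never compared against a 13.1 threshold, and a FIPS or NDcPP build is only judged against its own fixed build, so a 13.1-40.x FIPS appliance is correctly reported as fixed even though 13.1-40.x is below the 58.32 threshold for standard builds. Branches the advisory does not name come back as "unknown" rather than being silently treated as safe.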

Recommended read:
References:
  • thecyberexpress.com: Two High-Severity Flaws Found in NetScaler Products: CVE-2025-5349 and CVE-2025-5777
  • cert.europa.eu: CERT-In has issued an advisory regarding these vulnerabilities.
  • nvd.nist.gov: The National Vulnerability Database provides additional detail on CVE-2025-5349 and CVE-2025-5777.
  • Blog: How to find Citrix NetScaler ADC & Gateway instances on your network
  • doublepulsar.com: CitrixBleed 2: Electric Boogaloo — CVE-2025–5777
  • infosec.exchange: Critical Netscaler CVE-2025-5777 patch released!
  • www.helpnetsecurity.com: Critical Netscaler CVE-2025-5777 patch released! Like CitrixBleed, this vulnerability allows attackers to grab valid session tokens from the memory of internet-facing devices by sending malformed requests: