Jul 7, 2025

Administrators of Citrix Netscaler devices should immediately patch their devices to fix two actively exploited vulnerabilities. One, dubbed Citrix Bleed 2, can be abused by hackers to bypass multifactor authentication, hijack user sessions and gain unauthorized access to the equipment. The vulnerabilities are present in customer-managed NetScaler ADC, formerly Citrix ADC and NetScaler Gateway, formerly Citrix Gateway devices that customers manage themselves. Citrix on June 17 released a patch to fix a critical vulnerability in NetScaler ADC and NetScaler Gateway 14.1, 13.1 and NetScaler ADC 13.1-FIPS and NDcPP," tracked as CVE-2025-5777 , with a CVSS score of 9.2. After patching, Citrix said administrators must terminate all active ICA and PCoIP sessions. The company said "NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end of life and are vulnerable" and will not be patched. The company recommends customers "upgrade their appliances to one of the supported versions that address the vulnerabilities." As of Saturday, British cybersecurity expert Kevin Beaumont said in a post to social platform Mastodon that his scans have counted over 18,000 Citrix systems connected to the internet, of which about one quarter appear to remain unpatched against CVE-2025-5777. He's dubbed the vulnerability Citrix Bleed 2, given the similarities in how the new vulnerability mirrored the original Citrix Bleed, tracked as CVE-2023–4966 (see: Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions "The vulnerability allows an attacker to read memory from the Netscaler when configured as a Gateway or AAA virtual server - think remote access via Citrix, RDP, etc.," Beaumont said in a June 24 blog post. "It's an extremely common setup in large organization." On June 25, Citrix released a patch for another flaw, CVE-2025-6543, with a CVSS score of 9.3, that it said also requires immediate patching. The flaw is a zero-day vulnerability that was already being exploited before Citrix issued its security alert and patch. "While both of the vulnerabilities involve the same modules, the exposures differ," Citrix said in a June 26 blog post. "CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and denial of service. CVE 2025-5777 arises from insufficient input validation that leads to memory over-read." On June 26, ReliaQuest reported "with medium confidence" that attackers had begun exploiting CVE-2025-5777 to gain initial access, by using the flaw to hijack a web session from a NetScaler device and authenticate without a user being aware, in what amounted to a multifactor authentication bypass. Security experts said the Citrix Bleed 2 nickname assigned to CVE-2025-5777 reflects how the vulnerability can be abused, rather than who might have first discovered it. "Like its forerunner, Citrix Bleed 2 enables attackers to extract authentication data from memory - this time using out-of-bounds memory reads to steal tokens," ReliaQuest said. "These tokens allow attackers to bypass MFA and hijack user sessions, granting unauthorized access to sensitive systems." Security experts said attacks may leave digital forensic traces. "Depending on logging configurations, log entries in ns.log with non-printable characters are a pretty good indicator that something is amiss," said pen testing firm Horizon3.ai in a post to social platform X. The Citrix Bleed 2 vulnerability boils down to: "If you call the login page, it leaks memory in the response," Beaumont said. "I don't want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there's a way to reestablish existing ICA sessions from the leaked memory." Attack surface management firm watchTowr on Monday published further details tied to the flaw, to help organizations identify if they're present, but said it was currently stopping short of publishing a full proof-of-concept exploit, so as to not help more attackers exploit the flaws. "CitrixBleed is infamous both because it was a serious vulnerability that allowed the disclosure of memory and subsequent remote access session hijacking and because, two years later, we are still reeling from the aftermath of the prolific exploitation this vulnerability received," watchTowr said (see: Comcast Ties Breach Affecting 36M Customers to Citrix Bleed Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.