A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely exploited in attacks, according to cybersecurity firm ReliaQuest, seeing an increase in suspicious sessions on Citrix devices.
Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont due to its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to access portions of memory that should typically be inaccessible.
This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).
Citrix's advisor also confirms this risk, warning users to end all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions.
The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation. However, Beaumont warned about the high likelihood of exploitation earlier this week.
The researcher's worries now seem justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks.
"While no public exploitation of CVE-2025-5777, dubbed "Citrix Bleed 2," has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ReliaQuest.
This conclusion is based on the following observations from actual attacks seen recently:
Hijacked Citrix web sessions were observed where authentication was granted without user interaction, indicating attackers bypassed MFA using stolen session tokens.
Attackers reused the same Citrix session across both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
... continue reading