
Over 1,200 Citrix servers unpatched against critical auth bypass flaw


Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions.

Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions.

A similar Citrix security flaw, dubbed "CitrixBleed," was exploited in ransomware attacks and breaches targeting governments in 2023 to hack NetScaler devices and move laterally across compromised networks.

Successfully exploiting CVE-2025-5777 could allow threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).

In a June 17 advisory, Citrix warned customers to terminate all active ICA and PCoIP sessions after upgrading all their NetScaler appliances to a patched version to block potential attacks.

On Monday, security analysts from the internet security nonprofit Shadowserver Foundation reported that, over the weekend, they had found 2,100 appliances still vulnerable to CVE-2025-5777 attacks.

Unpatched NetScaler appliances exposed online (Shadowserver)

While Citrix has yet to confirm that this security flaw is being exploited in the wild, saying that "currently, there is no evidence to suggest exploitation of CVE-2025-5777," cybersecurity firm ReliaQuest reported on Thursday with medium confidence that the vulnerability is already being abused in targeted attacks.

"While no public exploitation of CVE-2025-5777, dubbed 'Citrix Bleed 2,' has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," ReliaQuest warned.

ReliaQuest identified indicators suggesting post-exploitation activity following unauthorized Citrix access, including a hijacked Citrix web session indicating a successful MFA bypass attempt, session reuse across multiple IP addresses (including suspicious ones), and LDAP queries linked to Active Directory reconnaissance activities.
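The indicators ReliaQuest describes, a session reused from more than one source IP followed by LDAP queries, can be hunted for in gateway session logs. The following is an added example, not code from the article or from ReliaQuest; the log line format, the field names and the sample lines are constructed for illustration and would need to be adapted to whatever your NetScaler syslog or SIEM actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real NetScaler output):
# "<ISO timestamp> session=<id> src=<ip> user=<name> action=<what>"
SAMPLE_LOG = """\
2025-06-28T09:00:12Z session=abc123 src=203.0.113.10 user=alice action=auth_ok
2025-06-28T09:01:40Z session=abc123 src=203.0.113.10 user=alice action=ica_launch
2025-06-28T09:03:05Z session=abc123 src=198.51.100.77 user=alice action=ica_launch
2025-06-28T09:04:00Z session=abc123 src=198.51.100.77 user=alice action=ldap_query
2025-06-28T09:10:00Z session=def456 src=203.0.113.22 user=bob action=auth_ok
2025-06-28T09:12:00Z session=def456 src=203.0.113.22 user=bob action=ica_launch
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$")


def parse(log_text):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_session_reuse(log_text, window=timedelta(minutes=30)):
    """Flag session IDs seen from two different source IPs within `window`.
    Returns {session_id: sorted list of all IPs that used it}."""
    by_sid = defaultdict(list)
    for ev in parse(log_text):
        by_sid[ev["sid"]].append(ev)
    flagged = {}
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if cur["src"] != prev["src"] and cur["ts"] - prev["ts"] <= window:
                flagged[sid] = sorted({e["src"] for e in evs})
                break
    return flagged


def recon_after_reuse(log_text):
    """Of the reused sessions, which ones also issued LDAP queries, and from where."""
    reused = find_session_reuse(log_text)
    hits = defaultdict(list)
    for ev in parse(log_text):
        if ev["sid"] in reused and ev["action"] == "ldap_query":
            hits[ev["sid"]].append(ev["src"])
    return dict(hits)
```

A single session hopping between IPs is not proof of compromise on its own (roaming clients do it too), which is why the second function narrows the set to sessions that also show directory reconnaissance.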
