
CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch


The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.

A patching deadline this short is unprecedented since CISA launched the Known Exploited Vulnerabilities (KEV) catalog, and it reflects the severity of the attacks exploiting the flaw.

The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog yesterday, ordering federal agencies to implement mitigations by the end of today, June 11.

CVE-2025-5777 is a critical memory safety vulnerability (an out-of-bounds memory read) that lets an unauthenticated attacker read restricted parts of the device's memory.

The issue impacts NetScaler devices that are configured as a Gateway or an AAA virtual server, in versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 2.1-55.328-FIPS.
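As an added example (not from the article, CISA or Citrix), the Python helper below encodes the fixed builds named above and classifies a NetScaler version string written in the article's notation, so a defender can triage an inventory export. It assumes that the 13.1 FIPS/NDcPP line is numbered separately from the regular 13.1 line (so 13.1-37.235 counts as fixed only with a FIPS/NDcPP suffix), and it reports any release line not named above as unknown rather than guessing.

```python
import re
from dataclasses import dataclass

# Fixed builds named in the article, keyed by (release line, FIPS/NDcPP flag).
# Assumption: the 13.1 FIPS/NDcPP line has its own build numbering, so a plain
# 13.1-37.x build is NOT fixed even though 13.1-37.235-FIPS/NDcPP is.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

# Matches the article's notation, e.g. "14.1-43.56" or "13.1-37.235-FIPS/NDcPP".
VERSION_RE = re.compile(
    r"^(?P<line>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)(?P<suffix>-[A-Za-z/]+)?$"
)


@dataclass
class NetScalerVersion:
    line: str          # release line, e.g. "13.1"
    build: tuple       # (build, sub-build) as integers for ordering
    fips: bool         # True for FIPS or NDcPP builds


def parse_version(text):
    """Parse a version string in the article's notation; raise on unknown input."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    suffix = (m.group("suffix") or "").upper()
    return NetScalerVersion(
        line=m.group("line"),
        build=(int(m.group("build")), int(m.group("sub"))),
        fips="FIPS" in suffix or "NDCPP" in suffix,
    )


def assess(version_text, gateway_or_aaa_configured):
    """Classify a device: 'fixed', 'vulnerable', 'unpatched-not-exposed' or 'unknown-branch'.

    Exposure follows the article: only devices configured as a Gateway or an AAA
    virtual server are affected, but an unpatched build is still flagged so it
    gets scheduled for the update.
    """
    v = parse_version(version_text)
    fixed = FIXED_BUILDS.get((v.line, v.fips))
    if fixed is None:
        return "unknown-branch"      # consult the vendor advisory for other lines
    if v.build >= fixed:             # tuple comparison orders (build, sub-build)
        return "fixed"
    return "vulnerable" if gateway_or_aaa_configured else "unpatched-not-exposed"
```

Run over the output of an asset inventory, anything reported as "vulnerable" should be treated as exposed to the exploitation CISA describes and patched first.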

Citrix addressed the vulnerability through updates released on June 17.

A week later, security researcher Kevin Beaumont warned in a blog post about the flaw's potential for exploitation, its severity and repercussions if left unpatched.

Beaumont called the flaw 'CitrixBleed 2' due to similarities with the infamous CitrixBleed vulnerability (CVE-2023-4966), which was extensively exploited in the wild by all types of cybercriminal actors.

The first warning of CitrixBleed 2 being exploited came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept exploits (PoCs) for CVE-2025-5777, demonstrating how the flaw can be leveraged in attacks that steal user session tokens.

At the time, definitive signs of in-the-wild exploitation remained elusive, but given the public PoCs and the ease of exploitation, it was only a matter of time before attackers leveraged the flaw at a larger scale.
