A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks.
GreyNoise has confirmed its honeypots detected targeted exploitation from IP addresses located in China on June 23, 2025.
"GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4," explains GreyNoise.
"We created a tag on July 7 to track this activity. Because GreyNoise retroactively associates pre-tag traffic with new tags, prior exploitation attempts are now visible in the GreyNoise Visualizer."
[Figure: GreyNoise graph showing unique IPs targeting CitrixBleed 2. Source: BleepingComputer]
GreyNoise confirmed to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on July 9 that the flaw was actively exploited, causing the cyber agency to add it to its Known Exploited Vulnerabilities (KEV) catalog and giving federal agencies one day to patch the flaw.
Despite these early signs and repeated warnings from security researcher Kevin Beaumont, Citrix had still not acknowledged active exploitation in its security advisory for CVE-2025-5777. It only quietly updated its June 26 blog post on July 11, after the flaw had been added to the KEV catalog the day before.
Citrix finally released another blog post on July 15 on how to evaluate NetScaler logs for indicators of compromise.
However, even with this, the company has come under fire for a lack of transparency and for not sharing IOCs that researchers told BleepingComputer they had previously provided to the company.