Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
Tracked as CVE-2025-5777 and referred to as CitrixBleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions remotely on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Successfully exploiting this security flaw could enable threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, allowing them to hijack user sessions and bypass multi-factor authentication (MFA).
Proof-of-concept (PoC) exploits targeting CVE-2025-5777 were released less than two weeks after the flaw was disclosed, while active exploitation in zero-day attacks was detected weeks before the release of these PoC exploits.
A similar Citrix security flaw, known as "CitrixBleed," was exploited two years ago to hack NetScaler devices and move laterally across compromised networks in ransomware attacks and breaches targeting government entities.
On Monday, security analysts from the internet security nonprofit Shadowserver Foundation reported that 3,312 Citrix NetScaler appliances were still vulnerable to ongoing CVE-2025-5777 attacks.
Shadowserver also spotted 4,142 such devices left unpatched against another critical vulnerability (CVE-2025-6543), which Citrix has tagged as actively exploited in denial-of-service (DoS) attacks.
Citrix NetScaler unpatched devices (Shadowserver)
While Citrix states that CVE-2025-6543 is a memory overflow vulnerability that can lead to unintended control flow and denial of service, the Netherlands' National Cyber Security Centre (NCSC) warned on Monday that attackers have exploited this flaw as a zero-day since at least early May to breach multiple critical organizations in the country.
"The NCSC has determined that multiple critical organizations in the Netherlands have been successfully attacked via a vulnerability identified as CVE-2025-6543 in Citrix NetScaler," the NCSC said..
... continue reading