A critical NetScaler ADC and NetScaler Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely being exploited in attacks, according to cybersecurity firm ReliaQuest, which is seeing a rise in suspicious sessions on Citrix devices.
Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont because of its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to access portions of memory that should normally be inaccessible.
This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA). A stolen session token is valid until the session is terminated, so patching alone does not evict an attacker who already holds one.
Citrix's advisory also confirms this risk, warning customers to terminate all active ICA and PCoIP sessions after installing the security updates so that any sessions hijacked before the patch cannot be reused.
The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation at the time. However, Beaumont warned about the high likelihood of exploitation earlier this week.
The researcher's concerns now appear justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks.
"While no public exploitation of CVE-2025-5777, dubbed 'Citrix Bleed 2,' has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ReliaQuest.
This conclusion is based on the following observations from actual attacks seen recently:
- Hijacked Citrix web sessions were observed where authentication was granted without user interaction, indicating attackers bypassed MFA using stolen session tokens.
- Attackers reused the same Citrix session across both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
- LDAP queries were initiated post-access, showing that attackers performed Active Directory reconnaissance to map users, groups, and permissions.
- Multiple instances of ADExplorer64.exe ran across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.
- Citrix sessions originated from data center IPs associated with consumer VPN providers such as DataCamp, suggesting attacker obfuscation via anonymized infrastructure.
The above is consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is being exploited in the wild.
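The first two indicators above (a session used from more than one source IP, and a session used from a source that never authenticated) can be hunted for in gateway telemetry. The following is an added example, not code from the article or from ReliaQuest: it runs that logic over a handful of constructed session log lines. The `sid=... src=... event=...` line format, the event names `login` and `ica_connect`, and the "anonymizing infrastructure" CIDR list are all assumptions for the demo; map them onto the fields your NetScaler syslog or SIEM actually provides.

```python
"""Hunt for hijacked NetScaler Gateway sessions: one session ID seen from
several source IPs, used from an IP that never logged in, or coming from
an anonymizing data-center range. Added example; formats are assumed."""

import ipaddress
import re
from collections import defaultdict

# Constructed sample records, not real telemetry. One line per event:
# timestamp, session id, user, client source IP, event type.
SAMPLE_LOG = """\
2025-06-25T08:02:11Z sid=7f3a9c user=jdoe src=203.0.113.25 event=login
2025-06-25T08:05:43Z sid=7f3a9c user=jdoe src=203.0.113.25 event=ica_connect
2025-06-25T09:17:02Z sid=7f3a9c user=jdoe src=198.51.100.77 event=ica_connect
2025-06-25T09:20:19Z sid=b81e02 user=asmith src=192.0.2.10 event=login
2025-06-25T09:21:00Z sid=b81e02 user=asmith src=192.0.2.10 event=ica_connect
2025-06-25T10:01:55Z sid=c4d5e6 user=mlee src=198.51.100.5 event=login
"""

# Hypothetical list of ranges you treat as consumer-VPN / data-center egress.
# Populate from your own threat intelligence; this one is made up for the demo.
SUSPICIOUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_log(text):
    """Parse the assumed key=value line format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["src"] = ipaddress.ip_address(rec["src"])
        events.append(rec)
    return events


def is_suspicious_ip(ip, nets=SUSPICIOUS_NETS):
    return any(ip in net for net in nets)


def analyze_sessions(events, nets=SUSPICIOUS_NETS):
    """Return {sid: finding} for every session that trips at least one indicator."""
    by_sid = defaultdict(list)
    for e in events:
        by_sid[e["sid"]].append(e)

    findings = {}
    for sid, evs in by_sid.items():
        sources = {e["src"] for e in evs}
        # IPs that performed an interactive login on this session.
        logged_in_from = {e["src"] for e in evs if e["event"] == "login"}
        # IPs that used the session without ever logging in from it: the token
        # was presented from somewhere else, i.e. "auth without user interaction".
        replayed_from = {e["src"] for e in evs if e["event"] != "login"} - logged_in_from
        suspicious = {ip for ip in sources if is_suspicious_ip(ip, nets)}

        reasons = []
        if len(sources) > 1:
            reasons.append("session used from multiple source IPs")
        if replayed_from:
            reasons.append("session used from a source that never authenticated")
        if suspicious:
            reasons.append("source in anonymizing/data-center range")
        if reasons:
            findings[sid] = {
                "user": evs[0]["user"],
                "sources": sorted(map(str, sources)),
                "replayed_from": sorted(map(str, replayed_from)),
                "suspicious": sorted(map(str, suspicious)),
                "reasons": reasons,
                # Reuse plus replay is the hijack signature; origin alone is weak.
                "hijack_likely": len(sources) > 1 and bool(replayed_from),
            }
    return findings


def report(text=SAMPLE_LOG):
    return analyze_sessions(parse_log(text))


if __name__ == "__main__":
    for sid, f in report().items():
        flag = "HIJACK?" if f["hijack_likely"] else "review"
        print(f"{flag:8} sid={sid} user={f['user']} sources={f['sources']} "
              f"reasons={'; '.join(f['reasons'])}")
```

On the constructed input, session `7f3a9c` is the hijack candidate: it was logged in from one address and then used for an ICA connection from a second address in the suspicious range that never authenticated. Session `c4d5e6` is reported only because its origin is in that range, which on its own is a weak signal and should be a review item, not an alert.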
To protect against this activity, potentially impacted customers should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.
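Checking a fleet against those fixed builds is easy to get wrong, because the FIPS/NDcPP line has its own build numbering: 13.1-37.235 is patched for a FIPS appliance but is far below the 13.1-58.32 fix line for a standard 13.1 appliance. The following is an added example, not code from the article or from Citrix, that does a branch-aware comparison. It assumes version strings of the form `major.minor-build.subbuild` (as in `14.1-43.56`), that the FIPS/NDcPP flag is known separately for each host, and a constructed inventory of hostnames; branches not listed in the article are reported as unknown rather than patched.

```python
"""Branch-aware check of NetScaler build strings against the fixed builds
named in the article. Added example; the inventory is constructed."""

import re

# Fixed builds from the article, keyed by (branch, is_fips_or_ndcpp).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / NDcPP use their own numbering
}

VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)$")


def parse_version(s):
    """Split '14.1-43.56' into ('14.1', (43, 56)); reject anything else."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {s!r}")
    return m.group("branch"), (int(m.group("build")), int(m.group("sub")))


def is_patched(version, fips=False):
    """True/False against the fixed build for this branch and flavour.

    Returns None when the branch/flavour is not in FIXED_BUILDS; treat that
    as unpatched until you have checked it against the vendor advisory."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    return build >= fixed   # tuple compare: build first, then sub-build


# Constructed inventory (hostname, version, fips_or_ndcpp); not real hosts.
INVENTORY = [
    ("gw-ams-01", "14.1-43.56", False),
    ("gw-ams-02", "14.1-29.72", False),
    ("gw-fra-01", "13.1-58.32", False),
    ("gw-fra-02", "13.1-37.235", True),    # FIPS build at its fix line
    ("gw-fra-03", "13.1-37.235", False),   # same number on standard 13.1: vulnerable
    ("gw-lab-01", "13.0-92.21", False),    # branch not covered by the article
]


def triage(inventory=INVENTORY):
    """Map hostname -> 'patched' | 'vulnerable' | 'unknown'."""
    result = {}
    for host, version, fips in inventory:
        state = is_patched(version, fips)
        if state is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if state else "vulnerable"
    return result


if __name__ == "__main__":
    for host, state in triage().items():
        print(f"{host}: {state}")
```

Anything reported as `unknown` here is a branch the article does not list a fix for; confirm its status against Citrix's advisory rather than assuming it is safe.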
After installing the updated firmware, admins should terminate all active ICA and PCoIP sessions, as they may have already been hijacked; a session token stolen before the upgrade remains usable until its session is killed.
Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection
command and NetScaler Gateway > PCoIP > Connections, noting in particular sessions whose client source IP changed mid-session or that originate from data center or VPN ranges.
After reviewing the active sessions, admins can then terminate them using these commands:
kill icaconnection -all
kill pcoipconnection -all
If immediate installation of the security updates is not possible, it is recommended that external access to NetScaler be restricted via network ACLs or firewall rules.
BleepingComputer contacted Citrix multiple times about the exploitation status of CVE-2025-5777 but has not received any replies.