Attack

Critical Citrix Netscaler "Citrix Bleed 2" flaw actively exploited

Take action: This is now important and URGENT. If your Citrix NetScaler ADC or Gateway is exposed on the internet, it is being actively attacked and exploited. After patching, you must terminate all active ICA and PCoIP sessions, since they may already have been compromised by attackers.



A critical vulnerability affecting Citrix NetScaler devices, dubbed "Citrix Bleed 2", is now being actively exploited by threat actors, according to cybersecurity firm ReliaQuest. 

Researchers are concerned that this could be a repeat of the 2023 exploitation campaign against the original "Citrix Bleed" vulnerability, which was exploited by major ransomware groups and resulted in high-profile attacks against Boeing and Comcast's Xfinity service, the latter affecting 36 million customers.

The exploited vulnerability is tracked as CVE-2025-5777 (CVSS score 9.3) - an out-of-bounds memory read flaw caused by insufficient input validation that allows unauthenticated attackers to access portions of memory that should typically be inaccessible. This enables attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, allowing them to hijack user sessions and bypass multi-factor authentication (MFA).

ReliaQuest has assessed with medium confidence that CVE-2025-5777 is being actively exploited in targeted attacks, despite Citrix's initial statement that no exploitation had been observed. After a successful exploit, attackers run LDAP queries to perform Active Directory reconnaissance and map users, groups, and permissions. 

Three vulnerabilities are currently reported to affect Citrix NetScaler:

  • CVE-2025-5777 - Insufficient input validation leading to memory overread - now reported as actively exploited
  • CVE-2025-6543 - Memory overflow vulnerability causing denial of service - already reported as actively exploited
  • CVE-2025-5349 - Improper access control on NetScaler Management Interface 

The affected systems include NetScaler ADC and Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as AAA virtual servers - configurations commonly used for remote access services. Over 56,000 Citrix NetScaler services are currently discoverable on Shodan.

Affected versions include NetScaler ADC and Gateway 14.1 prior to 14.1-43.56, NetScaler ADC and Gateway 13.1 prior to 13.1-58.32, and NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235. 
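As an added example (not part of the original article or any Citrix tooling), the following Python helper checks NetScaler version strings against the fixed builds listed above so an inventory can be triaged quickly. The accepted "show version" format and the hypothetical inventory passed to `triage()` are assumptions; only the version thresholds come from the text.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds per branch, taken from the affected-version list above.
# Key: (release branch, variant); variant is "" for standard builds.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDCPP"): (37, 235),
}

# Accepts the advisory form "14.1-43.56", the assumed "show version" form
# "NS14.1: Build 43.56.nc", and an optional FIPS/NDcPP suffix.
_VERSION_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)(?:\.nc)?"
    r"(?:[-_ ]+(FIPS|NDcPP))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int], str]:
    """Return (branch, (build, minor), variant) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, minor, variant = m.groups()
    return branch, (int(build), int(minor)), (variant or "").upper()


def is_vulnerable(text: str) -> Optional[bool]:
    """True if below the fixed build for its branch, False if fixed,
    None if the branch/variant is not covered by the advisory text."""
    branch, build, variant = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    # FIPS/NDcPP builds carry lower build numbers (37.x); they MUST be
    # tagged, or a fixed FIPS appliance is misreported against the 58.32 line.
    return build < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group appliance names by patch status for a hypothetical inventory."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("vulnerable" if status else "fixed")
        groups[key].append(host)
    return groups
```

Call `triage()` with a mapping of appliance name to version string; hosts reported as "unknown" run a branch the advisory text does not list and need a manual check against the vendor bulletin.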

Organizations must upgrade to the patched versions and terminate all active ICA and PCoIP sessions after upgrading, as those sessions may already have been compromised.

Update: as of 4th of July 2025, Watchtowr Labs have published a PoC exploit for the CitrixBleed flaw.

As of 10th of July 2025, CISA confirmed that CVE-2025-5777, dubbed CitrixBleed 2, is under active exploitation. Security analysts from the Shadowserver Foundation report that 3,312 Citrix NetScaler appliances are still vulnerable to CVE-2025-5777 attacks. Shadowserver also reports that 4,142 devices are not patched against CVE-2025-6543. CVE-2025-6543 was apparently exploited as a zero-day for nearly two months before being patched.
