Source: go.theregister.com – Author: Jessica Lyons
Citrix patched a critical vulnerability in its NetScaler ADC and NetScaler Gateway products that is already being compared to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum, although there haven’t been any reports of active exploitation. Yet.
Security analyst Kevin Beaumont dubbed the vulnerability “CitrixBleed 2.” As The Register’s readers likely remember, that earlier flaw (CVE-2023-4966) allowed attackers to access a device’s memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication — which is also possible with this new bug.
The more recent out-of-bounds read flaw, tracked as CVE-2025-5777, received a 9.3 severity rating and affects the following builds, according to Citrix’s security bulletin:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235
- NetScaler ADC 12.1-FIPS before 12.1-55.328
Also, according to the vendor, NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0, which are end-of-life and won’t receive any software updates, are vulnerable and should be upgraded to supported versions.
Plus, Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are affected by the vulnerabilities. Citrix recommends upgrading these instances to the recommended NetScaler builds to address the flaws.
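To turn the bulletin’s build list into something an operator can run against an inventory, here is an added Python example (it is not Citrix tooling and not from the article). It encodes the fixed builds and end-of-life branches listed above; the “MAJOR.MINOR-BUILD.SUB” build-string format, the variant labels, and the sample inventory are assumptions.

```python
import re

# Fixed builds from the Citrix bulletin for CVE-2025-5777, keyed by branch
# (and edition for FIPS/NDcPP). Anything at or above these is patched.
FIXED_BUILDS = {
    "14.1": (14, 1, 43, 56),
    "13.1": (13, 1, 58, 32),
    "13.1-FIPS": (13, 1, 37, 235),
    "13.1-NDcPP": (13, 1, 37, 235),
    "12.1-FIPS": (12, 1, 55, 328),
}
# End-of-life branches: no fix will ship, so every build is affected.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed build-string shape, e.g. "14.1-43.56" -> (14, 1, 43, 56).
BUILD_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_build(build: str) -> tuple:
    m = BUILD_RE.fullmatch(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def assess_build(build: str, variant: str = "") -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one appliance.

    variant is "" for standard ADC/Gateway, or "FIPS" / "NDcPP".
    Edition-specific branches are checked before the EOL list so that
    12.1-FIPS (which has a fix) is not misreported as end-of-life.
    """
    parsed = parse_build(build)
    branch = f"{parsed[0]}.{parsed[1]}"
    key = f"{branch}-{variant}" if variant else branch
    fixed = FIXED_BUILDS.get(key)
    if fixed is not None:
        return "fixed" if parsed >= fixed else "vulnerable"
    if branch in EOL_BRANCHES:
        return "eol"
    return "unknown"


def triage(inventory: list) -> dict:
    """Map each (host, build, variant) to its status; hosts marked
    'vulnerable' or 'eol' need an upgrade before the session-kill step."""
    return {host: assess_build(build, variant) for host, build, variant in inventory}


# Constructed sample inventory; hostnames and builds are made up.
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-43.56", ""),      # fixed
    ("ns-gw-02", "14.1-29.72", ""),      # vulnerable
    ("ns-fips-01", "12.1-55.300", "FIPS"),  # vulnerable
    ("ns-legacy", "13.0-92.21", ""),     # eol
]
```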
The vulnerability, which can be exploited remotely and without any authentication, is due to insufficient input validation. It could allow an attacker to read session tokens or other sensitive information in memory from NetScaler devices that are configured as a Gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
As Beaumont noted, this type of configuration to allow remote access is “an extremely common setup in large organizations.”
Affected customers should install the relevant updated versions as soon as possible, and Citrix “strongly recommends executing the following commands” after deploying the fixed versions across High Availability (HA) pairs and cluster nodes:
“Executing these commands will ensure killing all active ICA and PCoIP sessions,” the vendor explained, noting that “rebooting appliances instead of firing these commands isn’t recommended.”
Remember CitrixBleed?
CitrixBleed was widely exploited by at least two ransomware groups. One of the victims, Seattle’s Fred Hutchinson Cancer Center, late last month agreed to fork out around $52.5 million as part of a class action settlement after extortionists exploited the original CitrixBleed, stole the personal and health-related data of millions of people, and then directly threatened cancer patients with SWAT attacks.
Citrix did not immediately respond to The Register’s inquiries, including whether CVE-2025-5777 has been exploited in the wild. But according to Beaumont and others, the bug isn’t under attack just yet.
Spoiler alert: it likely will be soon.
Another interesting detail that Beaumont and others pointed out: some of the details in the National Vulnerability Database CVE description have quietly changed since its initial disclosure.
As watchTowr CEO Benjamin Harris told The Register, “Fairly important prerequisites or limitations being removed from the NVD CVE description — specifically, the comment that this vulnerability was in the lesser-exposed Management Interface has now been removed — [lead] us to believe that this vulnerability is significantly more painful than perhaps first signaled.”
This security hole is “shaping up to be every bit as serious as CitrixBleed,” he said, noting that while watchTowr hasn’t seen any exploitation to date, “this vulnerability checks all the boxes for inevitable attacker interest.”
“In-the-wild exploitation will happen at some point, and organizations should be dealing with this as an IT incident — exploitation is not a matter of if, but when,” Harris added. “Patch now. This vulnerability is likely to be in your KEV feeds soon.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/