CitrixBleed 2 Vulnerability Exploited, Recalling Earlier CitrixBleed Fallout – Source: www.infosecurity-magazine.com

Source: www.infosecurity-magazine.com – Author:

A new critical vulnerability in Citrix NetScaler ADC and Gateway devices, bearing similarities to the notorious CitrixBleed flaw of 2023, is reportedly being exploited in the wild.

Dubbed CitrixBleed 2, this out-of-bounds read could allow attackers to bypass authentication mechanisms, including multifactor authentication (MFA), and hijack user sessions.

The flaw, officially tracked as CVE-2025-5777, was disclosed by Citrix on June 17 alongside CVE-2025-5349, an access control issue. The former has a severity score (CVSS) of 9.3 and the latter 8.7.

Both affect Citrix NetScaler ADC and Gateway devices: CVE-2025-5777 impacts 14.1 builds before 47.46 and 13.1 builds before 59.19, while CVE-2025-5349 impacts 14.1 builds before 43.56 and 13.1 builds before 58.32.

On June 25, independent security researcher Kevin Beaumont said that CVE-2025-5777 was reminiscent of CitrixBleed, a Citrix vulnerability disclosed in 2023 (tracked as CVE-2023-4966) that has been extensively exploited by threat actors, including ransomware and state-sponsored groups. Beaumont accordingly named the new vulnerability ‘CitrixBleed 2’.

On June 26, ReliaQuest published a report in which it claimed “with medium confidence” that attackers are actively exploiting CVE-2025-5777 to gain initial access to targeted environments.

The indicators leading to this conclusion included:

  • Hijacked Citrix web session from the NetScaler device. Authentication was granted without user knowledge, indicating MFA bypass
  • Session reuse across multiple IPs, including combinations of expected and suspicious IPs
  • LDAP queries associated with Active Directory reconnaissance activities
  • Multiple instances of the “ADExplorer64.exe” tool across the environment, querying domain-level groups and permissions and connecting to multiple domain controllers
  • Citrix sessions originating from data-center-hosting IP addresses, such as those associated with DataCamp, suggesting the use of consumer VPN services
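The indicators above translate directly into hunt queries. The following is an added example, not ReliaQuest's or Citrix's tooling, that runs three of those checks over constructed records: the same session token seen from more than one source IP, sessions arriving from hosting-provider address space, and ADExplorer64.exe executing on multiple hosts. The record shapes, the hosting-range list and the host names are assumptions chosen for illustration; a real deployment would feed it NetScaler session logs and EDR process telemetry, and a threat-intel list of hosting ranges.

```python
"""Hunt checks for the CitrixBleed 2 indicators described by ReliaQuest.

Added example, not the project's or the vendor's code. The log record
shapes below are a constructed simplification, not NetScaler's real format.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: one record per authenticated Gateway request.
# A session token (here "session") that is reused from a second source IP
# is the core CitrixBleed 2 indicator (hijacked session, no fresh MFA).
SESSION_EVENTS = [
    {"session": "sess-A", "user": "alice", "src_ip": "203.0.113.10"},
    {"session": "sess-A", "user": "alice", "src_ip": "203.0.113.10"},
    {"session": "sess-B", "user": "bob",   "src_ip": "198.51.100.7"},
    {"session": "sess-B", "user": "bob",   "src_ip": "192.0.2.44"},  # same token, new IP
    {"session": "sess-C", "user": "carol", "src_ip": "192.0.2.45"},
]

# Constructed placeholder for data-center / hosting-provider ranges.
# In practice this list comes from a threat-intel or ASN feed.
HOSTING_RANGES = [ip_network("192.0.2.0/24")]

# Constructed sample of process-creation telemetry from endpoints.
PROCESS_EVENTS = [
    {"host": "WS01", "image": "C:\\Tools\\ADExplorer64.exe"},
    {"host": "WS02", "image": "C:\\Users\\bob\\Downloads\\ADExplorer64.exe"},
    {"host": "WS01", "image": "C:\\Windows\\System32\\notepad.exe"},
]


def sessions_with_multiple_ips(events):
    """Return {session: sorted IPs} for every session seen from >1 source IP."""
    ips = defaultdict(set)
    for e in events:
        ips[e["session"]].add(e["src_ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def sessions_from_hosting_ranges(events, ranges):
    """Return sorted session ids whose source IP falls in a hosting range."""
    hits = set()
    for e in events:
        addr = ip_address(e["src_ip"])
        if any(addr in net for net in ranges):
            hits.add(e["session"])
    return sorted(hits)


def hosts_running(events, image_name):
    """Return sorted hosts where a process image with this basename ran."""
    name = image_name.lower()
    return sorted(
        {e["host"] for e in events
         if e["image"].lower().rsplit("\\", 1)[-1] == name}
    )


def triage(session_events, process_events, ranges):
    """Combine the checks into a list of (indicator, detail) findings."""
    findings = []
    for session, ips in sessions_with_multiple_ips(session_events).items():
        findings.append(("session_reused_across_ips", f"{session}: {ips}"))
    for session in sessions_from_hosting_ranges(session_events, ranges):
        findings.append(("session_from_hosting_range", session))
    hosts = hosts_running(process_events, "ADExplorer64.exe")
    if len(hosts) >= 2:  # the indicator is the tool spreading across hosts
        findings.append(("ad_recon_tool_on_multiple_hosts", ",".join(hosts)))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SESSION_EVENTS, PROCESS_EVENTS, HOSTING_RANGES):
        print(f"{kind}: {detail}")
```

Session reuse across IPs is the highest-signal check: a legitimate user rarely presents the same token from two networks, whereas a stolen token used by an attacker does exactly that. The hosting-range check is weaker on its own (corporate VPN egress can also land in hosting space) and is best used to raise the priority of a session that already tripped the first check.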

According to ReliaQuest, while CitrixBleed 2 mirrors the original CitrixBleed in its ability to bypass authentication and facilitate session hijacking, this new flaw introduces new risks by targeting session tokens instead of session cookies.

“Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions,” the ReliaQuest researchers wrote.

Additionally, Citrix disclosed a third vulnerability affecting NetScaler ADC and Gateway devices on June 25.

This flaw, tracked as CVE-2025-6543, is a memory overflow vulnerability that leads to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. It has a severity score (CVSS) of 9.2, affects the same versions as CVE-2025-5777 and has reportedly been actively exploited.

Original Post URL: https://www.infosecurity-magazine.com/news/citrixbleed-2-vulnerability/
