SOCRadar® Cyber Intelligence Inc. | CVE-2025-5777 (CitrixBleed 2) Exposes NetScaler Gateway Devices to Remote Exploitation
Blog, published Jun 25, 2025, last updated Jul 08, 2025

CVE-2025-5777 (CitrixBleed 2) Exposes NetScaler Gateway Devices to Remote Exploitation

[Update] July 8, 2025: “PoC and Technical Details Released for CVE-2025-5777” 

[Update] July 3, 2025: “Update on Post-Patch Issues with Citrix NetScaler Appliances”

[Update] June 30, 2025: “Emerging Evidence of Exploitation for Citrix Bleed 2” 

[Update] June 26, 2025: “CVE-2025-6543: Critical Citrix DoS Vulnerability Actively Exploited”

A new critical vulnerability in Citrix’s NetScaler ADC and NetScaler Gateway platforms is prompting serious concern. Tracked as CVE-2025-5777, this flaw is being referred to as “CitrixBleed 2,” a direct nod to the widely exploited CVE-2023-4966, which led to severe breaches last year.

While no active exploitation had been reported when this post was first published, security experts were already sounding the alarm because of the vulnerability's dangerous traits and the high likelihood of abuse.

What is CVE-2025-5777?

CVE-2025-5777 is a critical out-of-bounds read vulnerability in Citrix’s NetScaler ADC and Gateway products.

Scoring a 9.3 on the CVSS v4.0 scale, the bug stems from insufficient input validation and allows unauthenticated attackers to remotely read sensitive memory content from vulnerable devices. This includes session tokens, which can potentially be reused to hijack sessions and bypass Multi-Factor Authentication (MFA). This tactic was previously exploited in the original CitrixBleed incident.

CVE-2025-5777 – Citrix Bleed 2 vulnerability (SOCRadar Vulnerability Intelligence)


The flaw affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, the configurations commonly used for remote access.

Which Citrix Products/Versions Are Affected by CVE-2025-5777?

In the advisory, Citrix warns that affected devices include:

  • NetScaler ADC and Gateway 14.1 prior to 14.1-43.56
  • NetScaler ADC and Gateway 13.1 prior to 13.1-58.32
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.235
  • NetScaler ADC 12.1-FIPS prior to 12.1-55.328

Versions 12.1 and 13.0 are End-of-Life (EOL) and will not receive fixes, requiring an upgrade to a supported release.

Why Is This Vulnerability So Alarming?

CVE-2025-5777 is especially concerning given its resemblance to CVE-2023-4966, which was exploited by ransomware groups to inflict widespread damage. Security researcher Kevin Beaumont was quick to dub the new issue “CitrixBleed 2” after observing its potential to allow session hijacking and MFA bypass via token theft, all without any need for authentication.

Adding to the concern, Citrix initially described the issue as limited to the management interface. That description has since been revised, removing restrictions and indicating a broader impact.

Change history of CVE-2025-5777 on National Vulnerability Database (NVD)


How Can Attackers Exploit It?

The attack vector for CVE-2025-5777 is straightforward: an attacker sends specially crafted requests to a vulnerable NetScaler Gateway or AAA virtual server. If successful, the server returns fragments of memory, which could contain valid session tokens. These tokens can then be replayed to impersonate legitimate users.

Beaumont highlighted how prevalent this setup is in enterprise environments. Using tools like Shodan, thousands of internet-exposed NetScaler systems can be discovered, making them attractive targets for adversaries looking to exploit weak spots in remote access infrastructure.

Over 56,000 Citrix NetScaler services are currently discoverable on Shodan, highlighting the scale of potential exposure.


Emerging Evidence of Exploitation for Citrix Bleed 2

Recent analysis by ReliaQuest suggests that the critical Citrix vulnerability known as Citrix Bleed 2 (CVE-2025-5777) is likely being exploited in real-world attacks.

While Citrix’s official article as of June 26, 2025, states that no confirmed exploitations have been detected, ReliaQuest’s blog published on the same day suggests otherwise, assigning medium confidence to their findings of active exploitation.

The researchers uncovered several indicators of unauthorized access through Citrix devices:

  • Attackers hijacked Citrix web sessions, bypassing MFA by using stolen session tokens, and reused these sessions across both expected and suspicious IP addresses, suggesting session hijacking from unknown sources.
  • The attackers conducted extensive Active Directory reconnaissance, as evidenced by LDAP queries and multiple instances of the ADExplorer64.exe tool querying domain groups and permissions across various domain controllers.
  • Furthermore, the presence of Citrix sessions originating from data center IPs linked to consumer VPN services like DataCamp indicates deliberate efforts to conceal attacker identity and location.

Together, these behaviors strongly indicate that threat actors are exploiting CVE-2025-5777 to gain initial access and conduct post-compromise operations in targeted networks.
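The first indicator above, one session token appearing from more than one source address, is something a SOC can hunt for directly. The following script is an added example and is not ReliaQuest's or SOCRadar's code: it parses a constructed, simplified session log (the field layout is an assumption, not a real NetScaler log format), groups events by session token, and flags tokens reused across distinct source IPs or seen from address ranges the analyst has tagged as anonymising infrastructure (the range list is a placeholder).

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records modelled on what an AAA/Gateway session log would
# carry: timestamp, username, session token (shortened), source IP. The layout
# is an assumption for this example, not a real NetScaler syslog format.
SAMPLE_LOG = """\
2025-06-26T08:01:12Z alice  tok_4f1a9c 203.0.113.10
2025-06-26T08:03:40Z alice  tok_4f1a9c 203.0.113.10
2025-06-26T08:05:02Z alice  tok_4f1a9c 198.51.100.77
2025-06-26T08:06:30Z bob    tok_9b2e11 203.0.113.22
2025-06-26T08:07:15Z carol  tok_c77d30 192.0.2.5
2025-06-26T08:09:58Z carol  tok_c77d30 192.0.2.5
"""

# Placeholder ranges the analyst treats as hosting/VPN exit infrastructure.
# A real deployment would load these from a threat-intel feed.
SUSPICIOUS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    token: str
    user: str
    source_ips: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_log(text):
    """Turn the whitespace-separated sample log into (ts, user, token, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, token, ip = line.split()
        records.append((ts, user, token, ip))
    return records


def in_suspicious_range(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def detect_session_reuse(records, ranges=None):
    """Flag session tokens reused across source IPs or seen from tagged ranges."""
    ranges = SUSPICIOUS_RANGES if ranges is None else ranges
    by_token = defaultdict(list)
    for ts, user, token, ip in records:
        by_token[token].append((ts, user, ip))

    findings = []
    for token, events in by_token.items():
        ips = []
        for _, _, ip in events:          # distinct IPs, first-seen order
            if ip not in ips:
                ips.append(ip)
        reasons = []
        if len(ips) > 1:
            reasons.append("token reused from %d distinct source IPs" % len(ips))
        flagged = [ip for ip in ips if in_suspicious_range(ip, ranges)]
        if flagged:
            reasons.append("source in tagged range: " + ", ".join(flagged))
        if reasons:
            findings.append(Finding(token, events[0][1], ips, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_session_reuse(parse_log(SAMPLE_LOG)):
        print(f.user, f.token, f.source_ips, "; ".join(f.reasons))
```

A session legitimately roaming between office and mobile networks will also trigger the first rule, so in practice the second signal (a known hosting or VPN range) and the LDAP/ADExplorer activity noted above are what raise a hit from "review" to "incident".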

Organizations should treat this as an urgent security issue rather than wait for confirmed attacks. Patch deployment and session invalidation should be prioritized immediately to reduce the risk of data breaches, operational disruption, and the legal fallout seen after past incidents involving similar flaws.

SOCRadar’s ASM module, Company Vulnerability tracking page


Knowing what assets you expose online is key to reducing your risk. SOCRadar’s Attack Surface Management (ASM) continuously scans your external environment to discover internet-facing systems and services that could be vulnerable.

With real-time alerts and detailed visibility, you can quickly identify and secure weak points before attackers find them.

PoC and Technical Details Released for CVE-2025-5777

Recent research has produced Proof-of-Concept (PoC) exploits demonstrating the practical impact of the CVE-2025-5777 vulnerability in Citrix NetScaler appliances.

Security researchers analyzed the flaw and showed that a malformed login request, specifically one that sends the login parameter with no equals sign or value, causes the device to leak portions of its memory.

The leak comes from the way NetScaler uses the snprintf function with a %.*s format specifier. That specifier copies from the source string up to the given length or until a null byte is reached, and because the malformed request never populates the login field, the call copies whatever stale data occupies that memory. Each crafted request reveals around 127 bytes, so an attacker can send requests repeatedly and harvest sensitive data such as session tokens.

While initial attempts by watchTowr did not achieve full exploitation, Horizon3 successfully demonstrated extracting user session tokens through this method. Moreover, the vulnerability affects not only NetScaler endpoints but also extends to administrative configuration utilities, expanding the attack surface.
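To make the %.*s behaviour and the harvesting loop concrete, here is an added example that is neither NetScaler's code nor the watchTowr/Horizon3 PoC: a small Python model of a login handler whose login field lives in a reused heap block. `format_dot_star_s` models the C `%.*s` semantics (copy up to the precision or the first NUL, no initialisation check); the vulnerable handler never writes the field for a bare `login`, while the hardened variant zero-fills it first. The heap image, the field offset and the `NSC_AAAC` cookie name used to spot tokens are constructed assumptions for illustration. It also illustrates the attack sequence from "How Can Attackers Exploit It?": repeated malformed requests accumulate whatever token-like strings the leaked bytes contain.

```python
import re

LEAK_PRECISION = 127  # the page reports roughly 127 bytes leaked per request


def format_dot_star_s(memory: bytes, start: int, precision: int) -> bytes:
    """Model of C's "%.*s": copy at most `precision` bytes beginning at `start`,
    stopping early only at the first NUL. Nothing checks whether the bytes were
    ever initialised, which is the whole problem."""
    nul = memory.find(b"\x00", start, start + precision)
    end = start + precision if nul == -1 else nul
    return memory[start:end]


class ModelLoginHandler:
    """Toy model of a login handler (not NetScaler code). The login field's
    string buffer is assumed to sit at `field_off` in a heap block that was
    previously used for other data."""

    def __init__(self, heap: bytearray, field_off: int, zero_init: bool):
        self.heap = heap
        self.field_off = field_off
        self.zero_init = zero_init  # True models the hardened handler

    def handle(self, body: str) -> bytes:
        params = {}
        for pair in body.split("&"):
            key, sep, value = pair.partition("=")
            params[key] = value if sep else None  # bare "login" -> None
        off = self.field_off
        if self.zero_init:
            # Hardened form: clear the field before any use.
            self.heap[off:off + LEAK_PRECISION + 1] = b"\x00" * (LEAK_PRECISION + 1)
        value = params.get("login")
        if value is not None:
            data = value.encode()[:LEAK_PRECISION] + b"\x00"
            self.heap[off:off + len(data)] = data
        # Vulnerable form: a bare "login" never writes the field, so the
        # "%.*s" below echoes whatever the reused block still holds.
        return format_dot_star_s(bytes(self.heap), off, LEAK_PRECISION)


# Cookie name and 32-hex-char shape are assumptions used only to spot tokens.
TOKEN_RE = re.compile(rb"NSC_AAAC=([0-9a-f]{32})")


def harvest_tokens(handler: ModelLoginHandler, requests: int = 5) -> set:
    """Send repeated malformed requests and collect token-like strings."""
    found = set()
    for _ in range(requests):
        found.update(TOKEN_RE.findall(handler.handle("login")))
    return found


def make_stale_heap(stale: bytes, field_off: int = 64, size: int = 1024) -> bytearray:
    """Constructed heap image: `stale` is left over from an earlier use of the block."""
    heap = bytearray(size)
    heap[field_off:field_off + len(stale)] = stale
    return heap


if __name__ == "__main__":
    stale = b"Set-Cookie: NSC_AAAC=8f3b9c0d1e2a4b5c6d7e8f9a0b1c2d3e; Path=/; Secure\x00"
    vuln = ModelLoginHandler(make_stale_heap(stale), 64, zero_init=False)
    print("leaked:", vuln.handle("login"))
    print("tokens:", harvest_tokens(vuln))
    safe = ModelLoginHandler(make_stale_heap(stale), 64, zero_init=True)
    print("hardened:", safe.handle("login"))
```

The model shows why the leak size varies: a NUL early in the stale data cuts the copy short, while a run of non-NUL bytes yields the full 127-byte window, so an attacker simply keeps requesting until a complete token-shaped string appears.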

What Should Organizations Do Now?

Although Citrix's original advisory reported no active exploitation, the parallels to past incidents and the indicators described above have experts urging immediate action. Organizations running affected NetScaler versions should:

  1. Upgrade Immediately: Patch systems to the following fixed builds or later:
  • NetScaler ADC and Gateway 14.1-43.56
  • NetScaler ADC and Gateway 13.1-58.32
  • NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235
  • NetScaler ADC 12.1-FIPS 12.1-55.328
  2. Terminate Active Sessions: After applying patches, Citrix recommends executing the following commands across all appliances in high-availability pairs or clusters:
  • kill icaconnection -all
  • kill pcoipConnection -all

These commands ensure any session tokens potentially exposed before the patch are invalidated. A reboot alone is not advised.

  3. Audit Exposure: Use tools like Shodan to identify exposed systems using queries such as:
  • org:YourOrg http.favicon.hash:-1292923998,-1166125415
  • ssl:YourOrg html:Citrix
  4. Plan Upgrades for EOL Versions: Devices running EOL versions (12.1 and 13.0) will not receive patches. These systems must be upgraded to supported builds to eliminate exposure.

CVE-2025-6543: Critical Citrix DoS Vulnerability Actively Exploited

In addition to memory exposure concerns, Citrix has addressed another critical vulnerability identified as CVE-2025-6543 (CVSSv4 9.2), which is actively being exploited in the wild.

CVE-2025-6543 affects NetScaler ADC and Gateway appliances and can be triggered remotely without authentication, causing the affected devices to experience Denial of Service (DoS) by going offline.

The vulnerability specifically impacts NetScaler devices configured as Gateway or AAA virtual servers – common setups used for VPN, RDP proxy, and other remote access services. Citrix has released patches for affected versions including 14.1-47.46, 13.1-59.19, and updates for FIPS and NDcPP builds.

Given the active exploitation and potential impact on network availability, organizations using NetScaler appliances in these configurations should prioritize applying the latest updates immediately.
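Checking a fleet against two sets of fixed builds by eye is error-prone, so here is an added example (not Citrix tooling) that encodes the fixed builds quoted on this page for both CVE-2025-5777 (the "Which Citrix Products/Versions Are Affected" list) and CVE-2025-6543 (the 14.1 and 13.1 builds above) and reports which CVEs a given appliance still carries. It accepts either the advisory notation (`14.1-43.50`) or the first line of `show ns version` output. The FIPS/NDcPP fixed builds for CVE-2025-6543 are not listed on this page, so those combinations are reported as "unknown" rather than guessed; the `variant` argument is an assumption of this example, since the version string alone does not say whether a 13.1 build is the standard or the FIPS/NDcPP branch.

```python
import re

# Minimum fixed builds as quoted on this page, keyed by (release, variant).
# Dict order matters: CVE-2025-5777 is checked before CVE-2025-6543.
FIXED_BUILDS = {
    "CVE-2025-5777": {
        ("14.1", "standard"): (43, 56),
        ("13.1", "standard"): (58, 32),
        ("13.1", "fips"): (37, 235),
        ("13.1", "ndcpp"): (37, 235),
        ("12.1", "fips"): (55, 328),
    },
    "CVE-2025-6543": {
        ("14.1", "standard"): (47, 46),
        ("13.1", "standard"): (59, 19),
        # FIPS/NDcPP fixed builds are not given on this page; see the advisory.
    },
}

# Branches the page says are End-of-Life and will not receive fixes.
EOL_RELEASES = {("12.1", "standard"), ("13.0", "standard")}

# "NetScaler NS14.1: Build 43.50.nc, Date: ..." as printed by `show ns version`
_SHOW_VERSION = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
# Advisory notation: "14.1-43.50"
_ADVISORY = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Return (release, (build_major, build_minor)) from either notation."""
    m = _SHOW_VERSION.search(text) or _ADVISORY.match(text.strip())
    if not m:
        raise ValueError("unrecognised NetScaler version: %r" % text)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text, variant="standard"):
    """List CVEs still open on this build; `variant` is standard, fips or ndcpp."""
    release, build = parse_version(text)
    result = {"release": release, "build": build, "variant": variant,
              "eol": (release, variant) in EOL_RELEASES,
              "unpatched": [], "unknown": []}
    if result["eol"]:
        # No fix will ship for this branch, so every listed CVE stays open.
        result["unpatched"] = list(FIXED_BUILDS)
        return result
    for cve, table in FIXED_BUILDS.items():
        fixed = table.get((release, variant))
        if fixed is None:
            result["unknown"].append(cve)
        elif build < fixed:          # tuple comparison: (43, 50) < (43, 56)
            result["unpatched"].append(cve)
    return result


if __name__ == "__main__":
    # Constructed inventory lines; the hostnames are placeholders.
    inventory = [
        ("gw-01", "NetScaler NS14.1: Build 43.50.nc, Date: Jun 10 2025", "standard"),
        ("gw-02", "14.1-47.46", "standard"),
        ("gw-fips", "13.1-37.235", "fips"),
        ("gw-old", "13.0-92.1", "standard"),
    ]
    for host, ver, variant in inventory:
        r = assess(ver, variant)
        print(host, r["release"], r["build"], "EOL" if r["eol"] else "",
              "unpatched:", r["unpatched"], "unknown:", r["unknown"])
```

Treat "unknown" as a prompt to consult the Citrix advisory, not as "patched": the table is deliberately limited to the builds this page names.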

For more details, see Citrix's official advisory for CVE-2025-6543.

Update on Post-Patch Issues with Citrix NetScaler Appliances

Citrix has issued a cautionary update for administrators applying patches for CVE-2025-5777 and CVE-2025-6543.

Starting with NetScaler builds 14.1-47.46 and 13.1-59.19, a Content Security Policy (CSP) header designed to enhance browser security is enabled by default. While this policy helps prevent Cross-Site Scripting (XSS) and code injection attacks, it may unintentionally block legitimate scripts that certain authentication workflows depend on.

Users relying on Duo with RADIUS, custom SAML configurations, or other Identity Provider (IdP) integrations could see broken login pages following the upgrade. To mitigate this, Citrix recommends temporarily disabling the CSP header on affected appliances and clearing browser caches, then verifying that the authentication portals work as expected.

If problems persist after these steps, Citrix advises contacting their support team with detailed configuration information to facilitate a resolution.

For more information, see the Citrix advisory.

Track the latest CVEs and exploit updates with SOCRadar Vulnerability Intelligence


Managing vulnerabilities efficiently requires timely and actionable information. SOCRadar Vulnerability Intelligence, offered under the Cyber Threat Intelligence module, provides up-to-date alerts on new flaws and tracks active exploit trends worldwide. Integrated with threat intelligence, it helps you prioritize patching efforts and respond faster to the most critical risks.