CitrixBleed 2 Vulnerability Already Being Exploited in Attacks

Security researchers at ReliaQuest have assessed that CitrixBleed 2 (CVE-2025-5777), a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is already being exploited in the wild, and they report a sharp rise in suspicious activity aimed at Citrix appliances.
The bug was dubbed CitrixBleed 2 because of its resemblance to the 2023 CitrixBleed vulnerability (CVE-2023-4966): like its predecessor, it lets an unauthenticated attacker read authentication session tokens out of appliance memory. Citrix describes the root cause as insufficient input validation leading to an out-of-bounds memory read. It affects NetScaler appliances configured as a Gateway or as an AAA virtual server, that is, any of the following roles:
- VPN virtual servers
- ICA Proxy
- Clientless VPN (CVPN)
- RDP Proxy
- AAA virtual servers
Security researcher Kevin Beaumont, who coined the CitrixBleed name in 2023, was also the first to flag the new bug. He notes that CVE-2025-5777 carries a similar risk profile: it exposes session tokens, credentials and other sensitive data from internet-facing gateways and virtual servers. A stolen session token lets an attacker step straight into a session the legitimate user has already authenticated, so multi-factor authentication (MFA) is never challenged and the hijack leaves little trace in the authentication logs.
“CitrixBleed 2 is functionally very similar to the 2023 vulnerability,” Beaumont explained. “It allows attackers to steal session tokens and impersonate users—even those protected by MFA.”
Exploitation Already Underway
While public proof-of-concept code has yet to emerge, ReliaQuest reports evidence that attackers are already leveraging CVE-2025-5777 to gain initial access to targeted environments:
“ReliaQuest assesses with moderate confidence that threat actors are actively leveraging this vulnerability,” the firm stated, citing patterns consistent with prior CitrixBleed attacks.
Among their findings:
- Hijacked Citrix web sessions showed successful logins with no corresponding user interaction, consistent with MFA bypass through stolen session tokens.
- The same session was reused from both the user's legitimate IP and suspicious IPs, a strong indicator of hijacking.
- Post-compromise activity included LDAP queries against Active Directory to enumerate users, groups and permissions.
- Tools such as ADExplorer64.exe were launched on multiple systems, pointing to coordinated reconnaissance.
- Malicious Citrix sessions originated from data-center IPs belonging to VPN providers such as DataCamp, a sign that the attackers were masking their infrastructure.
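The session-reuse indicator above can be checked mechanically against gateway session logs. The following is an added example, not ReliaQuest's or Citrix's code: it assumes a simplified record layout (timestamp, session ID, user, source IP, event) that stands in for real NetScaler AAA/syslog fields, and it uses RFC 5737 documentation addresses in place of real hosting-provider ranges.

```python
# Added example: flag gateway sessions that are used from more than one
# source IP, the session-reuse pattern described in the findings above.
# The record layout and the address ranges below are constructed, not
# real NetScaler fields or a real threat-intel feed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: (timestamp, session_id, user, source_ip, event).
# Session s1 is used from a second address minutes after alice logged in.
SAMPLE_EVENTS = [
    ("2025-06-25T08:01:10Z", "s1", "alice", "203.0.113.10", "login"),
    ("2025-06-25T08:05:42Z", "s1", "alice", "203.0.113.10", "request"),
    ("2025-06-25T08:06:03Z", "s1", "alice", "198.51.100.77", "request"),
    ("2025-06-25T09:12:00Z", "s2", "bob", "203.0.113.20", "login"),
    ("2025-06-25T09:14:30Z", "s2", "bob", "203.0.113.20", "request"),
]

# Constructed stand-in for a list of data-center / VPN-provider ranges
# (documentation space; substitute a real feed in production).
HOSTING_RANGES = [ip_network("198.51.100.0/24")]


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls inside a known hosting/VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_reused_sessions(events):
    """Return {session_id: finding} for every session seen from more than
    one source IP. Each finding records the user, the IPs in order of first
    appearance, and which of those IPs are hosting/VPN addresses."""
    ips_by_session = defaultdict(list)
    user_by_session = {}
    for _ts, sid, user, ip, _event in sorted(events):  # sorted by timestamp
        user_by_session[sid] = user
        if ip not in ips_by_session[sid]:
            ips_by_session[sid].append(ip)
    findings = {}
    for sid, ips in ips_by_session.items():
        if len(ips) > 1:
            findings[sid] = {
                "user": user_by_session[sid],
                "ips": ips,
                "hosting_ips": [ip for ip in ips if is_hosting_ip(ip)],
            }
    return findings


if __name__ == "__main__":
    for sid, f in find_reused_sessions(SAMPLE_EVENTS).items():
        print(f"session {sid} ({f['user']}) used from {f['ips']}; "
              f"hosting/VPN sources: {f['hosting_ips']}")
```

A legitimate user roaming between networks also produces two IPs, so weigh the timing gap and whether the second address sits in hosting space before escalating; the `hosting_ips` field is what moves s1 from "roaming" to "investigate".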
Citrix Urges Immediate Action
Citrix has released patches and issued an urgent advisory for all affected customers. Applying the update closes the memory read, but it does not invalidate tokens that were leaked before the upgrade, so administrators are strongly urged to terminate all active sessions, ICA and PCoIP sessions in particular, once the appliance is patched.
This mirrors Citrix's guidance during the original CitrixBleed (CVE-2023-4966) incident, when attackers kept using sessions stolen before patching and terminating those sessions proved essential to containment.
Recommended Patched Versions
To mitigate the risk, organizations should immediately update to one of the following fixed versions:
- 14.1-43.56+
- 13.1-58.32+
- 13.1-FIPS/NDcPP 13.1-37.235+
Failing to patch and terminate sessions could leave organizations exposed to sophisticated, persistent threats already exploiting this vulnerability in active campaigns.
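A quick way to triage a fleet against the builds listed above is to parse each appliance's version string and compare it with the fixed build for its branch. This is an added example, not Citrix's tooling: the `NetScaler NS14.1: Build 43.56.nc` line format is assumed to match the output of the NetScaler `show version` command, and whether a 13.1 appliance runs the FIPS/NDcPP branch is passed in explicitly, because FIPS builds (37.x) and mainline 13.1 builds (58.x) are not comparable by number alone.

```python
# Added example: compare a NetScaler version string against the fixed
# builds listed on this page. The "NetScaler NS14.1: Build 43.56.nc" line
# format is assumed to match `show version` output; adjust VERSION_RE if
# your appliances print it differently.
import re

# Branch -> first fixed build, exactly as listed on this page.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),  # 13.1-FIPS and 13.1-NDcPP share this build
}

VERSION_RE = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<build>\d+\.\d+)"
)


def parse_version(text, fips=False):
    """Return (branch, (major_build, minor_build)) from a version line.

    fips=True marks a 13.1 appliance as running the FIPS/NDcPP branch,
    whose build numbers are on a different track from mainline 13.1.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = m.group("branch")
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    build = tuple(int(part) for part in m.group("build").split("."))
    return branch, build


def is_patched(text, fips=False):
    """True if the build is at or above the fixed build for its branch,
    False if it is below, None if the branch is not one of the listed
    fixed branches (for example an end-of-life release with no fix here)."""
    branch, build = parse_version(text, fips)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build >= fixed


if __name__ == "__main__":
    # Constructed inventory (hostname, version line, fips flag), not output
    # collected from real appliances.
    inventory = [
        ("gw-01", "NetScaler NS14.1: Build 43.56.nc", False),
        ("gw-02", "NetScaler NS13.1: Build 58.30.nc", False),
        ("gw-03", "NetScaler NS13.1: Build 37.235.nc", True),
        ("gw-04", "NetScaler NS12.1: Build 65.25.nc", False),
    ]
    labels = {True: "patched", False: "VULNERABLE", None: "no listed fix"}
    for host, line, fips in inventory:
        print(f"{host}: {labels[is_patched(line, fips)]} ({line})")
```

Passing this check only removes the read primitive; it does not invalidate tokens leaked before the upgrade. Citrix's advisory pairs the upgrade with `kill icaconnection -all` and `kill pcoipConnection -all` on the NetScaler CLI to drop existing sessions.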