Exploitation of CitrixBleed 2 Vulnerability
A critical vulnerability has been identified in Citrix NetScaler ADC and Gateway devices, echoing the notorious CitrixBleed flaw from 2023. The newly disclosed issue, referred to as CitrixBleed 2, is an out-of-bounds memory read: an unauthenticated attacker can retrieve memory contents that may include valid session tokens, which lets them bypass authentication, including multifactor authentication (MFA), and take over existing user sessions without ever entering credentials.
Tracked under CVE-2025-5777, the flaw was disclosed by Citrix on June 17, alongside a second vulnerability, CVE-2025-5349, an improper access control issue in the NetScaler management interface. Citrix rates CVE-2025-5777 at 9.3 on the Common Vulnerability Scoring System (CVSS v4.0), and CVE-2025-5349 at 8.7.
Both vulnerabilities impact Citrix NetScaler ADC and Gateway devices. CVE-2025-5777 affects 14.1 builds before 14.1-47.46 and 13.1 builds before 13.1-59.19; CVE-2025-5349 affects 14.1 builds before 14.1-43.56 and 13.1 builds before 13.1-58.32. Citrix notes that CVE-2025-5777 is only reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Because the bug leaks tokens for sessions that are already established, patching alone does not evict an attacker who has already stolen one; Citrix therefore advises terminating existing ICA and PCoIP sessions after upgrading (with `kill icaconnection -all` and `kill pcoipConnection -all`).
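A quick way to turn the fixed-build figures above into a fleet check is to parse the appliance's own version banner and compare it against the first fixed build per release branch. The script below is an added example written for this article, not Citrix's tooling; it assumes the banner format produced by `show ns version` ("NetScaler NS14.1: Build 47.46.nc, ..."), and the sample banners in it are constructed. Release lines the article gives no fixed build for (the EOL 12.1 and 13.0 branches, and the separately numbered 13.1-FIPS/NDcPP line) are reported as unknown rather than assumed safe and must be checked against the vendor advisory.

```python
import re

# First fixed build per release branch, as given in the article (figures from Citrix's advisory).
# Branch (major, minor) -> (build, sub-build) that carries the fix.
FIXED_BUILDS = {
    "CVE-2025-5777": {(14, 1): (47, 46), (13, 1): (59, 19)},
    "CVE-2025-6543": {(14, 1): (47, 46), (13, 1): (59, 19)},
    "CVE-2025-5349": {(14, 1): (43, 56), (13, 1): (58, 32)},
}

# Matches the version string in the appliance banner, e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
# (banner format assumed here; adjust the pattern if your output differs).
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return ((major, minor), (build, sub)) from a NetScaler version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor), (build, sub)


def assess(banner: str) -> dict:
    """Map each CVE to 'vulnerable', 'fixed' or 'unknown branch' for the given banner.

    Caveat: 13.1-FIPS/NDcPP builds are numbered 13.1-37.x and have their own fix line,
    so this table reports them as vulnerable; verify those against the advisory.
    """
    branch, build = parse_version(banner)
    verdict = {}
    for cve, fixes in FIXED_BUILDS.items():
        if branch not in fixes:
            verdict[cve] = "unknown branch"
        elif build < fixes[branch]:  # tuple comparison, e.g. (47, 45) < (47, 46)
            verdict[cve] = "vulnerable"
        else:
            verdict[cve] = "fixed"
    return verdict


def unpatched_cves(banner: str) -> list:
    """CVEs for which the running build is below the first fixed build (sorted)."""
    return sorted(cve for cve, v in assess(banner).items() if v == "vulnerable")


if __name__ == "__main__":
    # Constructed banners for illustration; feed in real `show ns version` output instead.
    for b in ["NetScaler NS14.1: Build 47.45.nc, Date: Jun 1 2025",
              "NetScaler NS13.1: Build 58.50.nc, Date: May 1 2025",
              "NetScaler NS14.1: Build 47.46.nc, Date: Jun 17 2025",
              "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2025"]:
        print(b.split(",")[0], "->", unpatched_cves(b) or assess(b))
```

Note that a 13.1 box on build 58.50 is already fixed for CVE-2025-5349 but still exposed to CVE-2025-5777 and CVE-2025-6543, which is why the check is done per CVE rather than against a single "latest" build.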
Independent security researcher Kevin Beaumont highlighted the similarities between CVE-2025-5777 and the earlier CitrixBleed vulnerability (CVE-2023-4966), which was widely exploited by ransomware operators and state-sponsored groups. Beaumont coined the name "CitrixBleed 2" for the new flaw to underline how serious it is.
On June 26, cybersecurity firm ReliaQuest published a report assessing with medium confidence that CVE-2025-5777 was already being exploited in the wild to gain unauthorized access to targeted environments. The report listed several indicators of exploitation observed in affected environments:
- Hijacked Citrix web sessions on the NetScaler device, indicating that MFA was bypassed without the user's knowledge.
- The same session reused from multiple IP addresses, mixing expected and suspicious origins.
- LDAP queries consistent with Active Directory reconnaissance.
- Multiple executions of ADExplorer64.exe, used to query domain-level groups and permissions while connecting to several domain controllers.
- Citrix sessions apparently originating from IP addresses belonging to data-centre hosting providers, consistent with the use of consumer VPN services.
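The first, second and last indicators share one detectable shape: a session identifier that is used from a source address that never authenticated that session. The script below, an added example that is not part of ReliaQuest's report, runs that logic over a constructed, simplified session-event log (not real NetScaler syslog; the line regex is the part to adapt to a real log source) and tags any foreign address that falls inside a constructed stand-in for a hosting-provider or VPN-exit address feed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log, one event per line: "<timestamp> <event> <user> <session_id> <source_ip>".
# Session 7f3a21 is used from an address that never logged in (the hijack pattern);
# session 9c0d44 is a benign single-origin session.
SAMPLE_LOG = """\
2025-06-24T08:01:12Z LOGIN alice 7f3a21 203.0.113.10
2025-06-24T08:05:40Z ACCESS alice 7f3a21 203.0.113.10
2025-06-24T08:07:03Z ACCESS alice 7f3a21 198.51.100.77
2025-06-24T08:07:09Z ACCESS alice 7f3a21 198.51.100.77
2025-06-24T09:12:00Z LOGIN bob 9c0d44 192.0.2.25
2025-06-24T09:30:11Z ACCESS bob 9c0d44 192.0.2.25
"""

# Constructed stand-in for a data-centre / VPN-exit address feed.
HOSTING_RANGES = [ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(\S+) (LOGIN|ACCESS) (\S+) ([0-9a-f]+) (\S+)$")


def parse_events(log: str) -> list:
    """Parse the constructed log format into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event, user, sid, ip = m.groups()
            events.append({"ts": ts, "event": event, "user": user, "sid": sid, "ip": ip})
    return events


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls inside one of the hosting-provider ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_hijacked_sessions(events: list) -> dict:
    """Return session_id -> findings for every session accessed from an IP that never logged in.

    A stolen token is replayed without a LOGIN event, so the tell-tale is ACCESS traffic whose
    source address is absent from that session's LOGIN sources. Legitimate roaming (a user who
    re-authenticates from a new address) is not flagged, because that address does log in.
    """
    login_ips = defaultdict(set)
    access_ips = defaultdict(set)
    users = {}
    for e in events:
        users[e["sid"]] = e["user"]
        (login_ips if e["event"] == "LOGIN" else access_ips)[e["sid"]].add(e["ip"])

    findings = {}
    for sid, ips in access_ips.items():
        foreign = ips - login_ips[sid]
        if foreign:
            findings[sid] = {
                "user": users[sid],
                "login_ips": sorted(login_ips[sid]),
                "unauthenticated_ips": sorted(foreign),
                "hosting_ips": sorted(ip for ip in foreign if is_hosting_ip(ip)),
            }
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(parse_events(SAMPLE_LOG)).items():
        print(f"session {sid} ({f['user']}): logged in from {f['login_ips']}, "
              f"also used from {f['unauthenticated_ips']} (hosting: {f['hosting_ips']})")
```

In a real deployment the session identifier should be whatever your NetScaler logs carry for the session (not the token value itself), and the hosting-range list should come from a maintained feed; the logic of subtracting login sources from access sources is what stays the same.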
ReliaQuest noted that while CitrixBleed 2 can bypass authentication and hijack sessions much like the original CitrixBleed, it carries additional risk because what leaks are session tokens rather than conventional browser session cookies. Session tokens tend to back broader authentication flows such as API calls and persistent application sessions, which widens the set of scenarios an attacker can exploit.
Furthermore, on June 25, Citrix disclosed an additional vulnerability, CVE-2025-6543. This memory overflow can cause unintended control flow and denial of service in NetScaler ADC and Gateway when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. It carries a CVSS v4.0 score of 9.2 and affects the same builds as CVE-2025-5777, and Citrix reported that exploits against unmitigated appliances had already been observed.