Exploitation of Citrix Bleed 2 Vulnerability Confirmed in Ongoing Cyber Attacks
A critical vulnerability identified in the NetScaler ADC and Gateway, referred to as “Citrix Bleed 2” (CVE-2025-5777), is currently believed to be exploited in attacks. Reports from cybersecurity firm ReliaQuest indicate a notable increase in suspicious activity involving Citrix devices.
Citrix Bleed 2, named by researcher Kevin Beaumont for its resemblance to an earlier vulnerability, CVE-2023-4966, involves an out-of-bounds memory read flaw that permits unauthorized attackers to access restricted memory segments. This exploitation could facilitate the theft of session tokens, credentials, and other sensitive data, thereby enabling attackers to hijack user sessions and evade multi-factor authentication (MFA).
Citrix’s advisory emphasizes the importance of closing all ICA and PCoIP sessions following the implementation of security updates to prevent potential hijacking.
The vulnerability (CVE-2025-5777) was addressed by Citrix on June 17, 2025, with no immediate reports of ongoing exploitation at that time. However, Beaumont had previously cautioned about the possibility of active exploitation.
Recent observations reported by ReliaQuest substantiate these concerns, revealing that CVE-2025-5777 is likely being employed in targeted attacks, as indicated by the following findings:
- Instances of hijacked Citrix web sessions demonstrated unauthorized authentication, suggesting that attackers succeeded in bypassing MFA by utilizing stolen session tokens.
- Attackers were seen reusing Citrix sessions across both legitimate and dubious IP addresses, indicating potential session hijacking and replay activity from unrecognized sources.
- LDAP queries were initiated post-hijacking, indicating that attackers performed reconnaissance within Active Directory to assess users, groups, and permissions.
- Multiple executions of ADExplorer64.exe were detected across different systems, indicating organized domain reconnaissance and attempts to connect to various domain controllers.
- Citrix sessions originated from data center IP addresses associated with consumer VPN services, pointing towards attempts by attackers to obfuscate their activities using anonymous infrastructures.
These behaviors align with the characteristics of post-exploitation activity following unauthorized access via Citrix, reinforcing the assessment that CVE-2025-5777 is actively exploited in the wild.
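The session-reuse and LDAP-reconnaissance indicators listed above are the kind of thing a defender can check against authentication and session logs. The following is an added example, not code from the article, ReliaQuest or Citrix: it uses a constructed, simplified line format (timestamp, session id, source IP, event name) and a constructed list of suspect network ranges standing in for consumer-VPN data-centre address space, and flags a session that is used from more than one source address, reused from a suspect range, or issues LDAP queries after its source address changes.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample records in a simplified, hypothetical line format:
#   <timestamp> session=<id> src=<ip> event=<name>
# Session A1 authenticates with MFA from one address, is then reused from a
# second address and issues LDAP queries; session B2 stays on one address.
SAMPLE_LOG = """\
2025-06-25T08:01:10Z session=A1 src=203.0.113.10 event=login_mfa_ok
2025-06-25T08:02:14Z session=A1 src=203.0.113.10 event=app_launch
2025-06-25T08:10:02Z session=A1 src=198.51.100.77 event=app_launch
2025-06-25T08:11:30Z session=A1 src=198.51.100.77 event=ldap_query
2025-06-25T09:00:00Z session=B2 src=192.0.2.55 event=login_mfa_ok
2025-06-25T09:05:00Z session=B2 src=192.0.2.55 event=app_launch
"""

# Constructed placeholder for address ranges of consumer VPN data centres; a
# real deployment would load these from a threat-intelligence feed.
SUSPECT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<src>\S+) event=(?P<ev>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return None
    return {"ts": m["ts"], "sid": m["sid"], "src": src, "ev": m["ev"]}


def in_suspect_network(ip):
    """True if the address falls inside any of the suspect ranges."""
    return any(ip in net for net in SUSPECT_NETWORKS)


def analyze(log_text):
    """Return {session_id: sorted list of finding names} for every session seen."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            by_session[rec["sid"]].append(rec)

    findings = {}
    for sid, recs in by_session.items():
        flags = set()
        # Distinct source addresses in order of first appearance.
        sources = []
        for r in recs:
            if r["src"] not in sources:
                sources.append(r["src"])
        if len(sources) > 1:
            flags.add("multiple_source_ips")
            # A later address inside a suspect range: reuse via anonymising infrastructure.
            if any(in_suspect_network(ip) for ip in sources[1:]):
                flags.add("reuse_from_suspect_network")
        # LDAP activity once the session is no longer on its original address.
        moved = False
        for r in recs:
            if r["src"] != sources[0]:
                moved = True
            if moved and r["ev"] == "ldap_query":
                flags.add("ldap_query_after_ip_change")
        findings[sid] = sorted(flags)
    return findings


if __name__ == "__main__":
    for sid, flags in analyze(SAMPLE_LOG).items():
        print(sid, flags or "no findings")
```

Run on the constructed sample, session A1 is flagged on all three counts and B2 on none. A single address change is not proof of hijacking (mobile clients roam), which is why the LDAP-after-move and suspect-range checks are kept as separate findings that an analyst can weigh together.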
To mitigate risks, affected users are urged to upgrade their systems to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to address the vulnerability. Administrators should also terminate all active ICA and PCoIP sessions post-update, as some may have already been compromised.
Before terminating sessions, administrators are advised to examine them for any suspicious activity using the show icaconnection command and by navigating to NetScaler Gateway > PCoIP > Connections.
To terminate active sessions, the following commands should be executed:
kill icaconnection -all
kill pcoipconnection -all
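For the upgrade step, an administrator with many appliances may want to triage reported versions against the fixed builds quoted above. The following is an added example, not a Citrix tool or the article's own code: it parses NetScaler version strings of the form branch-build.sub, keys the 13.1 FIPS/NDcPP line separately because it uses its own build numbering, and reports hosts as patched, needing upgrade, or on a branch the article does not list a fix for. The hostnames and the versions other than the three fixed builds are constructed; session inspection and termination are not covered here.

```python
import re

# Fixed builds as listed in the article; the 13.1 FIPS/NDcPP line is keyed
# separately from regular 13.1 because its build numbers are not comparable.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)$")


def parse_version(text):
    """Split a version such as '14.1-43.50' into ('14.1', (43, 50))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m["branch"], (int(m["build"]), int(m["sub"]))


def is_patched(version, fips_ndcpp=False):
    """True if at or above the fixed build for its branch, False if below,
    None if the branch is not one of those the article lists a fix for."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips_ndcpp))
    if fixed is None:
        return None
    return build >= fixed


def triage(inventory):
    """Given [(hostname, version, fips_ndcpp)], group hostnames by status."""
    out = {"patched": [], "needs_upgrade": [], "unknown_branch": []}
    for host, version, fips in inventory:
        status = is_patched(version, fips)
        if status is None:
            out["unknown_branch"].append(host)
        elif status:
            out["patched"].append(host)
        else:
            out["needs_upgrade"].append(host)
    return out


# Constructed inventory; hostnames and non-fixed versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ns-edge-1", "14.1-43.56", False),   # exactly the fixed build
    ("ns-edge-2", "14.1-43.50", False),   # constructed older build
    ("ns-fips-1", "13.1-37.235", True),   # FIPS/NDcPP fixed build
    ("ns-other", "13.0-90.1", False),     # constructed; branch not in the list
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Passing the FIPS/NDcPP flag correctly matters: a regular 13.1 appliance at build 37.235 is well below 58.32 and is reported as needing upgrade, while the same number on the FIPS/NDcPP line is the fixed build. Hosts on an unlisted branch are reported separately rather than silently treated as safe.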
If immediate updates cannot be applied, restricting external access to the NetScaler through network ACLs or firewall rules is recommended.
In response to inquiries regarding the exploitation of CVE-2025-5777, Citrix referred stakeholders to a recent blog post asserting that there is no evidence of exploitation currently. However, another vulnerability (CVE-2025-6543) affecting NetScaler is confirmed to be exploited, causing denial-of-service events on the devices.
Citrix clarified that while both vulnerabilities affect the same module, they are distinct issues.