The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short patching deadline is unprecedented for an addition to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the seriousness of the attacks exploiting the flaw.
The agency added the flaw to the KEV catalog yesterday, ordering federal agencies to apply mitigations by the end of June 11, tomorrow.
CVE-2025-5777 is a critical memory safety vulnerability (an out-of-bounds memory read) that gives an unauthenticated attacker access to restricted regions of memory.
The issue affects NetScaler devices configured as a Gateway or AAA virtual server in versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 2.1-55.328-FIPS.
Citrix addressed the vulnerability through updates released on June 17.
A week later, security researcher Kevin Beaumont warned in a blog post about the flaw's potential for exploitation, its severity, and its likely impact.
Beaumont dubbed the flaw 'CitrixBleed 2' because of its similarity to the notorious CitrixBleed vulnerability (CVE-2023-4966), which was exploited in the wild by cybercriminal actors of all kinds.
The first warning of CitrixBleed 2 exploitation came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept (PoC) exploits for CVE-2025-5777, showing how the flaw can be leveraged in an attack.
At that time, definitive signs of active exploitation in the wild remained elusive, but with a PoC available and the flaw easy to exploit, it was only a matter of time before attackers began taking advantage of it at scale.
Over the past two weeks, however, threat actors have been actively discussing the CitrixBleed 2 PoC on hacker forums, working on it, testing it, and sharing it publicly.
They showed interest in how the available exploits could be used in attacks. That activity has increased over the last few days, and several exploits for the vulnerability have been published.
With CISA confirming that CitrixBleed 2 is actively used in attacks, it is likely that threat actors have by now developed their own exploits based on the technical details released last week.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warns.
To mitigate the issue, users are strongly advised to upgrade to firmware versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+.
After updating, administrators should terminate all active ICA and PCoIP sessions, as they may already be compromised.
Before doing so, they should review current sessions for suspicious activity using the 'show icaconnection'
command, or via NetScaler Gateway > PCoIP > Connections.
Then, terminate the sessions using the following commands:
kill icaconnection -all
kill pcoipconnection -all
If updating immediately is not possible, restrict external access to the NetScaler using firewall rules or ACLs.
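Deciding whether an appliance still needs the upgrade described above comes down to comparing its build number against the fixed build for its release branch. The following is an added example (not Citrix's or CISA's code) that parses a NetScaler version string and reports whether the build is below the fixed versions named in the article. The version-string formats it accepts ("NS14.1 43.50.nc", "14.1-43.56", "13.1-37.235-FIPS") are an assumption for illustration; adapt the regular expression to the exact output of `show ns version` on your own appliances.

```python
"""Check a NetScaler ADC/Gateway version against the CVE-2025-5777 fixed builds.

Added example, not Citrix's or CISA's code. The accepted version-string
formats are assumed for illustration.
"""
import re
from typing import Optional, Tuple

# Minimum fixed builds per release branch, as listed in the article.
# Key: (branch, is_fips_ndcpp). Value: (build, sub-build).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

# Assumed format: optional "NS" prefix, branch "MAJOR.MINOR", then a space
# or hyphen, then "BUILD.SUB", then an optional suffix such as ".nc" or "-FIPS".
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<branch>\d+\.\d+)[ -](?P<build>\d+)\.(?P<sub>\d+)(?P<rest>[\w.-]*)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int], bool]]:
    """Return (branch, (build, sub), is_fips_ndcpp) or None if unparseable."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    branch = match.group("branch")
    build = (int(match.group("build")), int(match.group("sub")))
    suffix = match.group("rest").lower()
    is_fips = "fips" in suffix or "ndcpp" in suffix
    return branch, build, is_fips


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build is below the fixed build for its branch, False if at or
    above it, None if the string cannot be parsed or the branch is not in the
    table (treat None as 'check manually', not as 'safe')."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, build, is_fips = parsed
    fixed = FIXED_BUILDS.get((branch, is_fips))
    if fixed is None:
        return None
    # Tuple comparison orders by build first, then sub-build.
    return build < fixed


def classify(text: str) -> str:
    """Human-readable verdict for an inventory report."""
    verdict = is_vulnerable(text)
    if verdict is None:
        return "unknown - verify manually"
    return "VULNERABLE - upgrade required" if verdict else "fixed build"


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance output.
    sample_inventory = [
        "NS14.1 43.50.nc",
        "14.1-43.56",
        "NS13.1 58.31.nc",
        "13.1-37.235-FIPS",
        "13.1-37.200-NDcPP",
        "2.1-55.300",
    ]
    for version in sample_inventory:
        print(f"{version:24} {classify(version)}")
```

Builds whose branch is not in the table return None rather than False so that an unrecognised appliance is flagged for manual review instead of silently reported as patched.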
Although CISA confirms exploitation, it is worth noting that Citrix has yet to update its original security bulletin, which as of June 27 still states that there is no evidence of CVE-2025-5777 being exploited in the wild.
BleepingComputer has contacted Citrix to ask whether there are any updates on the exploitation of CitrixBleed 2, and we will update this post when a statement is available.