
According to the cybersecurity firm ReliaQuest, a serious NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is likely already being exploited in targeted attacks.
Citrix Bleed 2, as named by security researcher Kevin Beaumont, gets its name from its similarity to the original Citrix Bleed (CVE-2023-4966), an out-of-bounds memory read weakness that allows unauthenticated attackers to read portions of the device's memory.
This can let attackers steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, allowing them to hijack user sessions and bypass multi-factor authentication (MFA).
Citrix's advisory also confirms this risk, warning users to terminate all ICA and PCoIP sessions after installing the security updates so that any already-hijacked sessions lose access.
The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, when there were no reports of active exploitation. However, Beaumont warned earlier this week that exploitation was highly likely.
The researcher's concerns now appear justified, as ReliaQuest says with moderate confidence that CVE-2025-5777 is already being exploited in targeted attacks.
"While CVE-2025-5777, dubbed 'Citrix Bleed 2,' has no public exploitation reports, ReliaQuest has assessed with moderate confidence that attackers are actively exploiting this vulnerability to gain initial access to target environments," ReliaQuest warns.
This conclusion is based on the following observations from recently seen real-world attacks:
- Hijacked Citrix web sessions were observed in which authentication was granted without any user interaction, bypassing MFA through the use of stolen session tokens.
- Attackers reused the same Citrix session from both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
- Post-access activity included LDAP queries, showing that the attackers performed Active Directory reconnaissance to map users, groups, and permissions.
- Multiple instances of ADExplorer64.exe were run across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.
- Citrix sessions were initiated from IP addresses associated with consumer VPN providers and data centers, suggesting the attacker was routing traffic through anonymizing infrastructure.
The activity above is consistent with post-exploitation following unauthorized Citrix access, strengthening the assessment that CVE-2025-5777 is being exploited in the wild.
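The indicators listed above can be turned into a simple session-level check. The following is an added illustration, not code from the article or from ReliaQuest: it runs over constructed gateway access records (the SessionEvent shape and the placeholder VPN/data-center ranges are assumptions, not a real NetScaler log format) and flags sessions whose token is replayed from several source IPs, sessions that never completed an MFA challenge, and sessions arriving from anonymizing address space.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample events, not real NetScaler output: one record per gateway
# request, keyed by an opaque identifier for the session token presented.
@dataclass
class SessionEvent:
    ts: int              # epoch seconds
    session_id: str      # identifier derived from the session token
    src_ip: str          # client address seen by the gateway
    mfa_completed: bool  # True if this request completed an MFA challenge

# Constructed placeholder ranges standing in for consumer-VPN / data-center space.
ANONYMIZING_RANGES = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]

SAMPLE_EVENTS = [
    SessionEvent(1000, "sess-A", "203.0.113.10", True),
    SessionEvent(1300, "sess-A", "198.51.100.7", False),  # same token, new IP, no MFA
    SessionEvent(1400, "sess-B", "203.0.113.22", True),
    SessionEvent(1500, "sess-B", "203.0.113.22", False),  # normal reuse from same IP
    SessionEvent(1600, "sess-C", "192.0.2.99", False),    # never passed MFA at all
]

def is_anonymizing(ip: str) -> bool:
    """True if the address falls in one of the placeholder VPN/data-center ranges."""
    return any(ip_address(ip) in net for net in ANONYMIZING_RANGES)

def find_suspicious_sessions(events):
    """Return {session_id: [reasons]} for sessions matching the indicators above."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_session[e.session_id].append(e)
    findings = {}
    for sid, evs in by_session.items():
        reasons = []
        ips = sorted({e.src_ip for e in evs})
        if len(ips) > 1:
            reasons.append(f"token replayed from multiple source IPs: {ips}")
        if not any(e.mfa_completed for e in evs):
            reasons.append("session active without any completed MFA challenge")
        anon = [ip for ip in ips if is_anonymizing(ip)]
        if anon:
            reasons.append(f"source IP in VPN/data-center range: {anon}")
        if reasons:
            findings[sid] = reasons
    return findings

if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_EVENTS).items():
        print(sid, "->", "; ".join(reasons))
```

A session that trips the first two checks at once (replayed token, no MFA on the new source) is the pattern ReliaQuest describes and is a candidate for termination with the kill commands below.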
To protect against this activity, potentially affected users should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remove the vulnerability.
After installing the latest firmware, admins should terminate all active ICA and PCoIP sessions, as they may already have been hijacked.
Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection command and under NetScaler Gateway > PCoIP > Connections.
After reviewing active sessions, admins can then terminate them using these commands:
kill icaconnection -all
kill pcoipconnection -all
If the security updates cannot be installed immediately, it is recommended that external network access to the NetScaler be restricted through ACLs or firewall rules.
In response to our questions about whether CVE-2025-5777 is being actively exploited, Citrix pointed us to a blog post published yesterday in which they say they have not seen any signs of exploitation.
"Currently, there is no evidence to suggest exploitation of CVE-2025-5777," reads the Citrix post.
However, another Citrix vulnerability, tracked as CVE-2025-6543, is being exploited in denial-of-service attacks against NetScaler devices.
Citrix states that this flaw and CVE-2025-5777 are in the same module but are different bugs.
Update 6/27/25: Information about Citrix’s blog post was added.