
More than 1,200 Citrix NetScaler ADC and NetScaler Gateway devices exposed online remain open to a significant, actively exploited vulnerability that allows threat actors to hijack user sessions and bypass authentication.
Tracked as CVE-2025-5777 and referred to as Citrix Bleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, which enables unauthenticated attackers to access restricted memory regions.
A similar Citrix security flaw, dubbed "CitrixBleed", was exploited in 2023 in ransomware attacks and breaches to hack NetScaler devices and then move laterally through the network.
Successful exploitation of CVE-2025-5777 can allow threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).
In an advisory on 17 June, Citrix warned customers to terminate all active ICA and PCoIP sessions after upgrading all their NetScaler devices to a patched version, in order to block potential attacks.
On Monday, security analysts from the internet security nonprofit Shadowserver Foundation found that devices were still vulnerable to CVE-2025-5777 over the weekend.

While Citrix has not yet confirmed that this security flaw is being exploited in the wild, saying "Currently, there is no evidence to suggest the exploitation of CVE-2025-5777," cybersecurity firm ReliaQuest stated on Thursday with moderate confidence that the vulnerability is already being abused in targeted attacks.
"While no public exploitation of CVE-2025-5777, dubbed 'Citrix Bleed 2', has been reported, ReliaQuest has assessed with moderate confidence that attackers are actively exploiting this vulnerability to gain initial access to target environments," ReliaQuest warned.
ReliaQuest identified indicators suggesting post-exploitation activity following unauthorized Citrix access, including a hijacked Citrix web session indicating a successful MFA bypass attempt, session reuse across several IP addresses (including suspicious ones), and LDAP queries linked to Active Directory.
Shadowserver also found more than 2,100 NetScaler devices unpatched against another important vulnerability (CVE-2025-6543), which is now being exploited in denial-of-service (DoS) attacks.
Both flaws are tagged as significant-severity vulnerabilities, and administrators are advised to deploy the latest patches from Citrix as soon as possible. Companies should also review their access controls and monitor Citrix NetScaler devices for suspicious user sessions and activity.
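One way to hunt for the session reuse across several IP addresses described above is sketched below. It is an added example, not code from the article, ReliaQuest or Citrix. The record layout, `SAMPLE_LOG`, `KNOWN_EGRESS` and the function names are assumptions made for illustration, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records: timestamp, user, session_id, src_ip.
# This layout is an assumption for the example, not a NetScaler log format.
SAMPLE_LOG = """\
2025-06-27T08:01:12,alice,sess-a1,198.51.100.10
2025-06-27T08:05:40,bob,sess-b7,203.0.113.21
2025-06-27T08:09:03,alice,sess-a1,198.51.100.10
2025-06-27T08:14:55,bob,sess-b7,203.0.113.22
2025-06-27T08:31:19,alice,sess-a1,192.0.2.77
2025-06-27T08:33:02,carol,sess-c3,198.51.100.44
"""

# Assumption: a NAT pool; addresses in the same listed range count as one origin.
KNOWN_EGRESS = [ip_network("203.0.113.0/24")]


def origin(ip):
    """Collapse an address to its known egress range, else keep the address."""
    addr = ip_address(ip)
    for net in KNOWN_EGRESS:
        if addr in net:
            return str(net)
    return str(addr)


def find_session_reuse(log_text):
    """Return one finding per session ID observed from more than one origin."""
    seen = defaultdict(dict)  # session_id -> {origin: (first_seen, user, ip)}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, user, sid, ip = row
        seen[sid].setdefault(origin(ip), (datetime.fromisoformat(ts), user, ip))
    findings = []
    for sid, origins in seen.items():
        if len(origins) < 2:
            continue
        first, *later = sorted(origins.values())  # oldest origin first
        findings.append({
            "session_id": sid,
            "user": first[1], "first_ip": first[2],
            "new_ips": [(when.isoformat(), ip) for when, _, ip in later],
        })
    return findings
```

A finding is a lead for review rather than proof of hijacking, since roaming clients legitimately change address; ranges added to `KNOWN_EGRESS` suppress expected changes such as a corporate NAT pool.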


