TrollEye Security

“Citrix Bleed 2” Likely Exploited in Attacks, Researchers Warn

Researchers Warn of Likely Exploitation as Citrix Denies Active Attacks

As reported by Bleeping Computer, a newly disclosed vulnerability in Citrix NetScaler ADC and Gateway products, dubbed “Citrix Bleed 2” (CVE-2025-5777), is now likely being exploited in the wild, according to cybersecurity firm ReliaQuest. The firm reports a sharp increase in suspicious session activity across Citrix environments, suggesting the flaw is being actively targeted.

First patched by Citrix on June 17, 2025, CVE-2025-5777 is an out-of-bounds memory read in NetScaler ADC and Gateway caused by insufficient input validation. It lets an unauthenticated attacker read sensitive data from the appliance's memory, including session tokens, credentials, and other authentication artifacts. The flaw is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A leaked session token lets an attacker replay an already-authenticated session rather than log in, so multi-factor authentication (MFA) is never challenged and the user's session is hijacked outright, a serious risk to enterprise networks.

Signs of Active Exploitation

Despite Citrix's statement that there is "no evidence to suggest exploitation," researchers and analysts are raising alarms. ReliaQuest assesses with medium confidence that attackers are already using the flaw for initial access, citing several red flags from recently observed intrusions:

  • Session hijacking: the same Citrix session was observed continuing from both the legitimate user's IP address and an attacker-controlled one. A session that was authenticated from one address and then reused from another, with no new login in between, is consistent with a stolen token being replayed; because the replay rides an already-authenticated session, MFA is never challenged.
  • Active Directory reconnaissance: after gaining access, attackers issued LDAP queries and ran tools such as ADExplorer64.exe to enumerate users, groups, and domain permissions.
  • Anonymized infrastructure: traffic originated from consumer VPN services and data-center IP space associated with hosting providers such as DataCamp, suggesting the attackers are obscuring their true source.

These behaviors match well-known post-exploitation tradecraft and support the assessment that CVE-2025-5777 is being actively exploited.
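The first and third indicators above (a session continuing across two source addresses, and the second address sitting in VPN or hosting IP space) can be turned into a simple hunt over Gateway session logs. The following is an added example, not code from the article or from ReliaQuest: it groups session records by session ID, flags any session used from an IP other than the one that passed the LOGIN, flags sessions that are active with no LOGIN on record at all (what a replayed stolen token looks like), and marks whether the foreign address falls in a caller-supplied list of VPN or hosting ranges. The log lines are constructed and use a simplified key=value layout; adapt LINE_RE to the syslog or SIEM schema you actually ingest.

```python
import ipaddress
import re

# Constructed sample session records (not real NetScaler telemetry). Session
# 7f3a21 authenticates from one address and is then used from another;
# session 1b2c3d is active with no login on record; session c91d04 is clean.
SAMPLE_LOG = """\
2025-06-26T08:01:12Z sid=7f3a21 user=alice client_ip=198.51.100.23 event=LOGIN
2025-06-26T08:02:40Z sid=7f3a21 user=alice client_ip=198.51.100.23 event=ICA_START
2025-06-26T08:31:05Z sid=7f3a21 user=alice client_ip=203.0.113.77 event=ICA_START
2025-06-26T08:33:19Z sid=7f3a21 user=alice client_ip=203.0.113.77 event=HTTP
2025-06-26T09:00:00Z sid=c91d04 user=bob client_ip=192.0.2.10 event=LOGIN
2025-06-26T09:05:00Z sid=c91d04 user=bob client_ip=192.0.2.10 event=ICA_START
2025-06-26T09:10:00Z sid=1b2c3d user=carol client_ip=203.0.113.77 event=ICA_START
"""

# Simplified record layout assumed for this example; real NetScaler syslog differs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+sid=(?P<sid>\S+)\s+user=(?P<user>\S+)\s+"
    r"client_ip=(?P<ip>\S+)\s+event=(?P<event>\S+)"
)


def parse_line(line):
    """Return the record's fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_hijacked_sessions(log_text, hosting_ranges=()):
    """Group records by session id and flag sessions whose use is inconsistent
    with a single authenticated client.

    Returns {sid: {"user", "login_ip", "ips", "foreign_ips", "reasons"}} where
    reasons is drawn from:
      multi_ip   - the session was used from an IP other than its LOGIN IP
      no_login   - the session was used but no LOGIN event was seen for it
      hosting_ip - a foreign IP falls inside a caller-supplied VPN/hosting range
    """
    nets = [ipaddress.ip_network(cidr) for cidr in hosting_ranges]
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(
            rec["sid"], {"user": rec["user"], "login_ip": None, "ips": []}
        )
        # The first LOGIN for a session is the address that passed authentication (and MFA).
        if rec["event"] == "LOGIN" and s["login_ip"] is None:
            s["login_ip"] = rec["ip"]
        if rec["ip"] not in s["ips"]:
            s["ips"].append(rec["ip"])

    findings = {}
    for sid, s in sessions.items():
        # With no LOGIN on record every address is "foreign" to the session.
        foreign = [ip for ip in s["ips"] if ip != s["login_ip"]]
        reasons = []
        if s["login_ip"] is None:
            reasons.append("no_login")
        elif foreign:
            reasons.append("multi_ip")
        if reasons and any(
            ipaddress.ip_address(ip) in net for ip in foreign for net in nets
        ):
            reasons.append("hosting_ip")
        if reasons:
            findings[sid] = {**s, "foreign_ips": foreign, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(sid, f["user"], f["login_ip"], f["foreign_ips"], f["reasons"])
```

Two caveats when running this against real data: a `no_login` hit is only meaningful if the LOGIN event for that session falls inside the window you are searching, and users on mobile or roaming connections legitimately change source address mid-session, so `multi_ip` is a lead to triage against the user's normal egress ranges, not a verdict on its own.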

Mitigation and Guidance

Citrix customers are urged to upgrade immediately to a fixed build; the minimum fixed builds are:

  • 14.1-43.56+
  • 13.1-58.32+
  • 13.1-FIPS/NDcPP 13.1-37.235+
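When checking a fleet against that list, the trap is the 13.1 FIPS/NDcPP branch: its fixed build, 13.1-37.235, has a lower build number than mainline 13.1-58.32, so a naive numeric comparison marks a patched FIPS appliance as vulnerable. The check below is an added example (not Citrix tooling) that parses either the "NetScaler NS14.1: Build 43.56.nc, ..." string printed by `show ns version` or the compact "14.1-43.56" form used in advisories, picks the right branch before comparing, and reports any release not covered by the list (for example 12.1 or 13.0) as needing manual review. Two assumptions are baked in and labeled in the code: the `show ns version` string layout, and that 13.1 FIPS/NDcPP appliances are the ones running 13.1-37.x builds.

```python
import re

# Minimum fixed builds from the advisory as quoted in the article, as
# (release, branch label, branch test on build-major, fixed (major, minor)).
# Assumption: 13.1 FIPS/NDcPP appliances run 13.1-37.x builds, so build-major
# 37 selects that branch; any other 13.1 build-major is treated as mainline.
FIXED_BUILDS = [
    ("14.1", "14.1", lambda major: True, (43, 56)),
    ("13.1", "13.1-FIPS/NDcPP", lambda major: major == 37, (37, 235)),
    ("13.1", "13.1", lambda major: major != 37, (58, 32)),
]

# Assumed 'show ns version' layout: "NetScaler NS14.1: Build 43.56.nc, Date: ..."
VERSION_RE = re.compile(
    r"NS(?P<rel>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
    r"|(?P<rel2>\d+\.\d+)-(?P<major2>\d+)\.(?P<minor2>\d+)"  # compact "14.1-43.56"
)


def parse_version(text):
    """Return (release, build_major, build_minor) or None if nothing matches."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    if m.group("rel"):
        return m.group("rel"), int(m.group("major")), int(m.group("minor"))
    return m.group("rel2"), int(m.group("major2")), int(m.group("minor2"))


def check_version(text):
    """Classify a NetScaler build against the CVE-2025-5777 fixed-build list.

    status is one of: fixed, vulnerable, unknown-release (not in the list;
    review against the advisory by hand), unparseable.
    """
    parsed = parse_version(text)
    if parsed is None:
        return {"status": "unparseable", "input": text}
    rel, major, minor = parsed
    build = f"{rel}-{major}.{minor}"
    for fix_rel, branch, in_branch, fixed in FIXED_BUILDS:
        if rel == fix_rel and in_branch(major):
            # Tuple comparison orders by build-major first, then build-minor,
            # but only within the branch we just selected.
            status = "fixed" if (major, minor) >= fixed else "vulnerable"
            return {
                "status": status,
                "branch": branch,
                "build": build,
                "minimum_fixed": f"{fix_rel}-{fixed[0]}.{fixed[1]}",
            }
    return {"status": "unknown-release", "build": build}


if __name__ == "__main__":
    for sample in (
        "NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025",  # constructed
        "13.1-37.235",
        "13.1-58.32",
        "13.0-92.21",
    ):
        print(sample, "->", check_version(sample))
```

Feed it the output of `show ns version` from each appliance and treat anything other than `fixed` as work to do: `vulnerable` means upgrade, `unknown-release` means the release is not covered by the list above and must be checked against the advisory directly.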

Patching closes the memory leak but does not invalidate tokens an attacker has already captured. Citrix's advisory therefore recommends terminating all active ICA and PCoIP sessions after the upgrade so that stolen session tokens cannot be used to keep access. Before terminating them, inspect the active sessions for anomalies (for example, a user's session arriving from an unexpected source address) using:

  • show icaconnection
  • Check under NetScaler Gateway > PCoIP > Connections

To kill active sessions:

  • kill icaconnection -all
  • kill pcoipconnection -all

For organizations unable to patch immediately, Citrix recommends restricting external access to the affected Gateway and AAA virtual servers with firewall rules or network ACLs. This only reduces exposure; the appliance remains vulnerable until it is upgraded. NetScaler 12.1 and 13.0 are end-of-life and are not covered by the builds listed above, so appliances on those releases must be moved to a supported release.

Related Flaw Causes Denial-of-Service

Citrix has also confirmed that a separate vulnerability, CVE-2025-6543, a memory overflow that can lead to unintended control flow and denial of service, is being actively exploited against NetScaler devices. It affects the same Gateway and AAA virtual server configurations as Citrix Bleed 2, and the article notes it resides in the same module, but Citrix stresses that the two are distinct issues. CVE-2025-6543 has its own fixed builds; the builds listed above for CVE-2025-5777 do not address it, so check its advisory separately.

Organizations relying on Citrix products should patch promptly, terminate existing sessions, and monitor for unusual access patterns, given the evidence that attackers are already exploiting these vulnerabilities.
