Citrix Bleed 2 Vulnerability: Active Exploitation Threatens NetScaler Users Worldwide

CyberSecureFox 🦊

Cybersecurity researchers at ReliaQuest have confirmed active exploitation of a critical vulnerability dubbed Citrix Bleed 2 (CVE-2025-5777) in real-world attacks. This newly discovered security flaw affects widely deployed Citrix NetScaler ADC and NetScaler Gateway solutions, posing significant risks to organizations globally that rely on these enterprise networking appliances.

Understanding the Citrix Bleed 2 Vulnerability

The vulnerability has been named Citrix Bleed 2 due to its striking similarity to the infamous CVE-2023-4966 flaw that was extensively exploited by threat actors throughout 2023. Security researcher Kevin Beaumont coined the term after conducting an in-depth technical analysis of this emerging threat.

CVE-2025-5777 is classified as an out-of-bounds read vulnerability, a memory-safety flaw in which a program reads data beyond the boundary of the buffer allocated for it. This weakness lets unauthenticated attackers pull sensitive information from the appliance's memory, including user authentication session cookies and other confidential data.

Affected Systems and Configurations

The vulnerability specifically impacts NetScaler devices configured as gateways with the following service configurations:

• VPN virtual servers
• ICA Proxy services
• Clientless VPN (CVPN) implementations
• RDP Proxy configurations
• AAA virtual servers

Attack Methodology and Security Implications

Exploitation of CVE-2025-5777 grants cybercriminals unauthorized access to highly sensitive organizational data. Attackers can intercept session tokens, user credentials, and other confidential information directly from public-facing gateways and virtual server instances without requiring initial authentication.

The most concerning aspect of this vulnerability is its potential to bypass multi-factor authentication (MFA) controls. Once attackers obtain valid session tokens, they can impersonate legitimate users and gain comprehensive access to corporate resources without needing passwords or completing additional security verification steps.

Evidence of Active Exploitation in the Wild

ReliaQuest researchers report observing a substantial increase in suspicious session activity across monitored Citrix deployments in recent weeks. While comprehensive reports of large-scale attacks have not yet surfaced publicly, security experts express moderate confidence that threat actors are actively leveraging this vulnerability to establish initial access to targeted corporate environments.

This exploitation pattern mirrors the trajectory observed with the original Citrix Bleed vulnerability, which was subsequently weaponized by ransomware groups and nation-state actors for conducting large-scale cyberattacks against critical infrastructure and enterprise networks.

Immediate Remediation Steps and Security Updates

Citrix has responded promptly by releasing security patches to address this critical vulnerability. System administrators must immediately update their NetScaler deployments to the following patched versions:

• NetScaler ADC and Gateway version 14.1-43.56 or later
• NetScaler ADC and Gateway version 13.1-58.32 or later
• NetScaler ADC and Gateway FIPS/NDcPP version 13.1-37.235 or later
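As an added example (not code from the article, ReliaQuest or Citrix), the following Python helper parses NetScaler build strings and compares them with the fixed builds listed above, keeping the 13.1 FIPS/NDcPP train separate so a 13.1-37.x build is not wrongly judged against 58.32. The "NS14.1: Build 43.56.nc" input form and the host names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed builds from the article, keyed by (release, fips_ndcpp).
# The 13.1 FIPS/NDcPP train is a separate branch from mainstream 13.1, so a
# 13.1-37.x build is compared against its own entry, not against 58.32.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

# Accepts "14.1-43.56" as well as the "NS14.1: Build 43.56.nc" form
# (the latter is an assumption about the appliance's version output).
_VERSION_RE = re.compile(r"(\d+\.\d+)\D+?(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release, (build_major, build_minor)) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version: str, fips: bool = False) -> str:
    """Classify one build as patched, vulnerable, not-covered or unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        # Release train not on the fix list: flag it instead of assuming safe.
        return "not-covered"
    # Tuple comparison ranks (58, 32) above (57, 100) as intended.
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: List[Tuple[str, str, bool]]) -> Dict[str, List[str]]:
    """Group (hostname, version, fips) rows by assessment result."""
    groups: Dict[str, List[str]] = {}
    for host, version, fips in inventory:
        groups.setdefault(assess(version, fips), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    rows = [("gw-1", "NetScaler NS14.1: Build 43.56.nc", False),
            ("gw-2", "13.1-37.235", True), ("gw-3", "13.1-37.235", False)]
    print(triage(rows))
```

Builds on release trains absent from the list are reported as "not-covered" rather than "patched", so they surface for manual review.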

Post-Patching Security Measures

Following patch installation, organizations must terminate all active ICA and PCoIP sessions immediately. Patching closes the memory leak but does not invalidate session tokens that were already stolen; terminating the sessions does, which stops attackers from reusing previously compromised sessions for persistent access to corporate resources.

The emergence of Citrix Bleed 2 reinforces the critical importance of maintaining robust cybersecurity hygiene and proactive threat management strategies. Organizations should prioritize regular security updates for internet-facing systems, implement comprehensive monitoring for anomalous network activity, and deploy defense-in-depth security architectures. Only through systematic and multi-layered security approaches can enterprises effectively defend against sophisticated modern cyber threats targeting critical infrastructure components.
