1,200+ Citrix servers vulnerable to critical auth bypass flaw

Summary
– Over 1,200 unpatched Citrix NetScaler appliances are vulnerable to CVE-2025-5777, allowing attackers to bypass authentication by hijacking sessions.
– The flaw, dubbed “Citrix Bleed 2,” stems from insufficient input validation, enabling unauthorized access to restricted memory regions.
– Exploiting CVE-2025-5777 could let attackers steal session tokens, credentials, and bypass multi-factor authentication (MFA).
– Shadowserver found 2,100 vulnerable appliances, while ReliaQuest reported medium-confidence evidence of active exploitation.
– Administrators are urged to patch immediately, as another critical flaw (CVE-2025-6543) is also being exploited in DoS attacks.
More than 1,200 internet-exposed Citrix NetScaler systems remain vulnerable to a severe authentication bypass flaw that could let attackers hijack user sessions and bypass security measures like multi-factor authentication. Security researchers warn this critical vulnerability, identified as CVE-2025-5777, may already be under active exploitation despite Citrix’s claims of no confirmed attacks.
The vulnerability stems from improper memory handling in Citrix NetScaler ADC and Gateway appliances, allowing unauthorized access to sensitive system areas. Dubbed “Citrix Bleed 2” due to its similarity to a previously exploited flaw, this weakness enables attackers to steal session tokens and credentials from exposed gateways. Once compromised, threat actors can impersonate legitimate users, bypass MFA protections, and move laterally through networks, a tactic seen in past ransomware campaigns targeting government agencies.
Citrix issued an urgent advisory on June 17, urging customers to immediately upgrade affected systems and terminate all active sessions to prevent exploitation. However, scans by the Shadowserver Foundation reveal that over 2,100 devices remain unpatched, leaving organizations open to potential breaches.
While Citrix maintains there’s no evidence of active exploitation, cybersecurity firm ReliaQuest has observed signs of attacks in progress. Their analysis points to suspicious session hijacking, unauthorized LDAP queries, and MFA bypass attempts, clear indicators of post-exploitation activity. These findings suggest attackers are already leveraging the flaw to infiltrate corporate environments.
Adding to the risk, Shadowserver detected another critical vulnerability (CVE-2025-6543) being actively abused in denial-of-service attacks. With both flaws rated as high severity, IT teams must prioritize patching and closely monitor NetScaler appliances for unusual access patterns. Proactive measures like reviewing session logs, enforcing strict access controls, and applying the latest security updates are critical to mitigating these threats before attackers strike.
(Source: BLEEPINGCOMPUTER)