Hackers Exploit New ‘CitrixBleed 2’ NetScaler Flaw to Hijack Sessions

Summary
– A new vulnerability called “CitrixBleed 2” (CVE-2025-5777) affects Citrix NetScaler ADC and Gateway, allowing attackers to hijack authentication session cookies.
– The flaw impacts NetScaler devices configured as Gateways or AAA virtual servers, potentially exposing session tokens, credentials, and sensitive data.
– A second high-severity flaw (CVE-2025-5349) involves improper access control in the NetScaler Management Interface, exploitable with access to specific IPs.
– Citrix recommends updating to patched versions and terminating all active ICA and PCoIP sessions to prevent exploitation of stolen session data.
– Unpatched end-of-life versions (12.1 non-FIPS and 13.0) remain vulnerable, requiring immediate upgrades to supported releases.
A newly discovered vulnerability in Citrix NetScaler ADC and Gateway systems, nicknamed “CitrixBleed 2,” poses a serious threat by allowing attackers to hijack user sessions and bypass security measures. The flaw bears striking similarities to a previously exploited weakness that enabled unauthorized access to sensitive authentication data.
Security experts have identified two critical vulnerabilities, CVE-2025-5777 and CVE-2025-5349, affecting multiple versions of NetScaler ADC and Gateway. The more severe of the two, CVE-2025-5777, stems from an out-of-bounds memory read, which lets attackers read memory they should not have access to. The flaw affects only systems configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN, RDP Proxy) or as an AAA virtual server.
Cybersecurity researcher Kevin Beaumont likened the vulnerability to the notorious CitrixBleed (CVE-2023-4966), which was widely abused by ransomware groups and state-sponsored hackers. Dubbing it “CitrixBleed 2,” Beaumont warned that attackers could exploit the flaw to steal session tokens, login credentials, and other confidential data from exposed gateways. Once obtained, these tokens can be reused to hijack active sessions and circumvent multi-factor authentication (MFA).
The second vulnerability, CVE-2025-5349, is rated as high-severity and involves improper access controls in the NetScaler Management Interface. Exploitation requires access to the NetScaler Management IP (NSIP), Cluster Management IP, or Local GSLB Site IP.
Citrix has released patches for affected versions, urging administrators to upgrade to NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32, or later releases. Additionally, they recommend terminating all active ICA and PCoIP sessions after applying updates to prevent attackers from leveraging stolen session data.
Before terminating sessions, administrators should first inspect them for suspicious activity, using the show icaconnection CLI command for ICA sessions and the NetScaler Gateway > PCoIP > Connections page in the GUI for PCoIP sessions. Once reviewed, sessions can be terminated with:
Charles Carmakal, Mandiant’s CTO, emphasized the importance of session termination, citing past incidents where organizations failed to do so after patching CVE-2023-4966 (CitrixBleed). Many of these oversights led to ransomware attacks and espionage campaigns as attackers reused stolen session tokens post-patch.
Unsupported versions, including ADC/Gateway 12.1 (non-FIPS) and 13.0, remain vulnerable without patches. Users still relying on these outdated systems should immediately migrate to supported releases.
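To turn the version thresholds above into a repeatable check across a NetScaler inventory, the following is an added example (not code from the article or from Citrix). It assumes the version string has the "NetScaler NS14.1: Build 43.56.nc" shape that the show ns version command prints, encodes only the fixed builds and end-of-life branches the article names (FIPS/NDcPP builds are not covered here), and uses constructed sample inventory lines.

```python
import re

# Minimum fixed builds per branch for CVE-2025-5777 / CVE-2025-5349, as given in the article.
PATCHED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}
# Branches the article lists as end-of-life with no fix available.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed format of a 'show ns version' line: "NetScaler NS<branch>: Build <major>.<minor>.nc, ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (build_major, build_minor)) from a version line, or raise on unknown input."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    # Builds are compared as integer pairs (e.g. 43.7 < 43.56), not as decimals.
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text):
    """Classify one appliance as patched, vulnerable, eol-unpatchable or unknown-branch."""
    branch, build = parse_version(text)
    if branch in EOL_BRANCHES:
        return "eol-unpatchable"   # only remedy is migrating to a supported release
    minimum = PATCHED_BUILDS.get(branch)
    if minimum is None:
        return "unknown-branch"    # not listed in the article; check the vendor advisory
    return "patched" if build >= minimum else "vulnerable"


def triage(inventory):
    """Map each (hostname, version line) pair to its status; hostnames are constructed samples."""
    return {host: assess(line) for host, line in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("gw-1.example", "NetScaler NS14.1: Build 43.56.nc, Date: ..."),
        ("gw-2.example", "NetScaler NS13.1: Build 58.7.nc, Date: ..."),
        ("gw-3.example", "NetScaler NS13.0: Build 92.21.nc, Date: ..."),
    ]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```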
Recent scans reveal over 56,500 publicly accessible NetScaler endpoints, though the exact number vulnerable to these flaws remains unclear. Organizations using Citrix products should prioritize updates and session management to mitigate risks.
(Source: BLEEPINGCOMPUTER)