
Hackers Exploit New ‘CitrixBleed 2’ NetScaler Flaw to Hijack Sessions

Summary

– A new vulnerability called “CitrixBleed 2” (CVE-2025-5777) affects Citrix NetScaler ADC and Gateway, allowing attackers to hijack authentication session cookies.
– The flaw impacts NetScaler devices configured as Gateways or AAA virtual servers, potentially exposing session tokens, credentials, and sensitive data.
– A second high-severity flaw (CVE-2025-5349) involves improper access control in the NetScaler Management Interface and is exploitable only from hosts that can reach the management IPs (NSIP, Cluster Management IP, or Local GSLB Site IP).
– Citrix recommends updating to patched versions and terminating all active ICA and PCoIP sessions to prevent exploitation of stolen session data.
– Unpatched end-of-life versions (12.1 non-FIPS and 13.0) remain vulnerable, requiring immediate upgrades to supported releases.

A newly discovered vulnerability in Citrix NetScaler ADC and Gateway systems, nicknamed “CitrixBleed 2,” poses a serious threat by allowing attackers to hijack user sessions and bypass security measures. The flaw bears striking similarities to a previously exploited weakness that enabled unauthorized access to sensitive authentication data.

Security experts have identified two critical vulnerabilities, CVE-2025-5777 and CVE-2025-5349, affecting multiple versions of NetScaler ADC and Gateway. The more severe of the two, CVE-2025-5777, stems from an out-of-bounds memory read, which lets an attacker read memory they should not have access to. The flaw affects only systems configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN, RDP Proxy) or as an AAA virtual server.

Cybersecurity researcher Kevin Beaumont likened the vulnerability to the notorious CitrixBleed (CVE-2023-4966), which was widely abused by ransomware groups and state-sponsored hackers. Dubbing it “CitrixBleed 2,” Beaumont warned that attackers could exploit the flaw to steal session tokens, login credentials, and other confidential data from exposed gateways. Once obtained, these tokens can be reused to hijack active sessions and circumvent multi-factor authentication (MFA).

The second vulnerability, CVE-2025-5349, is rated as high-severity and involves improper access controls in the NetScaler Management Interface. Exploitation requires access to the NetScaler Management IP (NSIP), Cluster Management IP, or Local GSLB Site IP.

Citrix has released patches for affected versions, urging administrators to upgrade to NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32, or later releases. Additionally, they recommend terminating all active ICA and PCoIP sessions after applying updates to prevent attackers from leveraging stolen session data.

Before shutting down sessions, administrators should first inspect for suspicious activity, using the CLI command show icaconnection for ICA sessions and the NetScaler Gateway > PCoIP > Connections page in the management GUI for PCoIP sessions. Once reviewed, sessions can be terminated with:

Charles Carmakal, Mandiant’s CTO, emphasized the importance of session termination, citing past incidents where organizations failed to do so after patching CVE-2023-4966 (CitrixBleed). Many of these oversights led to ransomware attacks and espionage campaigns as attackers reused stolen session tokens post-patch.

Unsupported versions, including ADC/Gateway 12.1 (non-FIPS) and 13.0, remain vulnerable without patches. Users still relying on these outdated systems should immediately migrate to supported releases.
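To turn the version guidance above (fixed builds 14.1-43.56 and 13.1-58.32; end-of-life 12.1 non-FIPS and 13.0) into a repeatable inventory check, here is an added Python example that is not from the article, BleepingComputer or Citrix. The hostnames and versions in the sample inventory are constructed, and the fixed-build table deliberately covers only the two releases the article names.

```python
import re

# Fixed builds named in the article; a build at or above these is patched.
FIXED_BUILDS = {(14, 1): (43, 56), (13, 1): (58, 32)}
# Branches the article describes as end-of-life with no patch available.
EOL_BRANCHES = {(12, 1), (13, 0)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(text):
    """Split '14.1-43.56' into ((14, 1), (43, 56)) so builds compare numerically."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor), (build, sub)

def assess(version, fips=False):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for one release.

    The article lists 12.1 non-FIPS and 13.0 as end-of-life but gives no fixed
    build for the 12.1 FIPS line, so that line is reported as 'unknown', not guessed.
    """
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES and not (branch == (12, 1) and fips):
        return "end-of-life"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"

# Constructed sample inventory: hostnames and versions invented for illustration.
SAMPLE_INVENTORY = [
    ("gw-1.example.internal", "14.1-43.56", False),
    ("gw-2.example.internal", "13.1-50.10", False),
    ("gw-old.example.internal", "13.0-92.21", False),
]

def triage(inventory):
    """Map each host to its status. Even 'patched' hosts still need their ICA and
    PCoIP sessions terminated: the patch alone does not invalidate stolen tokens."""
    return {host: assess(ver, fips) for host, ver, fips in inventory}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```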

Recent scans reveal over 56,500 publicly accessible NetScaler endpoints, though the exact number vulnerable to these flaws remains unclear. Organizations using Citrix products should prioritize updates and session management to mitigate risks.

(Source: BLEEPINGCOMPUTER)


The Wiz

Wiz Consults, home of the Internet is led by "the twins", Wajdi & Karim, experienced professionals who are passionate about helping businesses succeed in the digital world. With over 20 years of experience in the industry, they specialize in digital publishing and marketing, and have a proven track record of delivering results for their clients.