
Patch Alert: CitrixBleed 2 Still a Threat (CVE-2025-5777)

Summary

– Proof-of-concept exploits for CVE-2025-5777 (CitrixBleed 2) are now public, with active exploitation reported since mid-June, prompting users to check for compromises.
– Citrix denies evidence of in-the-wild exploitation, but security researchers have provided indicators of compromise and technical details.
– CVE-2025-5777 is an out-of-bounds memory read flaw allowing attackers to extract session tokens by sending modified login requests repeatedly.
– Attackers have been exploiting the vulnerability to bypass multi-factor authentication, hijack sessions, and potentially link to ransomware groups like RansomHub.
– Researchers advise immediate threat hunting and checking for signs of compromise, even for organizations that patched early, due to ongoing exploitation.

A critical vulnerability in Citrix NetScaler ADC and Gateway systems, known as CVE-2025-5777 (or CitrixBleed 2), is actively being exploited, putting organizations at risk of session hijacking and unauthorized access. Despite Citrix’s claim of no confirmed in-the-wild attacks, multiple security firms have detected malicious activity since mid-June, urging administrators to take immediate action.

The flaw stems from insufficient input validation, allowing attackers to read memory contents and extract valid session tokens by sending manipulated login requests to vulnerable endpoints. While each request leaks only small amounts of data, repeated attempts can eventually expose sensitive credentials, including those tied to administrative accounts. Researchers from watchTowr and Horizon3.ai confirmed that even configuration utilities used by administrators are vulnerable, making privileged accounts a prime target.

Exploitation is already underway, with reports indicating attackers are bypassing multi-factor authentication and hijacking sessions. Security teams at ReliaQuest reported, with medium confidence, that these tactics were in use, while GreyNoise data reveals scanning activity dating back to July 1, before public technical details were released. One concerning detail involves an IP address linked to the RansomHub ransomware group, suggesting potential ties to financially motivated cybercriminals.

Citrix released a patch on June 17, but delayed detection means many systems may already be compromised. Indicators of compromise (IoCs) include unauthorized account creation, configuration changes, and tampering with logging settings, all red flags that warrant investigation. Security experts recommend thorough threat hunting before applying patches, as attackers may have already established persistence.

For organizations running Citrix NetScaler, immediate patching and forensic analysis are critical. Even those who applied fixes early should verify systems for signs of intrusion, as attackers could have exploited the window between vulnerability disclosure and remediation. Proactive monitoring and reviewing default logs can help identify suspicious activity before it escalates into a full breach.
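One way to act on the hunting advice above, as an added example that is not from the article or from Citrix: a small Python script that scans access-log lines for the two traffic patterns the article describes, a burst of repeated login requests from one source and a session token later reused from a different client. The log format, the field layout and the `/login` path are constructed assumptions; adapt the parser to the real log source before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access-log lines in a simplified, hypothetical format (not the real
# NetScaler log schema): time, client IP, method, path, status, session id ("-" if none).
SAMPLE_LOG = """\
2025-07-02T10:00:01 203.0.113.7 POST /login 200 -
2025-07-02T10:00:03 203.0.113.7 POST /login 200 -
2025-07-02T10:00:05 203.0.113.7 POST /login 200 -
2025-07-02T10:00:07 203.0.113.7 POST /login 200 -
2025-07-02T10:04:00 198.51.100.20 POST /login 200 -
2025-07-02T10:04:02 198.51.100.20 GET /portal 200 sess-4f2a
2025-07-02T10:06:30 203.0.113.7 GET /portal 200 sess-4f2a
2025-07-02T10:08:00 192.0.2.50 POST /login 200 -
"""
LOGIN_PATH = "/login"  # assumed login endpoint path for this example

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, method, path, status, session = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ip": ip, "method": method,
                       "path": path, "status": int(status), "session": session})
    return events

def find_login_bursts(events, threshold=4, window=timedelta(seconds=60)):
    """IPs with >= threshold login POSTs inside one sliding window (repeated-request pattern)."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == LOGIN_PATH:
            per_ip[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_session_reuse(events):
    """Session ids seen from more than one client IP: a hijacked-session indicator."""
    ips = defaultdict(set)
    for e in events:
        if e["session"] != "-":
            ips[e["session"]].add(e["ip"])
    return {s: owners for s, owners in ips.items() if len(owners) > 1}
```

Tune `threshold` and `window` to the normal login rate of your environment; a legitimate load balancer or proxy in front of the gateway will otherwise show up as a burst source.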


(Source: HelpNet Security)
