
CISA Urges Immediate Patch for Exploited Citrix Bleed 2 Vulnerability

Summary

– CISA confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) and gave federal agencies one day to apply fixes, an unprecedented level of urgency.
– The flaw is a critical memory safety issue allowing unauthenticated attackers to access restricted memory, affecting specific NetScaler ADC and Gateway versions.
– Citrix released patches on June 17; security researchers later warned of the flaw’s severity, and public proof-of-concept exploits followed by early July.
– Threat actors have been actively discussing and testing exploits for CitrixBleed 2, increasing the risk of widespread attacks.
– CISA recommends immediate patching, disconnecting compromised sessions, or restricting access if updates aren’t feasible, though Citrix has not yet updated its bulletin on exploitation status.

Federal agencies and businesses using Citrix NetScaler systems face urgent action after cybersecurity officials confirmed active attacks exploiting a critical vulnerability. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an unusually strict 24-hour deadline for patching the flaw, designated as CVE-2025-5777, marking one of the fastest response mandates since the agency began tracking actively exploited vulnerabilities.

This memory safety issue, allowing unauthorized access to sensitive system memory, affects NetScaler ADC and Gateway devices configured as Gateway or AAA virtual servers. Specifically vulnerable are systems running versions older than 14.1-43.56, 13.1-58.32, or FIPS/NDcPP 13.1-37.235. Citrix released patches on June 17, but delays in applying updates have left networks exposed.
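The three fixed builds quoted above are the only version data in the article, and the first thing an administrator needs is a way to turn an inventory of NetScaler version strings into a patched/vulnerable decision. The following script is an added example for this page (it is not Citrix's or CISA's code): it parses the `release-build.sub` version format, compares each appliance against the fixed build for its branch, and flags releases the article does not cover for manual review. The assumption that 13.1 builds in the 37.x line are the FIPS/NDcPP branch, the `has_gateway_or_aaa_vserver` flag, and the sample inventory are all constructed for the example.

```python
import re

# Fixed builds as quoted in the article. Anything older on the same branch is vulnerable.
FIXED_BUILDS = {
    ("14.1", "main"): (43, 56),   # 14.1-43.56
    ("13.1", "main"): (58, 32),   # 13.1-58.32
    ("13.1", "fips"): (37, 235),  # FIPS/NDcPP 13.1-37.235
}

# NetScaler versions look like "14.1-43.56": release "14.1", build 43, sub-build 56.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text):
    """Split a NetScaler version string into (release, build, sub) with numeric parts."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def branch_of(release, build):
    """Assumption for this example: on 13.1 the 37.x build line is the FIPS/NDcPP branch."""
    if release == "13.1" and build == 37:
        return "fips"
    return "main"


def classify(version, has_gateway_or_aaa_vserver=True):
    """Return 'patched', 'vulnerable', 'vulnerable-not-exposed' or 'unknown'.

    'vulnerable-not-exposed' means the build is below the fixed version but the
    appliance is not configured as a Gateway or AAA virtual server (the exposed
    configuration named in the article); it should still be patched.
    'unknown' means the release is not one the article lists: review manually.
    """
    release, build, sub = parse_version(version)
    key = (release, branch_of(release, build))
    if key not in FIXED_BUILDS:
        return "unknown"
    if (build, sub) >= FIXED_BUILDS[key]:
        return "patched"
    return "vulnerable" if has_gateway_or_aaa_vserver else "vulnerable-not-exposed"


def triage(inventory):
    """Map each (hostname, version, exposed?) tuple to its status; hostnames are constructed."""
    return {host: classify(ver, exposed) for host, ver, exposed in inventory}


# Constructed sample inventory: hostnames and versions are illustrative, not real assets.
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-43.50", True),    # below 14.1-43.56, Gateway vserver configured
    ("ns-gw-02", "14.1-47.46", True),    # newer than the fixed 14.1 build
    ("ns-lb-03", "13.1-56.18", False),   # below 13.1-58.32 but no Gateway/AAA vserver
    ("ns-fips-04", "13.1-37.207", True), # FIPS branch, below 13.1-37.235
    ("ns-old-05", "13.0-92.21", True),   # release not covered by the article
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Tuple comparison on `(build, sub)` is what makes `14.1-47.46` rank above `14.1-43.56` and `13.1-37.207` below `13.1-37.235`; a plain string comparison would get both wrong. The `unknown` result is deliberate: a release the article does not list gets a human decision, not a silent pass.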

Security researcher Kevin Beaumont first raised alarms about the flaw’s severity, dubbing it CitrixBleed 2 due to its resemblance to the earlier CVE-2023-4966 vulnerability, which triggered widespread breaches. By late June, ReliaQuest reported exploitation attempts, followed by proof-of-concept exploits published by watchTowr and Horizon3 in early July. These developments provided threat actors with blueprints for weaponizing the vulnerability, leading to a surge in hacker forum discussions and shared exploit code.

CISA’s confirmation of active attacks suggests malicious actors have now refined these tools for real-world use. The agency’s directive requires immediate action: apply vendor-provided patches, restrict external access via firewalls if updates are delayed, or decommission vulnerable systems entirely. Administrators must also terminate all active ICA and PCoIP sessions—even after patching—using specific commands to purge potentially compromised connections.

Despite CISA’s warning, Citrix has not yet updated its June 27 advisory, which initially claimed no evidence of exploitation. The discrepancy underscores the escalating risk as attackers capitalize on publicly available exploit details. Organizations relying on NetScaler systems should treat this as a top-priority remediation effort to prevent credential theft and network infiltration.

For those unable to patch immediately, implementing strict access controls and monitoring for anomalous session activity can reduce exposure. However, given the vulnerability’s critical nature and active exploitation, delaying fixes poses significant operational and security risks.

(Source: Bleeping Computer)
