
3,000+ Unpatched NetScaler Devices Vulnerable to CitrixBleed 2

Summary

– Over 3,300 Citrix NetScaler devices remain unpatched against CVE-2025-5777, a critical authentication bypass vulnerability, nearly two months after patches were released.
– CVE-2025-5777 allows attackers to remotely access restricted memory regions, steal session tokens, and bypass multi-factor authentication (MFA) on vulnerable devices.
– Proof-of-concept exploits for CVE-2025-5777 emerged quickly, with zero-day exploitation detected before public disclosure.
– Another critical flaw, CVE-2025-6543, affects 4,142 unpatched Citrix NetScaler devices and has been exploited as a zero-day since May, targeting Dutch critical organizations.
– The U.S. CISA has mandated federal agencies to patch both vulnerabilities urgently, citing active exploitation risks.

Thousands of Citrix NetScaler systems remain exposed to critical security flaws months after patches became available, putting organizations at risk of session hijacking and data theft. Security researchers have identified over 3,300 vulnerable devices still running unpatched versions susceptible to CVE-2025-5777, nicknamed CitrixBleed 2.

This high-severity vulnerability stems from improper memory handling in NetScaler Gateway and AAA virtual server configurations. Attackers can exploit it remotely to bypass authentication controls, intercept session tokens, and compromise sensitive credentials, even when multi-factor authentication is in place. Active exploitation began before official patches were released, with proof-of-concept code circulating shortly after disclosure.

The threat mirrors a 2023 incident involving the original CitrixBleed flaw, which ransomware groups weaponized to infiltrate government networks. Now, Shadowserver Foundation reports 3,312 systems remain defenseless against ongoing attacks, while 4,142 others are vulnerable to CVE-2025-6543, a separate memory overflow bug already leveraged in zero-day assaults.

Dutch cybersecurity authorities confirmed advanced threat actors exploited CVE-2025-6543 to breach critical national entities, systematically covering their tracks. One confirmed victim, the Netherlands’ Public Prosecution Service, suffered severe operational disruptions, including email server outages lasting weeks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has mandated urgent action, requiring federal agencies to mitigate CitrixBleed 2 within 24 hours and address CVE-2025-6543 by July 21. Despite these directives, the persistence of unpatched systems highlights widespread delays in applying critical updates, a gap attackers continue to exploit.

Organizations using Citrix NetScaler should immediately verify their patch status, as threat actors actively scan for vulnerable devices. Delaying updates risks not only data breaches but also potential compliance violations under stricter global cybersecurity regulations.

(Source: BLEEPING COMPUTER)
