CISA confirms active exploitation of CitrixBleed 2 – gives Feds 1 day to patch.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has confirmed that the critical CitrixBleed 2 vulnerability (CVE-2025-5777) is under active exploitation. This flaw affects Citrix NetScaler ADC and Gateway devices, which are widely deployed by enterprises for secure application delivery and remote access.

Vulnerability Overview

CVE-2025-5777 is a critical memory disclosure vulnerability with a CVSS score of 9.3. It exists in Citrix NetScaler ADC and Gateway appliances configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw allows unauthenticated attackers to send specially crafted HTTP requests to the authentication endpoint, triggering an out-of-bounds memory read. This can result in the leakage of sensitive information, including session tokens, usernames, passwords, and configuration data.

Impact and Exploitation

The vulnerability is particularly dangerous because it is pre-authentication—attackers do not need valid credentials to exploit it. Once exploited, attackers can hijack user sessions, bypass multi-factor authentication (MFA), and gain unauthorized access to internal resources. These capabilities significantly increase the risk of data breaches, lateral movement within networks, and ransomware attacks.

CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive requiring federal agencies to patch affected systems within 24 hours. This urgent action underscores the severity of the threat. Security researchers have reported widespread scanning and exploitation attempts, with some activity linked to ransomware groups and other advanced threat actors.

Affected Versions

The following versions of Citrix NetScaler ADC and Gateway are vulnerable:

  • NetScaler ADC and Gateway before 14.1-43.56
  • NetScaler ADC and Gateway before 13.1-58.32
  • NetScaler ADC 13.1-FIPS/NDcPP before 13.1-37.235
  • NetScaler ADC 12.1-FIPS before 12.1-55.328
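
A fleet triage script for the version list above, added here as an example (not Citrix or CISA tooling): it parses builds in the advisory's MAJOR.MINOR-BUILD.SUB form, compares them as integer tuples, and keeps the FIPS/NDcPP branches separate from the standard ones because their fixed build numbers are lower. Hostnames and builds in the sample are constructed; the `show ns version` line shape is assumed from that command's first output line.

```python
"""Triage NetScaler ADC/Gateway builds against the CVE-2025-5777 fixed builds listed above."""
import re
from typing import Optional

# Minimum fixed build per (release branch, variant), from the advisory list above.
# A host whose branch/variant is not listed is reported as "not covered", never as safe.
FIXED_BUILDS = {
    ("14.1", "standard"): "14.1-43.56",
    ("13.1", "standard"): "13.1-58.32",
    ("13.1", "fips"): "13.1-37.235",  # covers the 13.1-FIPS and 13.1-NDcPP builds
    ("12.1", "fips"): "12.1-55.328",
}
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Assumed shape of the first line printed by `show ns version`, e.g. "NetScaler NS14.1: Build 43.50.nc".
_SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+\.\d+)")

def parse_build(version: str) -> tuple[int, ...]:
    """'14.1-43.56' -> (14, 1, 43, 56); integer tuples compare correctly, strings do not."""
    m = _BUILD_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return tuple(int(g) for g in m.groups())

def normalise_show_version(line: str) -> str:
    """Convert a `show ns version` line to the advisory's 'MAJOR.MINOR-BUILD.SUB' form."""
    m = _SHOW_VERSION_RE.search(line)
    if not m:
        raise ValueError(f"not a `show ns version` line: {line!r}")
    return f"{m.group(1)}-{m.group(2)}"

def is_vulnerable(version: str, variant: str = "standard") -> Optional[bool]:
    """True if the build predates the fixed build for its branch/variant, False if at or
    above it, None if the branch/variant is not on the list. The variant matters: the fixed
    FIPS build 13.1-37.235 is numerically below the standard fixed build 13.1-58.32."""
    build = parse_build(version)
    fixed = FIXED_BUILDS.get((f"{build[0]}.{build[1]}", variant))
    if fixed is None:
        return None
    return build < parse_build(fixed)

def triage(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Bucket (host, version, variant) rows into vulnerable / fixed / not_covered."""
    report: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "not_covered": []}
    for host, version, variant in inventory:
        state = is_vulnerable(version, variant)
        report["not_covered" if state is None else "vulnerable" if state else "fixed"].append(host)
    return report

if __name__ == "__main__":  # constructed sample inventory; hostnames and builds are illustrative
    print(triage([("ns-gw-1", "14.1-43.50", "standard"), ("ns-fips-1", "13.1-37.235", "fips")]))
```

A "not_covered" result means the branch has no fixed build on this page's list and needs a manual check against the vendor advisory, not that the host is safe.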

Mitigation Guidance

Citrix and CISA strongly urge all organizations to take immediate action:

  • Patch Immediately: Upgrade to the latest fixed versions as soon as possible.
  • Terminate Active Sessions: After patching, disconnect all active ICA and PCoIP sessions, as they may have been compromised prior to remediation. Use administrative commands such as kill icaconnection -all and kill pcoipconnection -all.
  • Review for Suspicious Activity: Examine session logs and authentication events for signs of unauthorized access or unusual behavior.
  • Restrict Access if Patching Is Not Feasible: As a temporary measure, limit external access to NetScaler devices using firewall rules or access control lists.
