Critical Security Alert: Over 3,000 NetScaler Devices Remain Vulnerable to CitrixBleed 2 Exploit

A significant cybersecurity crisis continues to unfold as over 3,000 Citrix NetScaler devices remain unpatched against a critical vulnerability known as CitrixBleed 2. This alarming situation has prompted urgent warnings from cybersecurity agencies and researchers worldwide, as attackers actively exploit the flaw to gain unauthorized access to corporate and government networks.

The Vulnerability Details

CitrixBleed 2, officially designated as CVE-2025-5777, is a critical-severity vulnerability affecting Citrix NetScaler ADC and Gateway devices. The flaw carries a CVSS score of 9.3 out of 10, indicating its severe potential for exploitation. This vulnerability represents an insufficient input validation issue that leads to memory overread when NetScaler devices are configured as Gateway or AAA virtual servers.

The vulnerability earned its name due to striking similarities to the original CitrixBleed (CVE-2023-4966) discovered in 2023. Like its predecessor, CitrixBleed 2 allows attackers to extract sensitive information from device memory, but this iteration targets session tokens rather than session cookies.

How the Attack Works

The exploitation mechanism is disturbingly simple yet effective. Attackers can trigger the vulnerability by sending malformed POST requests to the /p/u/doAuthentication.do endpoint without proper authentication. The attack involves modifying login parameters, specifically sending requests where the login parameter lacks an equal sign or value.

Each successful exploit attempt leaks approximately 127 bytes of uninitialized stack memory. By repeatedly sending these crafted requests, attackers can continuously extract memory contents—a process that researchers describe as “bleeding” sensitive information from the target device. The leaked data appears within <InitialValue></InitialValue> XML tags in the HTTP response, making it easily accessible to attackers.

Affected Systems and Versions

The vulnerability impacts multiple versions of Citrix NetScaler products:

  • NetScaler ADC and NetScaler Gateway 14.1 before version 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before version 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS before version 12.1-55.328-FIPS

Organizations using NetScaler devices as VPNs, proxies, or AAA virtual servers face particularly high risk, as these configurations can expose session tokens and other sensitive authentication data.

Government Response

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that hackers are actively exploiting CitrixBleed 2 in ongoing attack campaigns. In an unprecedented move, CISA gave federal government agencies just one day to patch their systems, highlighting the severity and urgency of the threat.

CISA’s alert emphasized that the NetScaler bug poses a “significant risk” to federal government systems, underlining the vulnerability’s potential for widespread damage.

Evidence of Exploitation

Multiple cybersecurity firms have documented evidence of active exploitation:

ReliaQuest reported observing indicators suggesting exploitation of the vulnerability to gain initial access to targeted environments. Their analysis revealed several concerning patterns:

  • Hijacked Citrix web sessions without user knowledge, indicating successful MFA bypass
  • Session reuse across multiple IP addresses, including suspicious locations
  • LDAP queries associated with Active Directory reconnaissance activities
  • Deployment of reconnaissance tools like “ADExplorer64.exe” across compromised environments

Security researcher Kevin Beaumont has disputed Citrix’s initial claims that the vulnerability wasn’t being exploited, presenting evidence of active exploitation dating back to mid-June 2025. Beaumont identified specific indicators of compromise in NetScaler logs, including repeated POST requests to authentication endpoints and suspicious user logoff entries.

Widespread Scanning Activity

Since public exploit details became available in early July 2025, security researchers have observed a dramatic increase in vulnerability scanner traffic. Akamai reported seeing a “drastic increase” in efforts to scan the internet for affected devices after exploit details were published.

This surge in scanning activity indicates that threat actors are actively searching for vulnerable NetScaler devices to exploit, making the over 3,000 unpatched devices prime targets for compromise.

Public Exploit Availability

The situation became significantly more dangerous when researchers from watchTowr and Horizon3 released proof-of-concept exploits for CitrixBleed 2. These public demonstrations confirmed that the vulnerability is easily exploitable and can successfully steal user session tokens.

The availability of working exploits has lowered the barrier to entry for cybercriminals, enabling less sophisticated attackers to exploit the vulnerability and potentially leading to a surge in exploitation attempts.

Session Hijacking and MFA Bypass

CitrixBleed 2’s most dangerous capability is its ability to bypass multi-factor authentication (MFA) by stealing session tokens directly from memory. This allows attackers to impersonate legitimate users without needing their credentials or access to their authentication devices.

The stolen session tokens can provide attackers with:

  • Unauthorized access to internal applications
  • VPN access to corporate networks
  • Entry into data center networks
  • Access to sensitive internal systems

Broader Network Compromise

Once attackers gain initial access through a compromised NetScaler device, they typically attempt to move laterally within the target network. The evidence gathered by ReliaQuest demonstrates this pattern, showing attackers conducting Active Directory reconnaissance and deploying tools designed to map network architecture and permissions.

Mitigation and Response

Immediate Actions Required

Organizations must take immediate action to protect their systems:

Patch Deployment: Install the fixed NetScaler versions immediately (the fixed builds are the ones listed in the affected-versions section above):

  • NetScaler ADC and Gateway 14.1-43.56 or later
  • NetScaler ADC and Gateway 13.1-58.32 or later
  • NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.235 or later
  • NetScaler ADC 12.1-FIPS 12.1-55.328 or later

Session Termination: After applying patches, organizations should terminate all active ICA and PCoIP sessions using these commands:

  • kill icaconnection -all
  • kill pcoipConnection -all

Detection and Monitoring

Organizations should examine their NetScaler logs for indicators of compromise:

  • Repeated POST requests to doAuthentication endpoints
  • Requests to doAuthentication.do with “Content-Length: 5”
  • User log entries showing “LOGOFF” events with usernames containing “#” symbols
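The three indicators above can be checked mechanically. The script below is an added example, not part of the original article or of any Citrix tooling: it runs the checks over constructed sample log lines whose layout ("<client_ip> <method> <path> <header>" for HTTP lines, "User <name> : LOGOFF" for AAA lines) is an assumption made for the example, so the regular expressions would need adapting to the real export format of a given NetScaler.

```python
import re
from collections import Counter

# Constructed sample lines (not real NetScaler output); the layout
# "<client_ip> <method> <path> <header>" is an assumption for this example.
HTTP_LOG = """\
203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
198.51.100.7 POST /p/u/doAuthentication.do Content-Length: 61
"""
# Constructed AAA-style lines; the "User <name> : LOGOFF" layout is also assumed.
AAA_LOG = """\
Jul 10 10:01:02 ns1 AAA : User alice : LOGOFF : Client_ip 198.51.100.7
Jul 10 10:03:44 ns1 AAA : User # : LOGOFF : Client_ip 203.0.113.10
Jul 10 10:04:00 ns1 AAA : User bob : LOGIN : Client_ip 198.51.100.8
"""

HTTP_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
LOGOFF_RE = re.compile(r"User (\S+) : LOGOFF")

def parse_http(text):
    """Split constructed HTTP lines into (ip, method, path, header) tuples."""
    return [m.groups() for m in map(HTTP_RE.match, text.splitlines()) if m]

def repeated_doauth_posts(records, threshold=3):
    """Client IPs that POST to a doAuthentication endpoint at least `threshold` times."""
    hits = Counter(ip for ip, method, path, _ in records
                   if method == "POST" and "doAuthentication" in path)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def content_length_5_posts(records):
    """POSTs to doAuthentication.do carrying the 'Content-Length: 5' indicator."""
    return [(ip, path) for ip, method, path, hdr in records
            if method == "POST" and path.endswith("doAuthentication.do")
            and re.search(r"Content-Length:\s*5$", hdr)]

def hash_username_logoffs(text):
    """LOGOFF events whose username contains a '#' character."""
    return [m.group(1) for m in map(LOGOFF_RE.search, text.splitlines())
            if m and "#" in m.group(1)]

def scan(http_text=HTTP_LOG, aaa_text=AAA_LOG):
    """Run all three checks and return the findings keyed by indicator."""
    recs = parse_http(http_text)
    return {"repeated_posts": repeated_doauth_posts(recs),
            "content_length_5": content_length_5_posts(recs),
            "hash_logoffs": hash_username_logoffs(aaa_text)}
```

Treat a hit on any one check as a trigger for the session-termination step above and for a closer review of that client's activity, since a single legitimate authentication failure can produce a stray short POST.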

The Urgent Need for Action

The combination of public exploit availability, confirmed active exploitation, and the large number of unpatched devices creates a perfect storm for widespread cybersecurity incidents. Only immediate, comprehensive patching efforts can prevent CitrixBleed 2 from becoming the next major cybersecurity catastrophe.
