Over 100 organizations have been compromised and thousands of systems remain vulnerable to CitrixBleed 2.

CitrixBleed 2 has led to successful cyberattacks on more than 100 organizations, but according to cybersecurity researchers and U.S. federal agencies, thousands of internet-facing NetScaler appliances are still unpatched and exposed to active exploitation.

A Widespread and Ongoing Threat

The vulnerability, which received a CVSS severity score of 9.3, was patched by Citrix in mid-June 2025. However, in the weeks since the advisory was released, attackers have moved quickly—actively exploiting unpatched devices across organizations in critical sectors including finance, healthcare, education, government, law, telecommunications, and technology.

According to cybersecurity firm Imperva, at least 12 million exploitation attempts have been detected since mid-June, underscoring the mass-scale and opportunistic nature of ongoing campaigns.

“This is not a speculative threat. We are seeing concrete, targeted breaches affecting major institutions globally,” said Sharon Goldberg, CEO of BastionZero. “The vulnerability allows attackers to completely bypass authentication—including multi-factor protections—and hijack active user sessions.”

Confirmed Organizational Breaches

Security sources have disclosed that more than 100 organizations have suffered confirmed breaches through CitrixBleed 2 exploitation. While many affected entities have opted not to disclose the specifics of their incidents, researchers at Akamai and The Shadowserver Foundation confirm that compromised entities include:

  • Financial institutions in North America and Western Europe, where attackers used hijacked admin sessions to access secure account management systems.
  • University networks in the U.S., Canada, and South Korea, including breaches of research computing clusters and managed student data systems.
  • Telecommunications companies in Asia-Pacific, which saw lateral movement attacks originating from exposed Citrix Gateway appliances.
  • Government agencies in Europe and Latin America that were targeted via MSP-managed Citrix systems used for remote secure access.
  • Legal and consulting firms, where attackers were able to leverage compromised sessions to exfiltrate sensitive client documents.

In one reported instance, a U.S.-based multinational consulting firm discovered evidence that attackers accessed internal NetScaler-hosted employee directories using leaked session tokens. Another two European banks found their secure remote access portals used as an entry point for credential harvesting and lateral movement.

Exploitation Details

CitrixBleed 2 stems from a pre-authentication vulnerability that, when successfully exploited, enables remote attackers to extract memory contents—without even needing credentials—through a specially crafted XML payload. Often, this leaked memory contains valid session tokens that can be used by attackers to impersonate legitimate users, effectively bypassing authentication measures such as MFA.

“Many organizations failed to realize that patching alone is not enough,” warns cybersecurity firm Picus Security. “Once a session token is captured pre-patch, and no action is taken to invalidate it, attackers can silently walk through the front door—even after a patch is applied.”

Furthermore, the use of fake or emulated Citrix NetScaler infrastructure by security researchers revealed that attackers were deliberately targeting Citrix appliances early in the attack campaigns—suggesting a level of reconnaissance and planning beyond simple vulnerability scans.

Federal and Industry Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-5777 to its Known Exploited Vulnerabilities Catalog, signaling the pressing nature of the threat and requiring all federal agencies to mitigate the flaw immediately.

In a public alert, CISA called the vulnerability an “unacceptable risk to federal networks and the broader digital ecosystem,” citing the rapid exploitation window and ease of attack.

Cybersecurity firms including Akamai, Greynoise, and Imperva have been actively monitoring exploitation activity, urging organizations to not only patch but also take post-patching remediation measures such as:

  • Invalidating all active sessions on affected NetScaler appliances,
  • Forcing reauthentication for all users,
  • Clearing session cookies from end-user browsers,
  • Reviewing logs for suspicious session activity,
  • Monitoring for indicators of compromise across internal systems.
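One way to carry out the log-review step in the list above, as an added example that is not from the article or from any vendor tooling. The log line format and the sample records are constructed for illustration (they do not mirror NetScaler's real syslog layout), and the patch timestamp is an assumed value; the script flags a session ID reused from more than one client IP (a replayed token) and a session still active after patching that was never re-established with a fresh login.

```python
import re
from collections import defaultdict

# Constructed sample access records in a simplified, hypothetical line format
# (not NetScaler's real syslog layout): timestamp, session id, client IP, user, action.
SAMPLE_LOGS = """\
2025-07-01T09:00:12Z sid=a1f3 src=203.0.113.10 user=alice action=login
2025-07-01T09:05:44Z sid=a1f3 src=203.0.113.10 user=alice action=app_launch
2025-07-01T09:07:03Z sid=a1f3 src=198.51.100.77 user=alice action=app_launch
2025-07-01T09:10:30Z sid=b7c2 src=192.0.2.55 user=bob action=login
2025-07-01T09:12:01Z sid=b7c2 src=192.0.2.55 user=bob action=app_launch
2025-07-01T09:15:15Z sid=c9d4 src=198.51.100.77 user=carol action=app_launch
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\w+) src=(?P<src>[\d.]+) "
    r"user=(?P<user>\w+) action=(?P<action>\w+)$"
)

def parse_records(text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def find_suspicious_sessions(text, patch_time):
    """Return {session_id: [reasons]} for sessions matching either indicator:
    - the same session id used from more than one client IP (a replayed token), or
    - activity after patch_time with no login at/after patch_time (a session that
      survived the patch instead of being invalidated and re-authenticated).
    Timestamps are ISO-8601 UTC strings of equal length, so string comparison orders them.
    """
    by_sid = defaultdict(list)
    for rec in parse_records(text):
        by_sid[rec["sid"]].append(rec)
    findings = defaultdict(list)
    for sid, recs in by_sid.items():
        ips = {r["src"] for r in recs}
        if len(ips) > 1:
            findings[sid].append(f"session used from {len(ips)} client IPs: {sorted(ips)}")
        post_patch = [r for r in recs if r["ts"] >= patch_time]
        if post_patch and not any(r["action"] == "login" for r in post_patch):
            findings[sid].append("active after patch without a fresh login")
    return dict(findings)

if __name__ == "__main__":
    # Assumed patch time for the sample: 09:08 UTC on the day of the records.
    for sid, reasons in find_suspicious_sessions(SAMPLE_LOGS, "2025-07-01T09:08:00Z").items():
        print(sid, "->", "; ".join(reasons))
```

Against real appliance logs the regex and the action names would need to be adapted to the exported format; the two indicators themselves carry over unchanged.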

Remaining Exposure

As of mid-July 2025, more than 4,700 vulnerable NetScaler instances remain exposed online. Many of these are associated with smaller organizations and regional service providers that may lack the resources or awareness to respond quickly to security incidents.

Shodan and Shadowserver scans reveal the highest concentrations of vulnerable systems in the United States, Germany, South Korea, and Brazil, though active exploitation campaigns have emanated from IPs in China, Russia, and even North America.

Researchers emphasize that this second wave of CitrixBleed exploitation could escalate unless organizations act decisively.

Final Warnings

Much like its 2023 predecessor, the original CitrixBleed (CVE-2023-4966), CitrixBleed 2 is showing signs of becoming one of the most aggressively exploited vulnerabilities of the year.

“If organizations haven’t patched and purged sessions by now,” says one security analyst familiar with the attacks, “it may already be too late.”
