Article Details

Original Article Text


Citrix Bleed 2 flaw now believed to be exploited in attacks

A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely being exploited in attacks, according to cybersecurity firm ReliaQuest, which has seen an increase in suspicious sessions on Citrix devices.

Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont because of its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to read portions of memory that should normally be inaccessible. This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).

Citrix's advisory also confirms this risk, warning users to end all ICA and PCoIP sessions after installing the security updates to block access to any hijacked sessions.

The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation at the time. However, Beaumont warned earlier this week about the high likelihood of exploitation. The researcher's concerns now appear justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks.

"While no public exploitation of CVE-2025-5777, dubbed 'Citrix Bleed 2,' has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ReliaQuest.

This conclusion is based on the following observations from actual attacks seen recently:

The above is consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is being exploited in the wild.
To protect against this activity, potentially impacted users should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.

After installing the latest firmware, admins should terminate all active ICA and PCoIP sessions, as they may have already been hijacked. Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection command and NetScaler Gateway > PCoIP > Connections. After reviewing the active sessions, admins can then terminate them using these commands:

If the immediate installation of security updates is impossible, it is recommended that external access to NetScaler be limited via network ACLs or firewall rules.

BleepingComputer contacted Citrix multiple times about the exploitation status of CVE-2025-5777 but has not received any replies.
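As an added example (not from the article, Citrix or ReliaQuest), the check below classifies a NetScaler version string against the fixed builds the article lists, so an appliance inventory can be triaged into "patched" and "upgrade, then terminate ICA/PCoIP sessions". The "NetScaler NS14.1: Build 43.56.nc" input format, the fips flag for 13.1-FIPS/NDcPP appliances, and the sample version strings are assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Minimum fixed builds per branch, as given in the article. The 13.1 branch
# has two lines with different build numbering, so the key includes a FIPS flag.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS/NDcPP
}

# Accepts the compact "14.1-43.56" form used in the article and the assumed
# "NetScaler NS14.1: Build 43.56.nc, Date: ..." form of a show version line.
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)")


class VersionCheck(NamedTuple):
    branch: str
    build: Tuple[int, int]
    patched: bool
    reason: str


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (major_build, minor_build)) or None if unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def check_cve_2025_5777(text: str, fips: bool = False) -> VersionCheck:
    """Decide whether a version string is at or above the fixed build.

    Anything that cannot be matched to a listed fixed build is reported as
    not patched, so unknown branches are triaged rather than silently skipped.
    """
    parsed = parse_version(text)
    if parsed is None:
        return VersionCheck("?", (0, 0), False, "unrecognised version string")
    branch, build = parsed
    minimum = FIXED_BUILDS.get((branch, fips))
    if minimum is None:
        flavour = " FIPS/NDcPP" if fips else ""
        return VersionCheck(branch, build, False,
                            f"no fixed build listed for {branch}{flavour}")
    # Tuple comparison orders (43, 56) < (43, 57) < (44, 0) as intended.
    if build >= minimum:
        return VersionCheck(branch, build, True,
                            f"build {build[0]}.{build[1]} >= {minimum[0]}.{minimum[1]}")
    return VersionCheck(branch, build, False,
                        f"build {build[0]}.{build[1]} < {minimum[0]}.{minimum[1]}; "
                        "upgrade, then terminate ICA/PCoIP sessions")
```

Pass fips=True only for appliances known to run the 13.1-FIPS/NDcPP line; a FIPS build such as 37.235 compared against the non-FIPS 58.32 threshold would otherwise be misreported as unpatched.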

Daily Brief Summary

MALWARE // Critical Citrix Vulnerability Exploited in Recent Cyberattacks

A new vulnerability in Citrix NetScaler ADC and Gateway systems, known as "Citrix Bleed 2" (CVE-2025-5777), is likely being exploited.

Cybersecurity firm ReliaQuest observed an increase in suspicious activity hinting at targeted attacks exploiting this flaw.

Citrix Bleed 2 enables unauthorized access to sensitive data such as session tokens and credentials, potentially allowing attackers to hijack user sessions and sidestep multi-factor authentication.

Although Citrix released patches for the vulnerability on June 17, 2025, ReliaQuest assesses with medium confidence that the vulnerability has been exploited in the wild prior to widespread patching.

Citrix advised users to terminate all ICA and PCoIP sessions after applying updates to prevent access to possibly compromised sessions.

Users unable to immediately install the security patches are recommended to limit external access to affected NetScaler devices through network ACLs or firewalls.

Critical response actions include reviewing suspicious activity in active sessions and using specific commands to terminate these sessions securely.