A newly disclosed vulnerability, CVE-2025-5777, now dubbed Citrix Bleed 2, is raising serious security alarms. ReliaQuest assesses with medium confidence that attackers are already exploiting it in the wild to hijack user sessions and bypass multi-factor authentication (MFA), putting enterprise environments at risk of covert access and data theft.
“While no public exploitation of CVE-2025-5777, dubbed ‘Citrix Bleed 2,’ has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments,” the report warns.
Citrix Bleed 2 stems from an out-of-bounds memory read (insufficient input validation leading to a memory overread) in NetScaler ADC and NetScaler Gateway and carries a CVSS v4.0 score of 9.3. It is only reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Much like its predecessor, CVE-2023-4966, the flaw lets an unauthenticated attacker read session tokens out of appliance memory and replay them to bypass MFA and take over active user sessions without the victim's knowledge.
The risk is even more insidious this time. Where the original Citrix Bleed leaked browser session cookies, Citrix Bleed 2 leaks session tokens, which are presented not just by browsers but by API calls and persistent services, giving an attacker longer-lived and more versatile access. In both cases the stolen value is a bearer credential: whoever holds it is the user, and patching the appliance does not revoke what has already been copied out of memory.
In parallel, Citrix disclosed CVE-2025-6543, a memory overflow in NetScaler ADC and Gateway (CVSS v4.0 9.2) that leads to unintended control flow and denial of service, and which Citrix says has been exploited against unmitigated appliances. Together, these vulnerabilities give threat actors both a crashing vector and a stealthy access vector, a potent combination for sophisticated attacks.
While public PoCs have not surfaced yet, ReliaQuest has documented several indicators it attributes to exploitation of CVE-2025-5777:
- Citrix web sessions hijacked directly on NetScaler devices, with authentication granted without any action by the user.
- The same session presented from multiple IP addresses, mixing the legitimate user's source with suspicious ones.
- Active Directory reconnaissance, with LDAP queries and use of tools such as ADExplorer64.exe on multiple systems.
- VPN infrastructure abuse, including sessions originating from IP ranges associated with consumer VPN services (DataCamp, for example).
The original Citrix Bleed caused widespread damage in 2023; ransomware gangs and APT groups used it to infiltrate enterprise networks and deploy their payloads.
Its successor is already showing similar potential, with the added concern that stolen tokens are harder to spot and to invalidate than cookies.
Citrix urges all customers to upgrade to patched versions immediately (NetScaler ADC and Gateway 12.1 and 13.0 are end of life and receive no fix; appliances on those releases must be migrated to a supported version):
- NetScaler ADC and Gateway 14.1-43.56 or later
- NetScaler ADC and Gateway 13.1-58.32 or later
- NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.235 or later
Because upgrading does not invalidate tokens an attacker has already captured, Citrix also recommends terminating all active ICA and PCoIP connections on the appliance once the upgrade is complete, so that every existing session must re-authenticate.
Additionally, organizations should:
- Restrict access to vulnerable appliances via ACLs/firewalls until they are patched.
- Monitor for session reuse across source IPs, abnormal HTTP requests, and unusual logins.
- Watch for HTTP GET requests to the OpenID configuration endpoint with abnormally long Host headers, the pattern used in the 2023 Citrix Bleed exploits. This is a historical indicator; the new flaw may be triggered differently, so absence of this pattern does not mean absence of exploitation.
“Citrix Bleed exploitation involved an HTTP GET request to the endpoint ‘/oauth/idp/.well-known/openid-configuration’… with the Host header containing 24,812 characters.”
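The two network-side indicators above (the oversized Host header on the OpenID endpoint, and one session presented from several client IPs) can be hunted for in whatever HTTP logs the appliance, or the proxy/WAF in front of it, produces. The following script is an added example and is not part of the article or of any Citrix or ReliaQuest tooling; its JSON-lines log format, field names (`src_ip`, `path`, `host_len`, `session`) and thresholds are assumptions made for the example, and the log lines are constructed, not real traffic.

```python
"""Hunt for two Citrix Bleed indicators in HTTP logs:
(1) GET /oauth/idp/.well-known/openid-configuration with an oversized Host header;
(2) the same session token used from more than one client IP inside a time window;
then correlate the two, so a hijacked session is tied back to the IP that probed.
Log format, field names and thresholds are assumptions made for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
# A legitimate Host header is a hostname, a few hundred bytes at most. The 24,812-byte
# value quoted in the article is the 2023 exploit; the threshold sits far below it so
# that smaller variants of the same trick are caught as well.
HOST_LEN_THRESHOLD = 1024
# Two different client IPs presenting one session inside this window count as reuse.
REUSE_WINDOW = timedelta(hours=1)

# Constructed sample log (not real traffic). 198.51.100.77 sends the exploit pattern and
# three minutes later appears on a session that 203.0.113.10 legitimately established.
# Session d4e5f6 moves between IPs, but 2.5 h apart, outside the window.
SAMPLE_LOG = """\
{"ts":"2025-06-25T09:00:01Z","src_ip":"203.0.113.10","method":"GET","path":"/vpn/index.html","host_len":21,"session":"a1b2c3"}
{"ts":"2025-06-25T09:00:05Z","src_ip":"198.51.100.77","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":24812,"session":""}
{"ts":"2025-06-25T09:00:06Z","src_ip":"198.51.100.77","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":24812,"session":""}
{"ts":"2025-06-25T09:02:30Z","src_ip":"203.0.113.10","method":"GET","path":"/logon/LogonPoint/index.html","host_len":21,"session":"a1b2c3"}
{"ts":"2025-06-25T09:03:12Z","src_ip":"198.51.100.77","method":"GET","path":"/logon/LogonPoint/index.html","host_len":21,"session":"a1b2c3"}
{"ts":"2025-06-25T09:10:00Z","src_ip":"192.0.2.55","method":"GET","path":"/oauth/idp/.well-known/openid-configuration","host_len":21,"session":""}
{"ts":"2025-06-26T08:30:00Z","src_ip":"203.0.113.10","method":"GET","path":"/vpn/index.html","host_len":21,"session":"d4e5f6"}
{"ts":"2025-06-26T11:00:00Z","src_ip":"192.0.2.55","method":"GET","path":"/vpn/index.html","host_len":21,"session":"d4e5f6"}
"""


def parse_log(text):
    """Parse JSON-lines log text into dicts with a datetime in the ts field."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_long_host_headers(records, threshold=HOST_LEN_THRESHOLD):
    """Return sorted (src_ip, max_host_len, request_count) for GETs to the OpenID
    endpoint whose Host header exceeds the threshold."""
    hits = defaultdict(lambda: [0, 0])  # src_ip -> [largest host_len seen, count]
    for r in records:
        if r["method"] == "GET" and r["path"] == OPENID_PATH and r["host_len"] > threshold:
            entry = hits[r["src_ip"]]
            entry[0] = max(entry[0], r["host_len"])
            entry[1] += 1
    return sorted((ip, v[0], v[1]) for ip, v in hits.items())


def find_session_reuse(records, window=REUSE_WINDOW):
    """Return {session: sorted IPs} for every session presented from more than one
    client IP within `window`. Requests with no session value are ignored."""
    by_session = defaultdict(list)
    for r in records:
        if r["session"]:
            by_session[r["session"]].append((r["ts"], r["src_ip"]))
    reused = {}
    for sess, events in by_session.items():
        events.sort()  # chronological, so the inner loop can stop at the window edge
        ips = set()
        for i, (ts, ip) in enumerate(events):
            for ts2, ip2 in events[i + 1:]:
                if ts2 - ts > window:
                    break
                if ip2 != ip:
                    ips.update((ip, ip2))
        if ips:
            reused[sess] = sorted(ips)
    return reused


def correlate(records):
    """Sessions that were reused from an IP which also sent the oversized-Host probe:
    the strongest signal that the session was taken over, not merely roaming."""
    probe_ips = {ip for ip, _, _ in find_long_host_headers(records)}
    return {sess: [ip for ip in ips if ip in probe_ips]
            for sess, ips in find_session_reuse(records).items()
            if probe_ips.intersection(ips)}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("oversized Host header probes:", find_long_host_headers(recs))
    print("sessions seen from multiple IPs:", find_session_reuse(recs))
    print("reused sessions tied to a probing IP:", correlate(recs))
```

On the sample data the probe from 198.51.100.77 is reported twice with a 24,812-byte Host header, session `a1b2c3` is flagged as used by both 203.0.113.10 and 198.51.100.77 within three minutes, and `correlate` ties the two together; `d4e5f6` is not flagged because its two IPs are hours apart. Tune `REUSE_WINDOW` to your users' roaming behaviour, and treat the long-header rule as one signal among several, since it reflects the 2023 exploit rather than a guaranteed signature of CVE-2025-5777.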