The recently patched Citrix NetScaler vulnerability tracked as CitrixBleed 2 and CVE-2025-5777 may be exploited in the wild, based on evidence uncovered by cybersecurity firm ReliaQuest.
Citrix informed customers about CVE-2025-5777 in an advisory published on June 17, saying that this critical vulnerability affecting NetScaler ADC and NetScaler Gateway could lead, in certain cases, to a memory overread.
The advisory initially said the vulnerability impacted the NetScaler management interface, but references to the management interface were removed shortly after and Citrix clarified that NetScaler instances are vulnerable when configured as a gateway for remote access or an AAA virtual server.
As security researcher Kevin Beaumont explained in a blog post, this apparently minor change made the vulnerability more serious as the management interface should typically not be exposed to the internet, but NetScaler is often configured for remote access in major organizations.
Beaumont warned that over 50,000 potentially vulnerable instances are exposed to the internet (based on a Shodan search).
CVE-2025-5777 can allow a remote, unauthenticated attacker to read memory from affected NetScaler instances, including sensitive information such as session tokens, which can be leveraged to hijack sessions and bypass multi-factor authentication (MFA).
The vulnerability is reminiscent of the NetScaler vulnerability tracked as CVE-2023-4966 and referred to as CitrixBleed, which was widely exploited in 2023 by ransomware groups and other threat actors.
Due to similarities with CitrixBleed, Beaumont decided that CVE-2025-5777 should be named CitrixBleed 2.
Citrix told customers when it published its advisory that it had not been aware of in-the-wild exploitation, but Beaumont and others warned that attacks involving CVE-2025-5777 were highly likely.
ReliaQuest said on Thursday that it has seen some evidence suggesting that CitrixBleed 2 has been exploited in the wild.
“ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments,” the company said.
The evidence seen by ReliaQuest includes hijacked Citrix sessions from NetScaler devices and authentication granted without the user’s knowledge (possible MFA bypass), session reuse across multiple IPs (both suspicious and expected IPs), activity typically associated with AD reconnaissance, and sessions originating from data center IPs (VPN services).
“Citrix Bleed 2 mirrors the original in its ability to bypass authentication and facilitate session hijacking, but it introduces new risks by targeting session tokens instead of session cookies. Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions,” ReliaQuest explained.
“This means that attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session,” it added.
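Two of the indicators ReliaQuest lists above, a single session observed from more than one source IP and sessions originating from data-center or VPN address space, can be checked mechanically over authentication logs. The script below is an added example and not ReliaQuest's or Citrix's own tooling; the record layout (timestamp, session id, user, source IP), the sample events and the "data-center" range are all constructed for illustration, so a real deployment would feed it NetScaler's own log fields and an organization's own list of expected and hosting-provider ranges.

```python
"""
Session-anomaly checks for two of the indicators described in the article:
  1. one session id seen from several source IPs within a short window
  2. sessions whose source IP falls in data-center / VPN address space

Added example. The record format, sample events and address ranges are
constructed for illustration; they are not NetScaler's log format.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records: (ISO timestamp, session id, user, source IP).
# sess-A1 is a constructed case of the same session token appearing from
# a second IP a few minutes after the first.
SAMPLE_EVENTS = [
    ("2025-06-26T08:00:00", "sess-A1", "alice", "203.0.113.10"),
    ("2025-06-26T08:05:00", "sess-A1", "alice", "203.0.113.10"),
    ("2025-06-26T08:07:00", "sess-A1", "alice", "198.51.100.77"),
    ("2025-06-26T09:00:00", "sess-B2", "bob",   "192.0.2.25"),
    ("2025-06-26T09:30:00", "sess-C3", "carol", "198.51.100.5"),
]

# Constructed range standing in for hosting-provider / VPN egress space.
# In practice this list would come from the organization's own threat intel.
DATACENTER_RANGES = [ip_network("198.51.100.0/24")]


def parse_events(events):
    """Turn the raw tuples into typed values so timestamps and IPs compare correctly."""
    return [
        (datetime.fromisoformat(ts), sid, user, ip_address(ip))
        for ts, sid, user, ip in events
    ]


def sessions_with_multiple_ips(events, window_minutes=60):
    """Return {session_id: sorted IPs} for sessions seen from more than one
    source IP within window_minutes of the session's first observation.
    Both expected and unexpected IPs are reported; the analyst then compares
    them against known user egress, as the article's evidence list implies."""
    first_seen = {}
    ips = defaultdict(set)
    for ts, sid, _user, ip in sorted(events, key=lambda e: e[0]):
        start = first_seen.setdefault(sid, ts)
        if (ts - start).total_seconds() <= window_minutes * 60:
            ips[sid].add(ip)
    return {sid: sorted(str(i) for i in seen) for sid, seen in ips.items() if len(seen) > 1}


def sessions_from_datacenter(events, ranges=DATACENTER_RANGES):
    """Return the sorted session ids that were ever seen from a listed range."""
    return sorted({sid for _ts, sid, _user, ip in events if any(ip in net for net in ranges)})


def triage(events):
    """Run both checks over raw records and return the findings together."""
    parsed = parse_events(events)
    return {
        "multi_ip": sessions_with_multiple_ips(parsed),
        "datacenter": sessions_from_datacenter(parsed),
    }


if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVENTS).items():
        print(f"{check}: {hits}")
```

On the constructed input the multi-IP check flags only sess-A1, and the data-center check flags sess-A1 and sess-C3; sess-B2 trips neither. A session that appears in both lists is the strongest candidate for the hijack pattern described above and is the one to correlate with directory-reconnaissance activity from the same session.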
Following the security firm’s report, Beaumont said he could not confirm active exploitation of CitrixBleed 2 and pointed out that Citrix has not shared any indicators of compromise (IoCs). However, the researcher believes — based on the evidence seen by ReliaQuest — that if the vulnerability is indeed being exploited, the attacks are “probably” conducted by a ransomware group.
If confirmed, CVE-2025-5777 would be the second Citrix NetScaler flaw whose exploitation has come to light this week. Citrix on Wednesday urged customers to patch CVE-2025-6543, a security hole that can lead to unintended control flow and DoS attacks, after seeing in-the-wild exploitation.
