Security researchers have released technical information and exploit code targeting a recently patched critical vulnerability in Citrix NetScaler.
Citrix released patches for the bug, tracked as CVE-2025-5777 (CVSS score of 9.3), on June 17, warning that insufficient input validation could lead to out-of-bounds memory reads.
The flaw impacts NetScaler ADC and NetScaler Gateway iterations configured as a gateway or AAA virtual server and was addressed in NetScaler ADC versions 14.1-43.56, 13.1-58.32, 13.1-FIPS, 13.1-NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328, and NetScaler Gateway versions 14.1-43.56 and 13.1-58.32.
Roughly a week later, security firm ReliaQuest warned it was seeing evidence that the security defect was actively exploited in the wild.
Warning that more than 50,000 NetScaler instances could be impacted, security researcher Kevin Beaumont named the issue CitrixBleed 2, comparing it to CVE-2023-4966 (dubbed CitrixBleed), which was widely exploited two years ago.
Citrix disputed the claims in late June, saying it had no evidence that CVE-2025-5777 was related to CitrixBleed or that it has been exploited in attacks, but urged customers to update their instances as soon as possible.
On Friday, cybersecurity firm watchTowr published its analysis of CitrixBleed 2, explaining how it can be exploited to leak memory using HTTP requests. The writeup includes code for identifying vulnerable hosts.
On Monday, Horizon3.ai released their own technical information on the bug, demonstrating how their exploit can be used to retrieve user session tokens.
Both security firms pointed out that the issue impacts NetScaler’s authentication endpoint and that it can be triggered using incorrect login requests. Because the appliance responds with portions of the memory content, sending repeated requests results in additional memory contents being disclosed.
NetScaler users are advised to update to the latest version as soon as possible, especially since it contains patches not only for CitrixBleed 2, but also for CVE 2025-6543 (CVSS score of 9.2), a critical flaw exploited as a zero-day.
As of July 7, roughly 1,000 NetScaler instances remain unpatched against CVE-2025-5777, and more than 2,200 against the zero-day, data from The Shadowserver Foundation shows.
Related: Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities
Related: Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances
Related: Chinese Spies Exploit Ivanti Vulnerabilities Against Critical Sectors
