Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Exploits, Technical Details Released for CitrixBleed2 Vulnerability

Researchers released technical information and exploit code targeting a critical vulnerability (CVE-2025-5777) in Citrix NetScaler.

Citrix vulnerabilities exploited

Security researchers have released technical information and exploit code targeting a recently patched critical vulnerability in Citrix NetScaler.

Citrix released patches for the bug, tracked as CVE-2025-5777 (CVSS score of 9.3), on June 17, warning that insufficient input validation could lead to out-of-bounds memory reads.

The flaw impacts NetScaler ADC and NetScaler Gateway iterations configured as a gateway or AAA virtual server and was addressed in NetScaler ADC versions 14.1-43.56, 13.1-58.32, 13.1-FIPS, 13.1-NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328, and NetScaler Gateway versions 14.1-43.56 and 13.1-58.32.

Roughly a week later, security firm ReliaQuest warned it was seeing evidence that the security defect was actively exploited in the wild.

Warning that more than 50,000 NetScaler instances could be impacted, security researcher Kevin Beaumont named the issue CitrixBleed 2, comparing it to CVE-2023-4966 (dubbed CitrixBleed), which was widely exploited two years ago.

Citrix disputed the claims in late June, saying it had no evidence that CVE-2025-5777 was related to CitrixBleed or that it has been exploited in attacks, but urged customers to update their instances as soon as possible.

Advertisement. Scroll to continue reading.

On Friday, cybersecurity firm watchTowr published its analysis of CitrixBleed 2, explaining how it can be exploited to leak memory using HTTP requests. The writeup includes code for identifying vulnerable hosts.

On Monday, Horizon3.ai released their own technical information on the bug, demonstrating how their exploit can be used to retrieve user session tokens.

Both security firms pointed out that the issue impacts NetScaler’s authentication endpoint and that it can be triggered using incorrect login requests. Because the appliance responds with portions of the memory content, sending repeated requests results in additional memory contents being disclosed.

NetScaler users are advised to update to the latest version as soon as possible, especially since it contains patches not only for CitrixBleed 2, but also for CVE 2025-6543 (CVSS score of 9.2), a critical flaw exploited as a zero-day.

As of July 7, roughly 1,000 NetScaler instances remain unpatched against CVE-2025-5777, and more than 2,200 against the zero-day, data from The Shadowserver Foundation shows.

Related: Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities

Related: Citrix Warns of Password Spraying Attacks Targeting NetScaler Appliances

Related: Chinese Spies Exploit Ivanti Vulnerabilities Against Critical Sectors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

BlueVoyant has appointed Ravi Subramanian as CFO and Jamie Coleman as CCO.

Solana Foundation has appointed Michael Coates as Chief Information Security Officer.

Michael Sikorski has joined Coinbase as Chief Information Security Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.