A critical vulnerability known as CitrixBleed 2 (CVE-2025-5777) has been identified in Citrix NetScaler ADC and Gateway devices, posing a significant risk to enterprise security by permitting unauthorized access through session hijacking. The flaw, classified as an out-of-bounds read, allows attackers to extract session tokens from the memory of affected devices. Once obtained, these tokens allow multifactor authentication (MFA) to be bypassed, enabling the hijacking of user sessions. The vulnerability has been assigned a critical CVSS score of 9.3, underscoring its severity. Experts observe that the flaw mirrors the original Citrix Bleed vulnerability found in 2023 (CVE-2023-4966) and poses similar systemic threats. There are also indications that initial access tied to Citrix NetScaler vulnerabilities has been observed in real-world exploitation.
Security researchers stress that attackers have actively exploited CitrixBleed 2 in real-world attacks, notably leveraging credentials to gain unauthorized access to sensitive resources. Following initial exploitation, attackers have been observed hijacking Citrix web sessions with little effort, so that seemingly legitimate authentication occurs without the user's consent.
Further investigation reveals that, after acquiring a session, adversaries run tools for reconnaissance and mapping of the internal network. They conduct LDAP queries and use Active Directory exploration tools, such as ADExplorer64.exe, to identify valuable targets. In some cases these operations lay the groundwork for lateral movement and privilege escalation.
Notably, numerous connection attempts directed at domain controllers from compromised environments signal extensive reconnaissance, originating from both legitimate and suspicious IP addresses.
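The two post-exploitation signals described above, a session being used from a client that never authenticated it and a burst of connection attempts against domain controllers, can both be spotted in ordinary logs. The following is an added illustration and not code from the article or from Citrix; the key=value log layout, the domain controller inventory and the sample records are all constructed for the example, and real NetScaler or firewall logs would need their own parser.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real device). Each line is a timestamp followed by
# key=value fields; this layout is an assumption made for the example.
SESSION_LOG = """\
2025-07-01T09:58:10Z type=auth user=alice sid=s-1001 src=203.0.113.10
2025-07-01T10:02:44Z type=use  user=alice sid=s-1001 src=203.0.113.10
2025-07-01T10:05:12Z type=use  user=alice sid=s-1001 src=198.51.100.77
2025-07-01T10:06:00Z type=auth user=bob   sid=s-1002 src=203.0.113.22
2025-07-01T10:09:30Z type=use  user=bob   sid=s-1002 src=203.0.113.22
"""

CONNECTION_LOG = """\
2025-07-01T10:10:01Z src=10.20.0.15 dst=10.0.0.5 dport=389
2025-07-01T10:10:02Z src=10.20.0.15 dst=10.0.0.5 dport=636
2025-07-01T10:10:02Z src=10.20.0.15 dst=10.0.0.6 dport=389
2025-07-01T10:10:03Z src=10.20.0.15 dst=10.0.0.6 dport=88
2025-07-01T10:10:05Z src=10.20.0.15 dst=10.0.0.5 dport=445
2025-07-01T10:11:00Z src=10.20.0.40 dst=10.0.0.5 dport=389
2025-07-01T10:12:00Z src=10.20.0.41 dst=10.0.0.5 dport=445
"""

DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}  # assumed inventory of DC addresses
DC_PORTS = {88, 389, 636, 445}                 # Kerberos, LDAP, LDAPS, SMB


def parse(log):
    """Turn the key=value lines into a list of dicts, keeping the timestamp under 'ts'."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(None, 1)
        rec = dict(re.findall(r"(\w+)=(\S+)", rest))
        rec["ts"] = ts
        records.append(rec)
    return records


def hijacked_sessions(records):
    """Return (sid, user, src) for every session use from a client that never
    authenticated that session. A stolen token is replayed without a fresh login,
    so the replaying client has no 'auth' event for the session it presents."""
    authenticated = defaultdict(set)
    for r in records:
        if r["type"] == "auth":
            authenticated[r["sid"]].add(r["src"])
    findings = []
    for r in records:
        if r["type"] == "use" and r["src"] not in authenticated.get(r["sid"], set()):
            findings.append((r["sid"], r["user"], r["src"]))
    return findings


def noisy_dc_scanners(records, threshold=4):
    """Return source addresses that made at least `threshold` connection attempts
    to domain controller services, the pattern seen during AD reconnaissance."""
    counts = defaultdict(int)
    for r in records:
        if r["dst"] in DOMAIN_CONTROLLERS and int(r["dport"]) in DC_PORTS:
            counts[r["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("suspected hijacked sessions:", hijacked_sessions(parse(SESSION_LOG)))
    print("hosts sweeping domain controllers:", noisy_dc_scanners(parse(CONNECTION_LOG)))
```

In the constructed data, alice's session s-1001 is used from 198.51.100.77 although only 203.0.113.10 ever authenticated it, and 10.20.0.15 touches both domain controllers on four different services in a few seconds; the two single-connection hosts stay below the threshold. The threshold and the inventory are tuning knobs that belong in the detection's configuration rather than in code.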
Citrix has confirmed that the vulnerability affects specific NetScaler ADC and Gateway versions, namely builds preceding 14.1-43.56 and 13.1-58.32. Citrix quickly released patches and strongly recommends that organizations upgrade to the fixed versions.
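Because the fixed build differs per release branch, a plain string comparison of version numbers is not enough: "13.1-58.32" is fixed while "14.1-43.55" is not, even though 43 is smaller than 58. The checker below is an added example, not code from the article or from Citrix. It uses only the two thresholds named above, so branches the article does not mention (such as 13.0 or FIPS builds) are reported as undetermined rather than guessed; the "NS14.1: Build 43.56.nc" layout it accepts for `show ns version` output is an assumption about that command's format.

```python
import re

# Fixed builds named in the article: on each branch, builds earlier than this are affected.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}


def parse_version(version):
    """Parse '14.1-43.56' into ('14.1', (43, 56)). Raises ValueError on anything else."""
    m = re.fullmatch(r"\s*(\d+\.\d+)-(\d+)\.(\d+)\s*", version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, major, minor = m.groups()
    return branch, (int(major), int(minor))


def version_from_show_output(text):
    """Extract a '<branch>-<build>' string from 'show ns version' style output.
    The 'NS14.1: Build 43.56.nc' layout is an assumption for this example."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no NetScaler version found in output")
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}"


def is_vulnerable(version):
    """True if the build predates the fix on its branch, False if it is at or past the fix,
    None if the branch is not one the article gives a threshold for."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (43, 55) < (43, 56), (57, 100) < (58, 32)


def triage_inventory(inventory):
    """Map each appliance name to 'upgrade', 'ok' or 'undetermined' from a name->version dict."""
    labels = {True: "upgrade", False: "ok", None: "undetermined"}
    return {name: labels[is_vulnerable(ver)] for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"gw-east": "14.1-43.55", "gw-west": "14.1-43.56",
              "adc-core": "13.1-57.100", "adc-lab": "13.0-92.21"}
    for name, verdict in triage_inventory(sample).items():
        print(f"{name}: {sample[name]} -> {verdict}")
```

Run against an inventory export, the "upgrade" entries are the appliances that still expose the flaw and whose sessions should be treated as potentially stolen; an "undetermined" result means the branch needs to be checked against the vendor advisory rather than assumed safe.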
The ongoing risk is compounded by determined adversaries, including prominent ransomware groups and state-sponsored entities, focused on exploiting this vulnerability to achieve persistence within enterprise environments.
CitrixBleed 2 exemplifies the complex challenges faced in cybersecurity, particularly concerning extensive network environments that use multifactor authentication as a safeguard. Immediate action is imperative for organizations utilizing vulnerable devices.