The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue.
The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog yesterday, ordering federal agencies to implement mitigations by the end of today, June 11.
CVE-2025-5777 is a critical memory safety vulnerability (out-of-bounds memory read) that gives an unauthenticated attacker access to restricted parts of the memory.
The issue impacts NetScaler devices that are configured as a Gateway or an AAA virtual server, in versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 2.1-55.328-FIPS.
Citrix addressed the vulnerability through updates released on June 17.
A week later, security researcher Kevin Beaumont warned in a blog post about the flaw’s potential for exploitation, its severity and repercussions if left unpatched.
Beaumont called the flaw ‘CitrixBleed 2’ due to similarities with the infamous CitrixBleed vulnerability (CVE-2023-4966), which was extensively exploited in the wild by all types of cybercriminal actors.
The first warning of CitrixBleed 2 being exploited came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept exploits (PoCs) for CVE-2025-5777, demonstrating how the flaw can be leveraged in attacks that steal user session tokens.
At the time, definitive signs of active exploitation in the wild remained elusive, but given the public PoCs and the ease of exploitation, it was only a matter of time before attackers started leveraging it at a larger scale.
For the past two weeks, though, threat actors have been active on hacker forums discussing, working on, testing, and publicly sharing feedback on PoCs for the CitrixBleed 2 vulnerability.
They showed interest in how to make the available exploits work in attacks. Their activity has increased over the past few days, and multiple exploits for the vulnerability have been published.
With CISA confirming CitrixBleed 2 being actively used in attacks, it is likely that threat actors have now developed their own exploits based on the technical info released last week.
“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warns.
To mitigate the issue, users are strongly recommended to upgrade to firmware versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+.
After updating, admins should disconnect all active ICA and PCoIP sessions, as they may already be compromised.
Before doing so, they should review current sessions for suspicious behavior using the 'show icaconnection' command or via NetScaler Gateway > PCoIP > Connections.
Then, end the sessions using the following commands:
kill icaconnection -all
kill pcoipconnection -all
If updating right away isn’t possible, limit external access to NetScaler using firewall rules or ACLs.
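The upgrade step above hinges on comparing a device's build against the first fixed build for its branch, and the thresholds differ between the standard and FIPS/NDcPP flavors of 13.1, which is easy to get wrong across a fleet. The following is an added example (not code from BleepingComputer, Citrix, or the researchers mentioned) that parses version strings in the "<branch>-<build>.<sub>[-FIPS|-NDcPP]" form used in the article, checks them against the three fixed builds the article lists, and folds in the article's note that only appliances configured as a Gateway or AAA virtual server are impacted. The hostnames and versions in the sample inventory are constructed, and the version-string format is an assumption; it does not cover the 12.1-FIPS branch.

```python
import re
from typing import NamedTuple, Optional

# First fixed builds per branch, taken from the advisory text above.
# Key: (branch, is_fips_or_ndcpp) -> (build, sub-build) of the first fixed release.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True):  (37, 235),   # 13.1-FIPS/NDcPP has its own, lower, fix threshold
}

# Assumed version-string form: "<branch>-<build>.<sub>[-FIPS|-NDcPP]", e.g. "14.1-43.56"
_VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<sub>\d+)(?:-(?P<variant>FIPS|NDcPP))?$",
    re.IGNORECASE,
)


class Assessment(NamedTuple):
    version: str
    branch: str
    fixed_build: Optional[str]   # "<build>.<sub>" of the first fixed release; None if branch unknown
    patched: bool
    exposed: bool                # unpatched AND configured as Gateway or AAA vserver
    verdict: str


def parse_version(version: str):
    """Return (branch, (build, sub), is_fips_or_ndcpp) or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m["branch"], (int(m["build"]), int(m["sub"])), bool(m["variant"])


def assess(version: str, gateway_or_aaa_vserver: bool) -> Assessment:
    """Classify one appliance: patched, exposed, or unpatched-but-not-in-scope."""
    branch, build, fips = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return Assessment(version, branch, None, False, False,
                          "branch not in this table; check the vendor bulletin")
    fixed_str = f"{fixed[0]}.{fixed[1]}"
    # Tuple comparison: build number first, then sub-build
    if build >= fixed:
        return Assessment(version, branch, fixed_str, True, False, "patched")
    if gateway_or_aaa_vserver:
        return Assessment(version, branch, fixed_str, False, True,
                          "VULNERABLE: upgrade, then review and end ICA/PCoIP sessions; "
                          "restrict external access until done")
    return Assessment(version, branch, fixed_str, False, False,
                      "unpatched, but not configured as Gateway/AAA vserver; upgrade anyway")


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, configured as Gateway/AAA vserver?)
    fleet = [
        ("ns-gw-01",   "14.1-43.50",       True),
        ("ns-gw-02",   "13.1-37.235",      True),   # non-FIPS 13.1: needs 58.32, not 37.235
        ("ns-fips-01", "13.1-37.235-FIPS", True),
        ("ns-lb-03",   "13.1-58.32",       False),
    ]
    for host, ver, gw in fleet:
        a = assess(ver, gw)
        print(f"{host:<12} {ver:<18} fixed={a.fixed_build or '?':<8} {a.verdict}")
```

The second sample host is the case worth noticing: 13.1-37.235 is fixed only in the FIPS/NDcPP build line, so a standard 13.1 appliance at that build is still short of 58.32 and is reported as exposed. Treat this as a triage aid, not a replacement for the vendor bulletin, and feed it versions from your own inventory rather than typing them by hand.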
Although CISA confirms exploitation, it is important to note that Citrix has yet to update its original security bulletin from June 27, which states that there is no evidence of CVE-2025-5777 being exploited in the wild.
BleepingComputer contacted Citrix to ask if there are any updates on the exploitation status of CitrixBleed 2, and we will update this post once a statement becomes available.