Now everybody but Citrix agrees that CitrixBleed 2 is under exploit
- Reference: 1752185636
- News link: https://www.theregister.co.uk/2025/07/10/cisa_citrixbleed_kev/
- Source link:
On Thursday, CISA [1]added the critical security flaw to its catalog of Known Exploited Vulnerabilities. The agency cited "evidence of active exploitation" in its alert.
"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.
The bug, a 9.3 CVSS-rated security flaw that allows remote, unauthenticated attackers to read sensitive info — such as session tokens — in memory from NetScaler devices configured as a gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, [3]looked bad from the start.
Citrix [6]disclosed and issued a fix for [7]CVE-2025-5777 back on June 17. Shortly thereafter, bug hunters started sounding the alarm on how bad things could get if customers didn't patch immediately.
Security maven Kevin Beaumont dubbed the new vulnerability "CitrixBleed 2" because it closely resembled an [8]earlier critical hole in the same NetScaler products, CVE-2023-4966, that allowed attackers to access a device's memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication.
By early July, researchers had published at least two [10]working exploits that showed how to abuse CVE-2025-5777 to bypass multi-factor authentication (MFA), hijack user sessions, and access critical systems.
But still no word from the vendor.
Earlier this week, Beaumont said CitrixBleed 2 has been [11]under active exploit for at least a month, citing Greynoise's honeypot telemetry showing attempts dating back to June 23.
On June 26, however, NetScaler senior VP Anil Shetty [13]assured customers, "There is no evidence to suggest exploitation of CVE-2025-5777."
Earlier today, Akamai Security Intelligence Group noted a "[18]drastic increase of vulnerability scanner traffic and additional threat actors searching for vulnerable targets" since exploit details for CVE-2025-5777 became public.
Additionally, because the vulnerability targets a specific URL path and requires no authentication or prior conditions to be met, it's very easy for attackers to exploit, the threat hunters added.
"This flaw can have dire consequences, considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers," the Akamai team warned. "Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks."
The scope of victims still remains unknown. And Citrix isn't talking. The Register again asked Citrix about in-the-wild exploits, and again did not receive any response from the vendor. ®
[1] https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
[3] https://www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/
[6] https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
[7] https://nvd.nist.gov/vuln/detail/CVE-2025-5777
[8] https://www.theregister.com/2023/10/31/mass_exploitation_citrix_bleed/
[10] https://www.theregister.com/2025/07/07/citrixbleed_2_exploits/
[11] https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
[13] https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
[18] https://www.akamai.com/blog/security-research/mitigating-citrixbleed-memory-vulnerability-ase
does it matter?
Why does it matter if Citrix responds? They put a patch out; either patch it or don't. Severity seems pretty high for those that use the access gateway function (which is probably a minority of deployed systems).
As a Citrix customer (who patched already, of course), I don't really care if it's being exploited or not. I applied the patch anyway since I do use the access gateway function (I'm the only one in the org that uses it). There were a couple of days where I was working to schedule the patch, and in the meantime I just shut off the VPN gateway on the appliance until I could patch it.
Perhaps they are eating their own dog food and are behind a Citrix firewall.
No response from vendor. Meant in a charitable tone.