[Figure: Graph showing IPs exploiting the Citrix Bleed 2 flaw (CVE-2025-5777) in Citrix NetScaler products over 24 hours.]
Citrix ‘Bleed 2’ Flaw Joins CISA Exploited List

The U.S. Cybersecurity and Infrastructure Security Agency added the Citrix Bleed 2 flaw to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild. Tracked as CVE-2025-5777, the vulnerability affects Citrix NetScaler ADC and Gateway products configured as VPN or AAA virtual servers, allowing unauthenticated attackers to steal session cookies and bypass multi-factor authentication.

Citrix Bleed 2 stems from insufficient input validation, which leads to memory overreads. Affected versions include NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS, and NetScaler Gateway versions 14.1, 13.1, and 13.1-FIPS prior to recent patches. Citrix also addressed CVE-2025-5349, a separate high-severity flaw affecting the management interface.

Shodan scans show over 56,500 exposed NetScaler endpoints, though it is unclear how many of them are vulnerable. Attacks reportedly began in June, with RansomHub linked to at least one IP. CISA directed federal agencies to apply patches by July 11. Private organizations should also review and address the risks.

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog
