Citrix Flaw Hit by 200,000 Hacking Attempts in Days
Cybersecurity researchers are warning of active exploitation of a critical Citrix flaw tracked as CVE-2025-5777 and dubbed “CitrixBleed 2.” The vulnerability affects NetScaler ADC and Gateway devices and allows unauthenticated actors to leak sensitive memory contents, including session tokens and passwords. Public proof-of-concept code has triggered over 200,000 scanning attempts across the internet in recent days.
The flaw stems from uninitialized memory in the login function, which attackers reach via crafted POST requests to the /p/u/doAuthentication.do path. These requests, featuring oversized User-Agent headers, cause memory leaks revealing XML-tagged data containing configuration values. Affected versions include NetScaler firmware prior to 14.1-43.56, 13.1-58.32, and several FIPS releases.
Akamai deployed mitigation rule 3000967, now set to deny traffic matching the exploit pattern. Security teams are urged to patch systems immediately and monitor for compromise indicators.
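For the monitoring step, front-end logs can be searched for the request pattern described above: POSTs to /p/u/doAuthentication.do carrying an oversized User-Agent header. The Python below is an added example, not code from Citrix, Akamai or the researchers; it assumes combined-format access logs from a proxy in front of the appliance, and the 512-character threshold and the sample log lines are constructed.

```python
import re
from collections import Counter

TARGET_PATH = "/p/u/doAuthentication.do"  # path named in the article
UA_THRESHOLD = 512                        # assumed cut-off; tune to your own traffic

# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def suspicious_requests(lines, threshold=UA_THRESHOLD):
    """Return (source_ip, ua_length) for POSTs to the login path with an oversized User-Agent."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, review separately
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        ua_len = len(m.group("ua"))
        if m.group("method") == "POST" and path == TARGET_PATH and ua_len > threshold:
            hits.append((m.group("ip"), ua_len))
    return hits

def hits_per_source(lines, threshold=UA_THRESHOLD):
    """Count matching requests per source address to separate scanners from one-offs."""
    return Counter(ip for ip, _ in suspicious_requests(lines, threshold))

# Constructed sample lines using documentation IP ranges; not real traffic.
_TS = "[10/Jul/2025:08:01:02 +0000]"
SAMPLE_LOG = [
    f'198.51.100.7 - - {_TS} "POST {TARGET_PATH} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - {_TS} "POST {TARGET_PATH} HTTP/1.1" 200 2048 "-" "{"A" * 4000}"',
    f'192.0.2.44 - - {_TS} "GET {TARGET_PATH} HTTP/1.1" 200 300 "-" "{"B" * 4000}"',
    f'203.0.113.9 - - {_TS} "POST {TARGET_PATH}?x=1 HTTP/1.1" 200 2048 "-" "{"C" * 3000}"',
    f'192.0.2.44 - - {_TS} "POST /index.html HTTP/1.1" 404 120 "-" "{"D" * 4000}"',
]

if __name__ == "__main__":
    for ip, count in hits_per_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {count} oversized-User-Agent POSTs to {TARGET_PATH}")
```

A match shows that the pattern was attempted, not that memory was leaked; hits against unpatched firmware are the ones to prioritise for session review.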
