CitrixBleed 2: A Critical Threat Returns with CVE-2025-5777

A New Exploit Echoes an Old Danger

In a major alert that echoes past cybersecurity alarms, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered vulnerability in Citrix NetScaler systems—CVE-2025-5777, nicknamed CitrixBleed 2—to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, with a CVSS v4.0 Base Score of 9.3, is considered critical, enabling unauthenticated attackers to steal session cookies and potentially hijack Citrix sessions without triggering multi-factor authentication (MFA) protections.

The flaw, rooted in insufficient input validation, causes a memory overread in affected systems—particularly NetScaler devices configured as Gateways or AAA virtual servers. These configurations are widely used in enterprises to facilitate secure remote access via VPN, RDP, ICA Proxy, and similar protocols.

Security expert Kevin Beaumont drew parallels between this exploit and the notorious CVE-2023-4966, the original CitrixBleed. Back then, a single malicious HTTP request could force a NetScaler device to leak memory content, including session tokens. With CitrixBleed 2, that chilling scenario has returned—what Beaumont likened to “Kanye West returning to Twitter two years later.”

Beaumont’s Shodan scans revealed over 56,500 publicly exposed NetScaler ADC and Gateway endpoints. However, the exact number vulnerable to CVE-2025-5777 remains uncertain. Compounding the danger, attack activity has already begun. At least one IP address tied to the RansomHub ransomware gang has been involved, and GreyNoise tracked attacks from 10 malicious IPs across the U.S., France, Germany, India, and Italy in the past month.

Citrix also disclosed another critical vulnerability, CVE-2025-5349, affecting the management interface of NetScaler devices due to improper access controls. This flaw becomes exploitable if attackers gain access to the NSIP, Cluster IP, or Local GSLB IP. Citrix urges users to upgrade immediately and terminate all ICA and PCoIP sessions post-update to ensure proper mitigation.

Following Binding Operational Directive (BOD) 22-01, federal agencies must patch CVE-2025-5777 by July 11, 2025. Private organizations are also advised to audit their infrastructure against the KEV catalog to minimize exposure.
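One way to act on the KEV audit advice above, as an added example that is not from the article or from CISA: a small Python audit that matches a constructed asset inventory against a KEV-style record for CVE-2025-5777 (using only the vendor, product, due date and ransomware-use facts stated here), ranks Gateway and AAA hosts first, and computes days remaining against the BOD 22-01 due date. The host names and inventory fields are hypothetical.

```python
import json
from datetime import date, datetime

# Constructed KEV-style sample holding only facts stated in the article; the real
# CISA feed uses the same field names but carries many more records and fields.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-5777",
    "vendorProject": "Citrix",
    "product": "NetScaler ADC and NetScaler Gateway",
    "requiredAction": "Upgrade; terminate ICA and PCoIP sessions after update",
    "dueDate": "2025-07-11",
    "knownRansomwareCampaignUse": "Known",
}]})

# Constructed inventory (hypothetical hosts); 'role' is how the virtual server is used.
INVENTORY = [
    {"host": "vpn-ns01.example.net", "vendor": "Citrix", "product": "NetScaler Gateway", "role": "gateway"},
    {"host": "sso-ns02.example.net", "vendor": "Citrix", "product": "NetScaler ADC", "role": "aaa"},
    {"host": "lb-ns03.example.net", "vendor": "Citrix", "product": "NetScaler ADC", "role": "lb"},
    {"host": "fw-01.example.net", "vendor": "Acme", "product": "EdgeFW", "role": "firewall"},
]

def product_matches(kev_product, asset_product):
    """KEV 'product' strings often list several products joined by 'and',
    so match when the asset's product name appears inside that string."""
    return asset_product.lower() in kev_product.lower()

def audit(kev_json, inventory, today):
    """Return findings (one per matching asset) sorted with high-priority hosts first."""
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        due = datetime.strptime(vuln["dueDate"], "%Y-%m-%d").date()
        for asset in inventory:
            if asset["vendor"].lower() != vuln["vendorProject"].lower():
                continue
            if not product_matches(vuln["product"], asset["product"]):
                continue
            # Gateway and AAA vservers are the affected configurations named in the
            # article, so they rank first; other roles still need a version review.
            priority = "high" if asset["role"] in ("gateway", "aaa") else "review"
            findings.append({
                "cve": vuln["cveID"], "host": asset["host"], "priority": priority,
                "days_left": (due - today).days, "overdue": today > due,
                "ransomware_use": vuln["knownRansomwareCampaignUse"] == "Known",
                "action": vuln["requiredAction"],
            })
    findings.sort(key=lambda f: (f["priority"] != "high", f["host"]))
    return findings

if __name__ == "__main__":
    for finding in audit(KEV_SAMPLE, INVENTORY, date(2025, 7, 1)):
        print(finding)
```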

What Undercode Says:

The emergence of CitrixBleed 2 represents a familiar yet terrifying reality in enterprise cybersecurity: old flaws can return with minimal changes and cause massive damage. This vulnerability’s ability to leak sensitive memory data, including session tokens, means it can bypass MFA protections and give attackers direct access to enterprise resources—a worst-case scenario for any organization relying on NetScaler appliances for secure remote access.

What makes this issue even more alarming is the scale and speed of exploitation. Within weeks of disclosure, malicious IPs from across five major countries have already launched targeted attacks. This indicates a high level of attacker coordination, possibly tied to ransomware-as-a-service operations like RansomHub. Their early involvement confirms this vulnerability has monetization potential—whether through extortion, credential theft, or lateral movement into sensitive networks.

Equally concerning is the fact that CitrixBleed 2 is functionally similar to a previously resolved vulnerability. This suggests that patch fatigue, configuration drift, or insufficient root cause analysis may have contributed to its reemergence. Organizations often focus on surface fixes without fully auditing underlying logic, making recurrence inevitable.

The second flaw, CVE-2025-5349, further shows how multiple layers of NetScaler infrastructure are vulnerable—not just the front-end access points. Attackers who gain access to management interfaces can bypass security protocols from within, potentially altering configurations, injecting malware, or disabling logging altogether.

From a threat modeling perspective, this is a multi-vector exploit: attackers can use exposed interfaces for initial access and then pivot using session hijacking or credential theft. Organizations need to implement zero-trust principles, ensure segmentation, and eliminate public exposure of management interfaces.

The

In summary, CitrixBleed 2 is not just a technical flaw—it’s a strategic cybersecurity failure that highlights the fragility of remote access security when memory-handling vulnerabilities are left to fester. The industry must treat this as a wake-up call to revamp how vulnerabilities are handled post-patch—not just with fixes, but with follow-through and testing.

🔍 Fact Checker Results:

✅ CVE-2025-5777 is officially listed by CISA as a Known Exploited Vulnerability with a CVSS score of 9.3.
✅ Exploitation activity has been confirmed via GreyNoise and links to RansomHub actors.
✅ Session hijacking via memory leaks has precedent in CVE-2023-4966, validating the seriousness of CitrixBleed 2.

📊 Prediction:

CitrixBleed 2 is likely to become a top attack vector for ransomware groups throughout late 2025, particularly those targeting healthcare, finance, and government sectors where NetScaler Gateways are widespread. Expect more CVEs targeting Citrix infrastructure to surface in the coming months as attackers probe for similar memory-related flaws. Moreover, vendors may face legal and regulatory scrutiny if systemic flaws persist after multiple disclosure cycles.

References:

Reported By: securityaffairs.com