A Major Security Alarm for Enterprises
A newly disclosed vulnerability in Citrix NetScaler ADC and Gateway devices is stirring serious concern across the cybersecurity community. This flaw, nicknamed CitrixBleed 2, draws chilling parallels with the devastating CitrixBleed exploit of 2023. Now tracked as CVE-2025-5777, this fresh zero-day bug is already being used in real-world attacks, with experts warning it allows attackers to bypass authentication systems — including Multi-Factor Authentication (MFA) — and hijack user sessions. The flaw specifically targets session tokens, making it more dangerous than its predecessor, which focused on session cookies.
With a CVSS score of 9.3, CVE-2025-5777 ranks among the most severe vulnerabilities found in enterprise-grade hardware this year. One of three critical NetScaler flaws disclosed in June, this vulnerability has already shown signs of active exploitation. As companies scramble to patch their systems, cybersecurity researchers urge immediate defensive action.
A Growing Threat Resurfaces
Security experts are raising the alarm over a new vulnerability identified in Citrix’s NetScaler ADC and Gateway platforms. Dubbed CitrixBleed 2, the flaw shares core characteristics with the notorious CVE-2023-4966 from 2023. Much like its predecessor, this newly identified bug enables authentication bypasses, even defeating MFA protections, allowing attackers to hijack valid Citrix sessions without user interaction.
Citrix officially disclosed the vulnerability on June 17, under the tracking number CVE-2025-5777, along with another flaw, CVE-2025-5349. Both affect NetScaler ADC and Gateway devices; the primary vulnerability scores a critical 9.3 on the CVSS scale, while the secondary flaw scores 8.7. Affected builds include 14.1 releases earlier than 14.1-47.46 and 13.1 releases earlier than 13.1-59.19.
Security researcher Kevin Beaumont, who drew the connection to the 2023 CitrixBleed, confirmed that real-world exploitation has already begun. By June 25, reports indicated that attackers were leveraging this vulnerability to gain unauthorized access to systems by hijacking web sessions. The exploitation patterns strongly resemble earlier CitrixBleed activity, including:
MFA bypass with seamless session takeovers
Use of consumer VPN IPs from data centers like DataCamp
LDAP reconnaissance within Active Directory environments
Usage of the ADExplorer64.exe tool for mapping domain privileges
What sets CitrixBleed 2 apart is its focus on session tokens rather than browser-bound session cookies. These tokens are typically used for API calls and persistent applications, which significantly broadens the attack surface.
To make matters worse, a third vulnerability was revealed on June 25. CVE-2025-6543, a memory overflow flaw, allows attackers to cause Denial of Service (DoS) and take unintended control of devices configured as gateways. Like the previous flaws, this one is also under active exploitation and shares the same affected versions as CVE-2025-5777.
What Undercode Say:
Echoes of a Past Breach, with New Layers of Danger
CitrixBleed 2 represents more than just a repeat of a past error — it’s an evolution of threat patterns against enterprise-grade VPN and access solutions. In the original CitrixBleed, threat actors gained access via leaked session cookies tied to short-term browser sessions. While damaging, those attacks were somewhat limited in duration and scope. The latest variant shifts the focus toward persistent session tokens, which are often embedded deep within enterprise applications and backend systems. This change implies longer-term access, broader compromise capabilities, and a harder forensic trail to follow.
Why Token-Based Attacks Are Harder to Detect
Session tokens are tied to application-layer authentication mechanisms, not just browser sessions. This means attackers could remain undetected for longer, especially if enterprises lack robust token expiration policies or proper session logging mechanisms. Attackers could impersonate users indefinitely, access APIs, and maintain persistent access across upgrades or patches — unless the tokens themselves are revoked.
MFA Isn’t Enough Anymore
The real danger here lies in the bypass of MFA. For years, MFA was considered a gold standard of user verification. Now, as seen with CitrixBleed 2, sophisticated attackers are exploiting architecture-level flaws that sit outside the realm of user credentials entirely. These session hijacks happen post-authentication, completely nullifying MFA’s protective layer.
Strategic Use of VPNs and IP Rotation
The presence of connections from IPs associated with hosting providers like DataCamp is telling. It shows attackers are likely using VPN tunneling and rotating IP addresses to avoid detection and maintain access. This tactic can fool traditional security monitoring tools that look for geolocation mismatches or anomalous user behavior.
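The seamless session takeovers and hosting-provider source IPs described above suggest a straightforward detection: a single NetScaler session identifier that is used from more than one client IP, flagged at higher severity when one of those IPs falls in a known hosting or VPN range. The following Python is an added illustration, not code from the article, Citrix or Undercode; the log format, session IDs and IP ranges are constructed for the demo.

```python
"""Flag NetScaler sessions that appear from more than one client IP.

Added example (not from the article or Citrix): a session ID seen from
several source IPs is a hijack candidate; it is rated "high" when one of
those IPs sits in a hosting/VPN range. Log format and ranges are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed range standing in for a hosting/VPN provider's address space.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed access-log lines: timestamp, session id, source ip, request path.
SAMPLE_LOG = """\
2025-06-25T09:00:01Z sess=A1B2 src=198.51.100.7 path=/vpn/index.html
2025-06-25T09:00:09Z sess=A1B2 src=198.51.100.7 path=/cgi/login
2025-06-25T09:14:30Z sess=A1B2 src=203.0.113.55 path=/cgi/ns_session
2025-06-25T09:20:00Z sess=C3D4 src=192.0.2.10 path=/vpn/index.html
2025-06-25T09:25:12Z sess=C3D4 src=192.0.2.10 path=/cgi/login
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, session id, source IP)."""
    tokens = line.split()
    fields = dict(kv.split("=", 1) for kv in tokens[1:])
    return tokens[0], fields["sess"], ipaddress.ip_address(fields["src"])


def is_hosting_ip(ip):
    """True if the address lies inside any configured hosting/VPN range."""
    return any(ip in net for net in HOSTING_RANGES)


def find_hijack_candidates(log_text):
    """Return {session_id: {"ips": [...], "severity": "medium"|"high"}}."""
    seen = defaultdict(list)  # session id -> distinct source IPs, in order seen
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, sess, ip = parse_line(line)
        if ip not in seen[sess]:
            seen[sess].append(ip)
    findings = {}
    for sess, ips in seen.items():
        if len(ips) < 2:
            continue  # one client IP for the whole session: nothing to flag
        severity = "high" if any(is_hosting_ip(ip) for ip in ips) else "medium"
        findings[sess] = {"ips": [str(ip) for ip in ips], "severity": severity}
    return findings


if __name__ == "__main__":
    for sess, f in find_hijack_candidates(SAMPLE_LOG).items():
        print(f"{sess}: {f['severity']} -- seen from {', '.join(f['ips'])}")
```

On the sample log only session A1B2 is reported, because it moves from an enterprise address to an IP in the hosting range mid-session; a session that changes IP without touching such a range is still reported at medium severity.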
LDAP and Active Directory Probing Reveals Intent
The use of tools like ADExplorer64.exe across multiple compromised environments reveals a deeper layer of reconnaissance. Attackers aren’t just testing the door handles; they’re inside the house, mapping every room. LDAP queries confirm that attackers are looking to escalate privileges, map domain controllers, and plan lateral movement within networks.
The Bigger Picture: A Vendor Ecosystem at Risk
This latest round of vulnerabilities once again highlights how hardware appliances from trusted vendors can become massive liabilities if left unpatched or misconfigured. Citrix’s NetScaler devices are widely used by major enterprises and governments, making them a prime target for both cybercriminal gangs and nation-state hackers.
Patch Management and Beyond
Although Citrix has released patches, many organizations lag behind in applying critical updates. In environments with uptime sensitivity or legacy dependencies, patches can take weeks or months to roll out. That delay gives attackers a dangerous window of opportunity.
🔍 Fact Checker Results:
✅ CVE-2025-5777 has a CVSS score of 9.3 and affects Citrix NetScaler ADC & Gateway
✅ Exploitation has been observed in the wild as of June 25
✅ Vulnerability targets session tokens, not cookies, and bypasses MFA
📊 Prediction:
🔮 We expect CitrixBleed 2 to become a favored tool for ransomware groups and APT actors over the next quarter, especially those focusing on long-term infiltration and stealth persistence. As seen with its predecessor, patch delay and poor session management will likely result in widespread enterprise compromise across sectors like healthcare, finance, and government.
References:
Reported By: www.infosecurity-magazine.com