

Ethical Hacking News

Citrix Bleed 2: A Critical NetScaler Flaw Exploited in Targeted Attacks


Cybersecurity experts have identified a critical vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) being exploited in targeted attacks, allowing attackers to hijack user sessions and bypass multi-factor authentication. To protect against this threat, users should upgrade to the latest firmware and limit external access to NetScaler via network ACLs or firewall rules.

  • Citrix Bleed 2 (CVE-2025-5777) is a critical vulnerability allowing unauthenticated attackers to access sensitive data from public-facing gateways and virtual servers.
  • The vulnerability enables attackers to steal session tokens and credentials, hijack user sessions, and bypass multi-factor authentication (MFA).
  • Citrix has confirmed the risk and addressed it with security updates on June 17, 2025.
  • Targeted attacks have already been observed using stolen session tokens and bypassing MFA, indicating a high likelihood of exploitation.
  • Potentially impacted users should upgrade to version 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+



    A critical vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) has now been identified as likely being exploited in targeted attacks by cybercriminals. The discovery of this flaw, which is part of the NetScaler ADC and Gateway software, was made by cybersecurity firm ReliaQuest after an increase in suspicious sessions on Citrix devices was observed.

    According to Bill Toulas, a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks, the vulnerability allows unauthenticated attackers to access portions of memory that should typically be inaccessible. This could enable attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, ultimately leading to hijacked user sessions and bypassing multi-factor authentication (MFA).

    Citrix's advisory has confirmed this risk, warning users to end all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions. The flaw was addressed by Citrix on June 17, 2025, with no reports of active exploitation earlier in the week.

    However, cybersecurity researcher Kevin Beaumont warned about the high likelihood of exploitation earlier this week, which now seems justified as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks. The reasons behind this include:

    * Hijacked Citrix web sessions observed where authentication was granted without user interaction, indicating attackers bypassed MFA using stolen session tokens.
    * Attackers reused the same Citrix session across both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
    * LDAP queries were initiated post-access, showing that attackers performed Active Directory reconnaissance to map users, groups, and permissions.
    * Multiple instances of ADExplorer64.exe ran across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.

    The use of anonymized infrastructure by attacker IPs associated with consumer VPN providers like DataCamp further suggests that the exploitation is being carried out through obfuscation techniques. These findings are consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is indeed being exploited in the wild.
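The indicators above (a session reused from more than one source IP, authentication granted without a user login, and LDAP reconnaissance after access) can be checked mechanically against gateway logs. The script below is an added example, not code from the article, Citrix, or ReliaQuest; its log format is constructed for illustration and does not match real NetScaler syslog or AAA records, so the parser would need to be adapted to the appliance's actual output.

```python
"""Triage NetScaler Gateway session activity for the signs described above:
one session used from several source IPs, activity on a session that never
authenticated, and LDAP queries issued from an IP other than the login IP.

Added example; not code from the article, Citrix, or ReliaQuest. The log
format is constructed for illustration and is not real NetScaler output.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real appliance output).
SAMPLE_LOG = """\
2025-06-24T10:01:05Z LOGIN user=alice session=S1001 src=203.0.113.10 mfa=ok
2025-06-24T10:01:40Z ACCESS user=alice session=S1001 src=203.0.113.10
2025-06-24T10:05:12Z ACCESS user=alice session=S1001 src=198.51.100.77
2025-06-24T10:06:00Z LDAP user=alice session=S1001 src=198.51.100.77 query=(objectClass=group)
2025-06-24T10:10:30Z LOGIN user=bob session=S1002 src=203.0.113.22 mfa=ok
2025-06-24T10:11:02Z ACCESS user=bob session=S1002 src=203.0.113.22
2025-06-24T10:15:00Z ACCESS user=carol session=S1003 src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>[A-Z]+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it
    does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)  # keep '=' inside LDAP filters
            rec[key] = value
    return rec


def analyse(log_text):
    """Return three sorted lists of session ids:
    multi_ip           - session seen from more than one source IP
    no_login           - session with activity but no LOGIN event
    ldap_from_other_ip - LDAP queries sent from an IP other than the login IP
    """
    ips_by_session = defaultdict(set)
    login_ip = {}
    active = set()
    ldap_ips = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "session" not in rec or "src" not in rec:
            continue
        sid, src = rec["session"], rec["src"]
        ips_by_session[sid].add(src)
        if rec["event"] == "LOGIN":
            login_ip[sid] = src
        else:
            active.add(sid)
        if rec["event"] == "LDAP":
            ldap_ips[sid].add(src)
    return {
        "multi_ip": sorted(s for s, ips in ips_by_session.items() if len(ips) > 1),
        "no_login": sorted(s for s in active if s not in login_ip),
        "ldap_from_other_ip": sorted(
            s for s, ips in ldap_ips.items() if ips - {login_ip.get(s)}
        ),
    }


if __name__ == "__main__":
    for kind, sessions in analyse(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(sessions) or '-'}")
```

On the constructed sample, S1001 is flagged twice (two source IPs, and LDAP from the non-login IP) and S1003 is flagged for activity with no authentication event; S1002 is clean. Any session flagged by these checks is a candidate for termination with the `kill` commands the article gives, after the usual review.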

    To protect against this threat, potentially impacted users should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability. After installing the latest firmware, admins are advised to terminate all active ICA and PCoIP sessions, as they may have already been hijacked.

    Before killing active sessions, admins should first review them for suspicious activity using the `show icaconnection` command and NetScaler Gateway > PCoIP > Connections. Once identified, administrators can then terminate these sessions using the commands:

    ```
    kill icaconnection -all
    kill pcoipconnection -all
    ```

    If immediate installation of security updates is impossible, it is recommended that external access to NetScaler be limited via network ACLs or firewall rules.
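Deciding whether an appliance already carries a fixed build is easy to get wrong because the FIPS/NDcPP branch of 13.1 has its own, lower build numbers. The following is an added example, not Citrix tooling: it compares a version string against the fixed builds the article lists, assuming the "<branch>-<build>.<minor>" notation the article uses (e.g. "14.1-43.56"), optionally followed by a FIPS or NDcPP tag; adapt the parser to whatever your own appliance reports.

```python
"""Check a NetScaler ADC/Gateway build against the fixed versions the article
lists for CVE-2025-5777: 14.1-43.56+, 13.1-58.32+, and 13.1-FIPS/NDcPP
13.1-37.235+.

Added example; not Citrix tooling. The "<branch>-<build>.<minor>[ FIPS|NDcPP]"
input format is an assumption taken from the article's notation.
"""
import re

# Minimum fixed builds per (release branch, variant), as given in the article.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
}

VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<minor>\d+)"
    r"(?:[-\s]*(?P<variant>FIPS|NDcPP))?$",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (branch, variant, (build, minor)); raise ValueError on junk."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    variant = (m.group("variant") or "").upper()
    if variant == "NDCPP":
        variant = "NDcPP"
    return m.group("branch"), variant, (int(m.group("build")), int(m.group("minor")))


def is_patched(text):
    """True if the build is at or above the fixed build for its branch and
    variant, False if below, None if the branch is not one the article lists."""
    branch, variant, build = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    return build >= fixed  # tuple comparison: build first, then minor


if __name__ == "__main__":
    for v in ["14.1-43.56", "14.1-43.50", "13.1-58.32", "13.1-37.235-FIPS", "12.1-55.0"]:
        print(f"{v:20s} patched={is_patched(v)}")
```

Note that the variant tag has to be present in the input: "13.1-37.235" without a FIPS/NDcPP marker is evaluated against the standard 13.1 threshold of 58.32 and reported as unpatched, which is the safer failure. A `None` result means the branch is outside the article's list and needs to be checked against Citrix's advisory directly.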

    The lack of a reply from Citrix regarding the exploitation status of CVE-2025-5777 is concerning, as BleepingComputer contacted the company multiple times about this issue.

    As organizations continue to prioritize patch management and security updates, it is crucial that administrators remain vigilant and proactive in addressing potential vulnerabilities. The discovery of Citrix Bleed 2 serves as a stark reminder of the importance of staying up-to-date with the latest security patches and best practices to prevent cyber threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-Bleed-2-A-Critical-NetScaler-Flaw-Exploited-in-Targeted-Attacks-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/critical-citrix-bleed-2-flaw-now-likely-exploited-in-attacks/


  • Published: Fri Jun 27 09:30:04 2025 by llama3.2 3B Q4_K_M