Ethical Hacking News

Citrix Bleed 2: A Critical Vulnerability Exposed Weeks Before Public Disclosure


Citrix Bleed 2 is a critical vulnerability that was actively exploited weeks before proof-of-concept (PoC) exploits were made public, despite Citrix's denial of attacks. The flaw, tracked as CVE-2025-5777, is triggered by a malformed POST request sent during a login attempt: the request causes a memory over-read that leaks sensitive data, including session tokens that can be used to hijack Citrix sessions.

  • Citrix NetScaler has a critical vulnerability known as CitrixBleed 2, tracked as CVE-2025-5777.
  • The vulnerability is caused by insufficient input validation, allowing attackers to send malformed POST requests during login attempts.
  • Over 120 companies have already been compromised by the flaw, and one threat actor group may be responsible for the attacks.
  • Citrix initially denied any attacks, but later acknowledged the vulnerability and provided limited guidance on identifying signs of exploitation.
  • Customers running unsupported versions should upgrade to supported builds immediately; Citrix's Web Application Firewall does not detect exploitation of this vulnerability.



Citrix NetScaler, a widely used product for delivering applications and services over the internet, has been hit by a critical vulnerability known as CitrixBleed 2. This security flaw, tracked as CVE-2025-5777, was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix's denial of attacks.

The vulnerability is caused by insufficient input validation in the NetScaler application, which allows attackers to send malformed POST requests during login attempts. The malformed request triggers a memory over-read that can be exploited to leak sensitive data, such as valid session tokens. Those tokens can then be replayed to hijack Citrix sessions and gain unauthorized access to internal resources.

Security researcher Kevin Beaumont has been tracking exploitation of this flaw since June 20, 2025, with activity ramping up from June 21 to July 4, according to his latest post on Twitter. He warns that over 120 companies have already been compromised by the flaw, and he believes a single threat actor group may be responsible for the attacks.

GreyNoise, which operates a network of honeypots, detected targeted exploitation attempts against Citrix Bleed 2 from IP addresses located in China on June 23, 2025. GreyNoise shared this information with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on July 9, and the agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

Despite these early signs of exploitation, Citrix initially denied any attacks in its security advisory for CVE-2025-5777. It wasn't until June 26 that Citrix updated its blog post with a revised version that acknowledged the vulnerability. The company has since been under fire for a lack of transparency, and for not sharing the Indicators of Compromise (IOCs) that researchers had previously provided to it.

Citrix's guidance on identifying signs of exploitation is also limited, according to Beaumont. Citrix recommends terminating ICA and PCoIP sessions with the commands kill icaconnection -all and kill pcoipConnection -all; Beaumont advises also terminating other session types that may have been hijacked, such as RDP, SSH, Telnet, and Conn.

In a recent post on Twitter, Beaumont shared guidance on how to evaluate NetScaler logs for indicators of compromise. He warned that Citrix's Web Application Firewall does not detect exploitation of CVE-2025-5777 and recommended that customers running unsupported versions upgrade to supported builds immediately.
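The passages above describe the attack chain (a leaked session token replayed to hijack a session) and the need to review NetScaler logs for signs of it. The following is an added example, not code from the article or from Citrix: it parses a constructed, simplified session log and flags any session token that is used from more than one client address, which is the defender-visible symptom of a replayed token. The log format, field names and IP addresses are assumptions made for this example and are not NetScaler's actual syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample log lines (NOT real NetScaler output; the field layout is
# an assumption for this example). One line per use of a session token.
SAMPLE_LOGS = """\
2025-06-22T10:00:01Z user=alice token=SESS-A1 client=203.0.113.10 action=LOGIN
2025-06-22T10:01:15Z user=alice token=SESS-A1 client=203.0.113.10 action=REQUEST
2025-06-22T10:03:40Z user=alice token=SESS-A1 client=198.51.100.77 action=REQUEST
2025-06-22T10:05:02Z user=bob token=SESS-B2 client=203.0.113.20 action=LOGIN
2025-06-22T10:06:30Z user=bob token=SESS-B2 client=203.0.113.20 action=REQUEST
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) token=(?P<token>\S+) "
    r"client=(?P<client>\S+) action=(?P<action>\S+)$"
)


def parse_logs(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_hijacked_sessions(events):
    """Return {token: sorted client IPs} for every token seen from more than one client.

    A token leaked by the over-read and replayed by an attacker shows up as the
    same session token appearing from a second source address after the LOGIN.
    """
    clients = defaultdict(set)
    for ev in events:
        clients[ev["token"]].add(ev["client"])
    return {tok: sorted(ips) for tok, ips in clients.items() if len(ips) > 1}


if __name__ == "__main__":
    for tok, ips in find_hijacked_sessions(parse_logs(SAMPLE_LOGS)).items():
        print(f"session {tok} used from multiple clients: {', '.join(ips)}")
```

Against real NetScaler logs the regular expression must be adapted to the appliance's actual record format, and legitimate address changes (mobile clients, proxies) should be expected to produce some false positives that need manual review.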

Related Information:
  • https://www.ethicalhackingnews.com/articles/Citrix-Bleed-2-A-Critical-Vulnerability-Exposed-Weeks-Before-Public-Disclosure-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-5777
  • https://www.cvedetails.com/cve/CVE-2025-5777/


  • Published: Thu Jul 17 21:06:08 2025 by llama3.2 3B Q4_K_M
© Ethical Hacking News. All rights reserved.