Ethical Hacking News
CitrixBleed 2 is a new, critical vulnerability affecting Citrix's NetScaler ADC and NetScaler Gateway products. The vulnerability allows attackers to read session tokens or sensitive information from these devices, potentially leading to data breaches and security threats. Organizations are urged to patch now and take measures to protect themselves against this emerging threat.
Citrix has announced a critical vulnerability, dubbed "CitrixBleed 2", which poses a significant threat to organizations worldwide. The vulnerability affects the company's NetScaler ADC and NetScaler Gateway products, specifically builds 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and 13.1-NDcPP before 13.1-37.235, and 12.1-FIPS before 12.1-55.328.
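To turn the affected-build list above into a quick inventory check, here is an added example (not code from Citrix or from the article) that parses NetScaler build strings and compares them against the fixed builds quoted in the bulletin. It assumes the build-string forms shown in the comments; hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional

# Fixed builds as listed in the Citrix bulletin quoted above, keyed by (release train, variant).
# variant None = standard NetScaler ADC / NetScaler Gateway build.
FIXED_BUILDS = {
    ("14.1", None): "14.1-43.56",
    ("13.1", None): "13.1-58.32",
    ("13.1", "FIPS"): "13.1-37.235",
    ("13.1", "NDcPP"): "13.1-37.235",
    ("12.1", "FIPS"): "12.1-55.328",
}

# Accepts the bulletin form ("13.1-37.235-FIPS") and, as an assumption about typical
# appliance output, the `show ns version` form ("NS13.1: Build 58.32.nc").
BUILD_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)(?:\.nc)?(?:-(FIPS|NDcPP))?$"
)

def parse_build(build: str):
    """Return (train, major, minor, variant) for a NetScaler build string."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    train, major, minor, variant = m.groups()
    return train, int(major), int(minor), variant

def is_vulnerable(build: str, variant: Optional[str] = None) -> Optional[bool]:
    """True if the build is before the fixed build for its train/variant, False if it is
    at or after it, None if the train/variant is not in the bulletin's list (the table
    above cannot answer for it; consult the vendor bulletin directly)."""
    train, major, minor, parsed_variant = parse_build(build)
    fixed = FIXED_BUILDS.get((train, variant or parsed_variant))
    if fixed is None:
        return None
    _, fixed_major, fixed_minor, _ = parse_build(fixed)
    return (major, minor) < (fixed_major, fixed_minor)

def triage(inventory: Dict[str, str]) -> List[str]:
    """Hostnames (in inventory order) whose build still needs the CVE-2025-5777 fix."""
    return [host for host, build in inventory.items() if is_vulnerable(build)]

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up for illustration.
    sample = {"gw-dc1": "14.1-43.55", "gw-dc2": "NS13.1: Build 58.32.nc",
              "gw-fips": "13.1-37.207-FIPS", "gw-legacy": "12.1-55.300"}
    print("needs fix:", triage(sample))  # ['gw-dc1', 'gw-fips']
```

A None result (for example a 12.1 build without the FIPS suffix) means the train is absent from the bulletin's list on this page, not that it is safe.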
Citrix's security bulletin reveals that the vulnerability is due to insufficient input validation, which can be exploited remotely and without any authentication. This allows attackers to read session tokens or other sensitive information in memory from NetScaler devices configured as a Gateway, such as VPN virtual servers, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers.
Security analyst Kevin Beaumont has dubbed the vulnerability "CitrixBleed 2", drawing comparisons to the infamous CitrixBleed flaw exploited by ransomware gangs and other cyber scum. The new bug received a severity rating of 9.3 and affects several builds of NetScaler ADC and NetScaler Gateway.
The vulnerability is particularly concerning because the insufficient input validation can lead to an out-of-bounds read. The Gateway and AAA virtual server configurations it affects are common in large organizations, which makes the exposed attack surface that much larger.
Citrix did not immediately respond to The Register's inquiries about whether CVE-2025-5777 has been exploited in the wild. However, experts warn that it is only a matter of time before CitrixBleed 2 comes under attack.
The National Vulnerability Database (NVD) CVE description has quietly changed since its initial disclosure, with some prerequisites or limitations being removed. This suggests that the vulnerability may be significantly more painful than initially signaled.
Benjamin Harris, CEO of watchTowr, noted that while the company hasn't seen any exploitation to date, "this vulnerability checks all the boxes for inevitable attacker interest." He added that organizations should be dealing with this as an IT incident, emphasizing that "exploitation is not a matter of if, but when."
Citrix strongly recommends upgrading affected customers' devices to the latest fixed versions as soon as possible. The vendor also suggests executing specific commands after deploying the fixed versions across High Availability (HA) pairs and cluster nodes:
kill icaconnection -all
kill pcoipConnection -all
These commands ensure that all active ICA and PCoIP sessions are terminated; Citrix does not recommend rebooting appliances as a substitute for running them.
The original CitrixBleed flaw was widely exploited by at least two ransomware groups. One of the victims, Seattle's Fred Hutchinson Cancer Center, late last month agreed to fork out around $52.5 million as part of a class action settlement after extortionists exploited the original CitrixBleed flaw, stole personal and health-related data of millions of people, and directly threatened cancer patients with swatting.
In-the-wild exploitation is expected at some point, and organizations should be treating this as an IT incident now rather than waiting for confirmation. Citrix therefore strongly recommends patching immediately to prevent potential data breaches and security threats.
The Register has reached out for comment on whether CVE-2025-5777 has been exploited in the wild. We will provide updates as more information becomes available.
Related Information:
https://www.ethicalhackingnews.com/articles/Citrix-Vulnerability-CitrixBleed-2---A-Critical-Threat-to-Organizations-Worldwide-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/
Published: Tue Jun 24 20:58:36 2025 by llama3.2 3B Q4_K_M