Ethical Hacking News
Despite Citrix's assurances, CitrixBleed 2 has been under active exploit for at least a month, with two working exploits already published. Organizations must act quickly to patch CVE-2025-5777 and protect sensitive data from falling into the wrong hands.
CitrixBleed 2 is a security vulnerability that allows remote, unauthenticated attackers to read sensitive information in memory from NetScaler devices. The bug has been under active exploit for at least a month, with attempts dating back to June 23. A working exploit has been published, demonstrating how to abuse CVE-2025-5777 to bypass multi-factor authentication and access critical systems. The affected devices can be configured as VPNs, proxies, or AAA virtual servers, making them prime targets for attackers. Citrix's lack of communication on the matter raises concerns about their preparedness to address this vulnerability. Organizations must take immediate action and patch CVE-2025-5777 as soon as possible to prevent sensitive data exposure.
CitrixBleed 2, the latest security vulnerability to make headlines, has been exploited quietly and widely across network edge devices, and has shown it can get past otherwise well-defended environments. The latest addition to CISA's Known Exploited Vulnerabilities (KEV) catalog, CVE-2025-5777, is a CVSS 9.3 flaw that allows remote, unauthenticated attackers to read sensitive information, such as session tokens, from the memory of NetScaler devices configured as a gateway (a VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server.
The bug was discovered by researchers and dubbed "CitrixBleed 2" because of its striking resemblance to an earlier critical hole in the same NetScaler products, CVE-2023-4966. Since then, security maven Kevin Beaumont has been sounding the alarm on how bad things could get if customers don't patch immediately. Not everyone seems to be paying attention, however: Citrix senior VP Anil Shetty assured customers on June 26 that there was no evidence to suggest exploitation of CVE-2025-5777.
As it turns out, the reality is far from rosy. According to GreyNoise's honeypot telemetry, attempts dating back to June 23 show that CitrixBleed 2 has been under active exploit for at least a month. Earlier this week, Beaumont revealed that at least two working exploits had been published, demonstrating how to abuse CVE-2025-5777 to bypass multi-factor authentication (MFA), hijack user sessions, and access critical systems.
The scope of victims remains unknown, but the impact is clear. The Akamai Security Intelligence Group noted a "drastic increase in vulnerability scanner traffic and additional threat actors searching for vulnerable targets" since exploit details for CVE-2025-5777 became public. This is not amateur activity: the affected devices can be configured as VPNs, proxies, or AAA virtual servers, which makes them prime targets for attackers.
The fact that Citrix has not commented on in-the-wild exploits raises questions about their preparedness to address this vulnerability. The Register has reached out to Citrix multiple times, but received no response from the vendor. This lack of communication is particularly concerning, given the high-stakes nature of this vulnerability.
In light of this new development, it's essential for organizations to take immediate action and patch CVE-2025-5777 as soon as possible. The risk to sensitive data is too great to ignore, especially considering that session tokens and other sensitive information can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks.
The fact that this vulnerability has been under active exploit for at least a month raises concerns about the vendor's response time. While Citrix did issue a patch on June 17, it seems that some organizations may have missed it or are still in the process of implementing it. This is a prime example of why timely and effective patching is crucial in today's threat landscape.
In conclusion, CitrixBleed 2 has proven itself to be a formidable security vulnerability with far-reaching implications for organizations worldwide. It's imperative that we take proactive measures to address this issue, not just because of the risk to sensitive data but also due to the vendor's lack of communication on this matter.
Related Information:
https://www.ethicalhackingnews.com/articles/CitrixBleed-2-The-Silent-Killer-in-the-Network-Leaving-a-Trail-of-Vulnerability-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
Published: Thu Jul 10 19:02:54 2025 by llama3.2 3B Q4_K_M