Ethical Hacking News
A new vulnerability in Citrix NetScaler ADC and Gateway allows hackers to hijack user sessions, exposing endpoints to attack. Organizations must prioritize security updates and patching to prevent potential data breaches.
CitrixBleed 2 is a critical vulnerability in Citrix NetScaler ADC and Gateway that allows unauthenticated attackers to access sensitive data. The vulnerability affects builds earlier than the fixed releases 14.1-43.56 and 13.1-58.32. Exploitation of this flaw could allow hackers to hijack user sessions and bypass multi-factor authentication (MFA). Citrix recommends installing NetScaler ADC and NetScaler Gateway 14.1-43.56, 13.1-58.32, or later to address the risk.
CitrixBleed 2: A New Flaw in NetScaler ADC and Gateway Exposes Endpoints to Attack
A recent vulnerability discovered by cybersecurity researcher Kevin Beaumont has exposed a significant security risk for organizations using Citrix NetScaler ADC (Application Delivery Controller) and Gateway solutions. The newly identified flaw, dubbed "CitrixBleed 2," is eerily similar to an older exploited vulnerability known as "CitrixBleed" (CVE-2023-4966), which was extensively targeted by threat actors in the past.
CitrixBleed 2, CVE-2025-5777, is a critical flaw that allows unauthenticated attackers to access portions of memory that they should not have access to. This out-of-bounds memory read vulnerability impacts NetScaler devices configured as Gateways (VPN virtual server, ICA Proxy, Clientless VPN, RDP Proxy) or AAA virtual servers. The exploitation of this flaw could potentially allow hackers to hijack user sessions and bypass multi-factor authentication (MFA).
Beaumont's research indicates that CitrixBleed 2 allows attackers to access session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers. Leaked tokens can be replayed to hijack user sessions, making it challenging for organizations to protect their users' identities.
The same security bulletin published by Citrix warns of a second, high-severity flaw tracked as CVE-2025-5349, an improper access control problem in the NetScaler Management Interface. Exploiting it requires access to the NSIP (NetScaler Management IP), Cluster Management IP, or Local GSLB Site IP.
To address both risks, Citrix recommends that users install NetScaler ADC and NetScaler Gateway 14.1-43.56, 13.1-58.32, and later, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS). Before killing active sessions, administrators are advised to review existing sessions for suspicious activity using the show icaconnection command, and NetScaler Gateway > PCoIP > Connections to see PCoIP sessions.
Terminating active sessions is crucial to prevent previously stolen sessions from being used even after devices are no longer vulnerable. As warned by Mandiant CTO Charles Carmakal, "Many organizations did not terminate sessions when remediating a similar vulnerability in 2023 (CVE-2023-4966 aka 'Citrix Bleed')," which resulted in session secrets being stolen before companies patched and led to nation-state espionage or ransomware deployment.
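One concrete way to do the session review the bulletin calls for is to look for a session token that shows up from more than one client address within a short window, which is the trace a replayed token leaves. The Python below is an added example, not tooling from the article, Citrix, or Mandiant; the session records are constructed, and the column layout (timestamp, user, session id, client IP) is an assumption rather than any NetScaler export format.

```python
"""Flag gateway sessions whose token is seen from more than one client address
within a short window, the trace a replayed (stolen) session token leaves.

Added example, not the article's, Citrix's or Mandiant's tooling. The records
below are constructed, and the column layout (timestamp, user, session id,
client IP) is an assumption, not a NetScaler export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str, str]   # (ISO timestamp, user, session_id, client_ip)

# Constructed session activity for one gateway.
RECORDS: List[Record] = [
    ("2025-06-25T08:00:00", "alice", "S-1001", "203.0.113.10"),
    ("2025-06-25T08:05:00", "alice", "S-1001", "203.0.113.10"),
    ("2025-06-25T08:07:00", "alice", "S-1001", "198.51.100.77"),  # same token, new address 2 min later
    ("2025-06-25T09:00:00", "bob",   "S-1002", "203.0.113.22"),
    ("2025-06-25T09:30:00", "bob",   "S-1002", "203.0.113.22"),
    ("2025-06-25T10:00:00", "carol", "S-1003", "192.0.2.5"),
    ("2025-06-25T18:00:00", "carol", "S-1003", "192.0.2.9"),      # address change 8 h later (roaming?)
]


def find_replayed_sessions(records: Iterable[Record],
                           window: timedelta = timedelta(minutes=30)) -> Dict[str, dict]:
    """Return {session_id: details} for every session whose client address changed
    between two consecutive events less than `window` apart.

    A legitimate client can change address when it roams, so the window keeps
    slow changes out of the list; a token used from two networks minutes apart
    is the case worth terminating and investigating.
    """
    by_session: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, user, sid, ip in records:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip))

    flagged: Dict[str, dict] = {}
    for sid, events in by_session.items():
        events.sort()   # chronological order, so consecutive pairs are adjacent in time
        for (t_prev, _, ip_prev), (t_cur, user, ip_cur) in zip(events, events[1:]):
            if ip_cur != ip_prev and t_cur - t_prev <= window:
                flagged[sid] = {
                    "user": user,
                    "addresses": sorted({ip for _, _, ip in events}),
                    "switched_at": t_cur.isoformat(),
                }
                break   # one hit is enough to flag the session
    return flagged


if __name__ == "__main__":
    for sid, info in find_replayed_sessions(RECORDS).items():
        print(f"{sid}: user={info['user']} addresses={info['addresses']} at {info['switched_at']}")
```

With the default 30-minute window only S-1001 is flagged; widening the window to 12 hours also pulls in carol's S-1003, so the window is the knob that trades false positives from roaming clients against missed slow replays. Whatever the threshold, the sessions it flags are the ones to terminate first and to correlate with other logs before the fleet-wide kill.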
The flaws also impact end-of-life ADC / Gateway 12.1 (non-FIPS) and ADC / Gateway 13.0, which will not be receiving patches. Organizations using these versions should upgrade to an actively supported release as soon as possible.
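Because a NetScaler build string does not say whether a device is on the FIPS/NDcPP train, checking an inventory against the fixed builds listed above is easy to get wrong by hand: 13.1-37.235 is fixed on the FIPS train but well below the 13.1-58.32 needed on the standard one. The Python below is an added example, not Citrix's or the article's tooling. It encodes the fixed builds and end-of-life trains exactly as the article lists them; the hostnames and build numbers in the sample inventory and the `fips` attribute as an inventory field are constructed assumptions.

```python
"""Assess NetScaler ADC / Gateway builds against the fixed releases named for
CVE-2025-5777 and CVE-2025-5349.

Added example, not Citrix's or the article's own tooling. The inventory rows are
constructed, and the `fips` field is an assumed inventory attribute: the build
string alone does not reveal whether a device runs the FIPS/NDcPP train.
"""
from typing import Dict, List, NamedTuple, Tuple

# Minimum fixed build per (release train, FIPS/NDcPP flag), as given in the article.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / 13.1-NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS
}

# Trains the article says are end-of-life and will not receive a patch.
EOL_TRAINS = {("12.1", False), ("13.0", False)}


class Device(NamedTuple):
    host: str
    version: str   # NetScaler build string, e.g. "14.1-43.56"
    fips: bool     # assumed inventory field: FIPS or NDcPP train


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-43.56' into ('14.1', (43, 56)); raises ValueError on junk."""
    release, sep, build = version.strip().partition("-")
    if not sep:
        raise ValueError(f"no build number in {version!r}")
    major, minor = release.split(".")
    b1, b2 = build.split(".")
    return f"{int(major)}.{int(minor)}", (int(b1), int(b2))


def assess(device: Device) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one device."""
    try:
        release, build = parse_version(device.version)
    except ValueError:
        return "unknown"
    key = (release, device.fips)
    if key in EOL_TRAINS:
        return "eol"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"   # train not covered by the builds listed in the article
    # Tuple comparison orders (43, 56) < (43, 57) < (44, 0), matching the build numbering.
    return "patched" if build >= fixed else "vulnerable"


def report(devices: List[Device]) -> Dict[str, List[str]]:
    """Group hostnames by assessment so the 'vulnerable' and 'eol' lists are actionable."""
    grouped: Dict[str, List[str]] = {}
    for device in devices:
        grouped.setdefault(assess(device), []).append(device.host)
    return grouped


# Constructed inventory; hostnames and build numbers are illustrative only.
INVENTORY = [
    Device("gw-1.example.test", "14.1-43.56", False),   # exactly the fixed build
    Device("gw-2.example.test", "14.1-40.10", False),   # older 14.1 build
    Device("gw-3.example.test", "13.1-37.235", True),   # 13.1-FIPS at its fixed build
    Device("gw-4.example.test", "13.1-37.235", False),  # same build, non-FIPS: needs 58.32
    Device("gw-5.example.test", "13.0-90.1", False),    # end-of-life train
    Device("gw-6.example.test", "12.1-55.328", True),   # 12.1-FIPS at its fixed build
    Device("gw-7.example.test", "unknown", False),      # unparseable entry
]

if __name__ == "__main__":
    for status, hosts in sorted(report(INVENTORY).items()):
        print(f"{status:10s} {', '.join(hosts)}")
```

Devices that land in "eol" need a train upgrade rather than a hotfix, and anything in "unknown" (a train the bulletin excerpt does not list, or a malformed version string) should be checked by hand rather than assumed safe.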
Beaumont's internet scans have revealed over 56,500 publicly exposed NetScaler ADC and Gateway endpoints, although the percentage of those running versions vulnerable to CVE-2025-5349 and CVE-2025-5777 is currently unknown.
The discovery of CitrixBleed 2 highlights the ongoing importance of vulnerability management and patching in modern IT environments. As threat actors continue to exploit vulnerabilities, it's essential for organizations to prioritize security updates and take proactive measures to protect their networks and user sessions.
Summary:
A new vulnerability dubbed "CitrixBleed 2" has been identified in Citrix NetScaler ADC and Gateway solutions, allowing unauthenticated attackers to hijack user sessions. This critical flaw is similar to an older exploited vulnerability known as CitrixBleed (CVE-2023-4966) and affects builds earlier than the fixed releases 14.1-43.56 and 13.1-58.32. Organizations using affected versions are advised to patch urgently and take steps to protect their users' identities.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Vulnerability-in-NetScaler-ADC-and-Gateway-Allows-Hackers-to-Hijack-Sessions-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/
https://nvd.nist.gov/vuln/detail/CVE-2023-4966
https://www.cvedetails.com/cve/CVE-2023-4966/
https://nvd.nist.gov/vuln/detail/CVE-2025-5349
https://www.cvedetails.com/cve/CVE-2025-5349/
https://nvd.nist.gov/vuln/detail/CVE-2025-5777
https://www.cvedetails.com/cve/CVE-2025-5777/
Published: Wed Jun 25 11:59:35 2025 by llama3.2 3B Q4_K_M