The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a newly discovered Citrix NetScaler ADC and Gateway vulnerability, identified as CVE-2025-5777, to its Known Exploited Vulnerabilities (KEV) catalog.
This flaw, nicknamed "CitrixBleed 2" and carrying a CVSS v4.0 base score of 9.3, allows unauthenticated attackers to steal session cookies. It resembles a previous critical issue and stems from insufficient input validation, leading to a memory overread. The vulnerability affects NetScaler devices configured as Gateway (such as VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy) or as AAA virtual servers.
The issue impacts the following supported versions:
- NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and NDcPP
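The following is an added example, not code from the article or from Citrix: a small Python checker that compares a NetScaler build string against the first fixed builds listed above and reports whether a device still needs the CVE-2025-5777 update. It assumes the fixed-build table above is complete, that version strings look either like the advisory style (`14.1-43.56`, `13.1-37.235-FIPS`) or like the string printed by `show ns version` (assumed format `NetScaler NS14.1: Build 43.50.nc, ...`), and that the caller knows whether the device is configured as a Gateway or AAA virtual server, since the article states that only those roles are exposed. All sample version strings in the block are constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed build per supported release branch, taken from the advisory
# summary above. Key: (release, variant); value: (build, sub-build).
# Variant "" is the standard build; "FIPS" and "NDCPP" are the hardened builds.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDCPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Release "14.1", then any non-digit separator, then "43.56" style build.
# Accepts both "14.1-43.56" and (assumed format) "NetScaler NS14.1: Build 43.56.nc".
VERSION_RE = re.compile(r"(?P<release>\d+\.\d+)\D+(?P<build>\d+)\.(?P<sub>\d+)")
# Hardened-build marker, if present anywhere in the string.
VARIANT_RE = re.compile(r"\b(FIPS|NDcPP)\b", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, Tuple[int, int], str]:
    """Return (release, (build, sub_build), variant) parsed from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    v = VARIANT_RE.search(text)
    variant = v.group(1).upper() if v else ""
    build = (int(m.group("build")), int(m.group("sub")))
    return m.group("release"), build, variant


def assess(text: str, gateway_or_aaa: bool = True) -> Dict[str, object]:
    """Classify one device against the CVE-2025-5777 fixed builds.

    status values:
      "patched"     build is at or above the first fixed build for its branch
      "vulnerable"  supported branch, below the fix, and in an exposed role
      "unexposed"   below the fix but not configured as Gateway/AAA; still patch
      "unsupported" branch/variant not in the advisory's supported list
                    (e.g. 12.1 non-FIPS); treat as exposed and migrate
    """
    release, build, variant = parse_version(text)
    fixed: Optional[Tuple[int, int]] = FIXED_BUILDS.get((release, variant))
    result: Dict[str, object] = {
        "release": release,
        "build": build,
        "variant": variant or "standard",
        "fixed_build": fixed,
    }
    if fixed is None:
        result["status"] = "unsupported"
    elif build >= fixed:          # tuple comparison: build first, then sub-build
        result["status"] = "patched"
    elif gateway_or_aaa:
        result["status"] = "vulnerable"
    else:
        result["status"] = "unexposed"
    return result


if __name__ == "__main__":
    # Constructed inventory lines: (version string, configured as Gateway/AAA?)
    inventory = [
        ("NetScaler NS14.1: Build 43.50.nc, Date: Jun 10 2025", True),
        ("14.1-43.56", True),
        ("13.1-58.14", False),
        ("13.1-37.176-NDcPP", True),
        ("12.1-55.328-FIPS", True),
        ("12.1-55.300", True),
    ]
    for version, exposed in inventory:
        r = assess(version, gateway_or_aaa=exposed)
        print(f"{version:55} -> {r['status']:12} (fixed build: {r['fixed_build']})")
```

Feed it the version line from each device's inventory record; anything reported as `vulnerable` or `unsupported` should be patched first, and the session-termination step the article mentions should follow the update, since an attacker who already holds a leaked token keeps access until that session is killed.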
Security researcher Kevin Beaumont drew comparisons between this flaw and CVE-2023-4966, widely known as CitrixBleed. He explained that CVE-2025-5777 allows attackers to extract memory from NetScaler devices used in common remote access setups, potentially revealing sensitive data like session tokens. These tokens can be replayed to hijack sessions and bypass multi-factor authentication, replicating the same risks posed by the original CitrixBleed exploit.
Beaumont's scans using Shodan detected more than 56,500 exposed NetScaler ADC and Gateway endpoints, though it is unclear how many are actually vulnerable to CVE-2025-5777.
Citrix also addressed another high-severity vulnerability, tracked as CVE-2025-5349, which affects the management interface of NetScaler. This flaw is caused by improper access control and becomes exploitable when attackers can reach the NSIP, Cluster IP, or Local GSLB IP. Users are urged to update their devices to patched versions to reduce exposure.
Beaumont reported that attacks leveraging CitrixBleed 2 began in mid-June. At least one IP address involved has been linked to the RansomHub group. GreyNoise has tracked 10 malicious IPs from five countries targeting the U.S., France, Germany, India, and Italy over the past 30 days.
While Citrix credits Positive Technologies and ITA MOD CERT for contributing to the discovery of two vulnerabilities, the individual responsible for identifying CVE-2025-5777 has not been publicly confirmed.
Citrix advises that, after the updates are applied, administrators run the commands that terminate all active ICA and PCoIP sessions, so that sessions whose tokens may already have been leaked cannot be replayed; patching alone does not invalidate them.
Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate the vulnerability by the specified deadline, July 11, 2025, to safeguard their networks. Experts also encourage private organizations to review the KEV catalog and secure their systems accordingly.