What is CitrixBleed 2 (CVE-2025-5777)?

CitrixBleed 2 (CVE-2025-5777) is a critical memory-disclosure vulnerability in Citrix NetScaler ADC and NetScaler Gateway. An unauthenticated attacker can read fragments of appliance memory that may contain valid session tokens, and with those tokens bypass multi-factor authentication (MFA), hijack active NetScaler admin sessions, and establish unauthorized Citrix Virtual Desktop Environment (VDE) sessions. Like its predecessor, the original CitrixBleed (CVE-2023-4966), it endangers every organization that exposes these appliances at the network edge.

Understanding CitrixBleed 2

CitrixBleed 2 (CVE-2025-5777) is an out-of-bounds read rated critical with a CVSS score of 9.3. Insufficient input validation in NetScaler ADC and Gateway lets an attacker pull sensitive data out of the memory of Internet-facing appliances that are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Among the data that can leak are valid session tokens, which are all an attacker needs to maintain authenticated access.

Security researcher Kevin Beaumont named the flaw “CitrixBleed 2” to highlight its direct lineage and operational similarity to the original CitrixBleed. Both are information disclosures that hand the attacker user and administrative sessions, underscoring a persistent challenge in securing Citrix environments.

Zero-Day Exploitation of CitrixBleed 2

An unnamed Advanced Persistent Threat (APT) group exploited CitrixBleed 2 in the wild before Citrix released a patch on June 17, 2025. That pre-patch exploitation makes CitrixBleed 2 a zero-day: threat actors were using the flaw while no fix existed. Amazon’s threat intelligence team independently corroborated this, detecting exploit activity through its honeypot network. Kevin Beaumont and other researchers warned of active exploitation a month before public disclosure, underscoring the urgency of the threat. ReliaQuest observed exploitation aimed at gaining initial access to targeted environments, and GreyNoise telemetry showed activity as early as July 1, 2025.

For more details on APT groups and their methods, refer to the article: Unnamed APT Exploits Zero-Days in Citrix and Cisco, Targeting Critical Infrastructure.

How CitrixBleed 2 Works and Its Impact

CitrixBleed 2 lets attackers read session-related data out of appliance memory, in particular the NSC_AAAC session cookie. Attackers ‘spray’ the doAuthentication.do endpoint: a login request whose login parameter is sent without a value leaves a field uninitialized, and the response echoes a chunk of whatever memory that field happened to hold (roughly 127 bytes per request). Repeating the request many times and sifting the fragments for NSC_AAAC values yields tokens that grant access to whatever NetScaler session they belong to. Beyond session tokens, the leaked memory can contain other sensitive material that attackers can exfiltrate.
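The following Python model, added here for illustration and not taken from NetScaler or from any published exploit, shows why a form parameter sent without a value turns into a memory leak: a fixed-size field is written only when a value is present, but is always copied into the reply. The field size, the stale bytes standing in for previously used memory, and the handler names are all constructed for the example; the <InitialValue> element only mimics the shape of the real reply.

```python
# Added model of the CVE-2025-5777 bug class (not NetScaler's code): a fixed-size
# field that is written only when the `login` form parameter carries a value,
# but is always copied into the XML reply. Constants and names are illustrative.

FIELD_SIZE = 128  # size of the reused field; the real leak was roughly 127 bytes

# Constructed stale memory standing in for whatever the reused stack slot last
# held. On a real appliance this is arbitrary data, sometimes another user's
# session cookie, which is exactly what the attacker is fishing for.
STALE_MEMORY = b"NSC_AAAC=d2ViLWFkbWluLXNlc3Npb24tZXhhbXBsZQ==;leftover\x00\x00"


def parse_form(body: bytes) -> dict:
    """Minimal x-www-form-urlencoded parser that distinguishes `login=`
    (present, empty value) from a bare `login` (present, no value at all)."""
    params = {}
    for pair in body.split(b"&"):
        if not pair:
            continue
        if b"=" in pair:
            key, value = pair.split(b"=", 1)
            params[key] = value
        else:
            params[pair] = None
    return params


def build_response(field: bytes) -> bytes:
    """Mimics the shape of the endpoint's XML reply. The field is copied up to
    its first NUL, the way a %s-style format treats a C string."""
    return b"<InitialValue>" + field.split(b"\x00", 1)[0] + b"</InitialValue>"


def handle_vulnerable(body: bytes, stale: bytes = STALE_MEMORY) -> bytes:
    """The field starts out holding stale memory and is overwritten only when
    the request actually supplies a value."""
    field = bytearray(stale[:FIELD_SIZE].ljust(FIELD_SIZE, b"\x00"))
    value = parse_form(body).get(b"login")
    if value is not None:  # a bare `login` skips this write entirely
        n = min(len(value), FIELD_SIZE - 1)
        field[:n] = value[:n]
        field[n] = 0
    return build_response(bytes(field))


def handle_fixed(body: bytes) -> bytes:
    """Zero-initialise the field and treat a missing value as an empty one, so
    nothing from a previous use of the memory can reach the response."""
    field = bytearray(FIELD_SIZE)  # all NUL regardless of prior contents
    value = parse_form(body).get(b"login") or b""
    n = min(len(value), FIELD_SIZE - 1)
    field[:n] = value[:n]
    return build_response(bytes(field))


if __name__ == "__main__":
    normal = b"login=alice&passwd=hunter2"
    malformed = b"login"  # parameter name sent with no '=' at all
    print(handle_vulnerable(normal).decode())     # <InitialValue>alice</InitialValue>
    print(handle_vulnerable(malformed).decode())  # stale bytes up to their first NUL
    print(handle_fixed(malformed).decode())       # <InitialValue></InitialValue>
```

The point of the model is the asymmetry between the write and the read: the legitimate request overwrites the field and the reply looks normal, while the malformed request leaves it untouched and the reply hands back whatever was there. The fix is the usual pair of zero-initialising the buffer and never treating "parameter absent" as "buffer already valid".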

Successful exploitation carries severe consequences:

  • Attackers bypass multi-factor authentication: a stolen token represents a session that already passed MFA, so no second factor is ever challenged.
  • Attackers hijack active NetScaler administrative sessions, gaining control of the appliance itself.
  • Threat actors establish their own Citrix Virtual Desktop Environment sessions and reach internal resources through them.

This access can lead to broad network compromise, data exfiltration, and persistent footholds in critical infrastructure, which makes the flaw attractive to espionage-focused and state-aligned actors pursuing strategic objectives.

Detecting CitrixBleed 2 Exploitation

Organizations must look for signs of CitrixBleed 2 exploitation, since patching does not invalidate sessions stolen beforehand. ReliaQuest highlights these indicators:

  • Hijacked Citrix web sessions on NetScaler devices, where authentication activity occurs without the user’s knowledge.
  • The same session reused from multiple IP addresses.
  • Citrix sessions originating from data-center hosting IP addresses, which often indicates the attacker is coming through a consumer VPN service.
  • Unusual LDAP queries, suggesting Active Directory (AD) reconnaissance.
  • The Sysinternals tool ADExplorer64.exe present in the environment, commonly used to map AD structure.

Monitoring for these anomalies helps detect ongoing or past compromises.
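As an added example (not part of ReliaQuest’s guidance or of any NetScaler product), the script below applies the first three indicators to a constructed set of access-log lines: a burst of POSTs to doAuthentication.do from one source (the spray), a session identifier presented from more than one client IP, and a session presented from an address in a hosting range. The log format, the regular expression, the thresholds, the hosting-range list and all IPs and session ids are constructed for the example and must be adapted to a real log source.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified access-log format:
#   <timestamp> <client ip> <method> <path> <status> <session id or ->
# These are not real NetScaler logs; adjust LOG_RE to your own log source.
SPRAY_LINES = [
    f"2025-07-01T08:00:{i:02d}Z 203.0.113.5 POST /p/u/doAuthentication.do 200 -"
    for i in range(25)
]
OTHER_LINES = [
    "2025-07-01T08:05:10Z 198.51.100.20 POST /p/u/doAuthentication.do 200 -",
    "2025-07-01T08:05:11Z 198.51.100.20 GET /vpn/index.html 200 sess_5f3e",
    "2025-07-01T08:05:30Z 192.0.2.7 POST /p/u/doAuthentication.do 200 -",
    "2025-07-01T08:05:31Z 192.0.2.7 GET /vpn/index.html 200 sess_9a1b",
    # the sprayer later presents a session it never authenticated for
    "2025-07-01T08:12:00Z 203.0.113.5 GET /vpn/index.html 200 sess_5f3e",
]
SAMPLE_LOG = "\n".join(SPRAY_LINES + OTHER_LINES)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<session>\S+)$"
)
AUTH_ENDPOINT = "/p/u/doAuthentication.do"
SPRAY_THRESHOLD = 20                  # POSTs from one IP to the endpoint ...
SPRAY_WINDOW = timedelta(minutes=5)   # ... within this sliding window
# Constructed stand-in for a hosting / VPN-provider range feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_spray(events) -> dict:
    """Map each IP whose POSTs to the auth endpoint reach SPRAY_THRESHOLD
    inside SPRAY_WINDOW to the largest such burst observed."""
    times_by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == AUTH_ENDPOINT:
            times_by_ip[e["ip"]].append(e["ts"])
    bursts = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > SPRAY_WINDOW:
                start += 1
            size = end - start + 1
            if size >= SPRAY_THRESHOLD:
                bursts[ip] = max(bursts.get(ip, 0), size)
    return bursts


def find_session_reuse(events) -> dict:
    """Map each session id seen from more than one client IP to those IPs."""
    ips_by_session = defaultdict(set)
    for e in events:
        if e["session"] != "-":
            ips_by_session[e["session"]].add(e["ip"])
    return {s: sorted(v) for s, v in ips_by_session.items() if len(v) > 1}


def find_hosting_origins(events) -> dict:
    """Map session ids to the hosting-range client IPs that presented them."""
    hits = defaultdict(set)
    for e in events:
        if e["session"] == "-":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if any(addr in net for net in HOSTING_RANGES):
            hits[e["session"]].add(e["ip"])
    return {s: sorted(v) for s, v in hits.items()}


def analyze(log_text: str) -> dict:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "spray": find_spray(events),
        "session_reuse": find_session_reuse(events),
        "hosting_origins": find_hosting_origins(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

The session-reuse check is the one worth tuning most carefully: a session legitimately seen from two addresses (a user moving between networks) is noise, while the same session appearing from an address that was also spraying the authentication endpoint, as in the sample, is the signature of a stolen token. Correlating the three result sets on IP and session id, rather than alerting on any one of them, keeps the detection usable.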

Mitigation and Ongoing Vigilance

Apply the fixed builds Citrix released on June 17, 2025, for CitrixBleed 2 (CVE-2025-5777). Patching alone is not enough: tokens stolen before the upgrade remain valid afterwards, so terminate all active sessions once the appliance is updated. Citrix’s guidance gives the NetScaler CLI commands kill icaconnection -all and kill pcoipConnection -all; because the leaked NSC_AAAC cookies are AAA sessions, it is worth also running kill aaa session -all. And because the flaw was exploited as a zero-day, an appliance patched promptly may already have been compromised, so investigate NetScaler ADC and Gateway systems thoroughly even after applying the patches.

Beyond patching, review identity and access management (IAM) systems: analyze logs for the indicators of compromise listed above, enforce strong session-management policies (short session lifetimes, binding sessions to the client that created them), and revoke any sessions and credentials that may have been exposed. Regular auditing and proactive threat hunting remain essential against threats like CitrixBleed 2.

For a deeper dive into session hijacking and MFA bypass techniques, explore: CitrixBleed: Critical Flaw Leads to Session Hijacking and MFA Bypass.