A new critical vulnerability in Citrix NetScaler, dubbed CitrixBleed 2 (CVE-2025-5777), allows unauthenticated attackers to steal active sessions and bypass MFA. It affects devices exposed as Gateways and recalls the bug exploited in 2023 by state-sponsored threat actors and ransomware operators. Patch immediately and terminate all active sessions.

Key points
Citrix has disclosed a new critical vulnerability in NetScaler ADC and Gateway that is being dubbed CitrixBleed 2 (CVE-2025-5777) because of its resemblance to the infamous CVE-2023-4966 (the original CitrixBleed). The flaw allows unauthenticated attackers to perform out-of-bounds memory reads, exposing session tokens, credentials and other sensitive data. Exploitation can result in session hijacking and bypass of multifactor authentication (MFA).
In parallel, Citrix disclosed a second, high-severity vulnerability (CVE-2025-5349) involving improper access control on the management interface, reachable through the administration IPs (NSIP, Cluster IP, GSLB IP).
Entry vectors
- NetScaler appliances configured as a Gateway: VPN virtual server, ICA Proxy, Clientless VPN, RDP Proxy, or AAA virtual server.
- Access to the management IPs, for exploitation of CVE-2025-5349.
- Public exposure: more than 56,500 NetScaler endpoints have been detected as reachable from the internet, according to Kevin Beaumont.
Campaign details and precedents
Although active exploitation (in the wild) has not yet been confirmed, experts such as Charles Carmakal (Mandiant) and Kevin Beaumont warn that failing to follow post-patch good practice (such as terminating active sessions) could leave the vector open, as happened in 2023 with CitrixBleed, which was used in state espionage and ransomware campaigns.
Potential attribution
Although this new vulnerability has not been attributed to specific actors, the original CitrixBleed was historically exploited by state-funded groups and ransomware groups, so a similar interest in this new variant is presumed.
Historical context
The original CitrixBleed (CVE-2023-4966) left a deep mark on the community because it kept being exploited even after patching, since active sessions were not terminated. History repeats itself, and CitrixBleed 2 could now open the way to a new wave of attacks if you do not act quickly.
Amber Solutions recommendations
This case is a security-critical incident, an ideal fit for our vulnerability management and incident response service. In addition, penetration testing services to validate actual exposure, and hardening consulting for Citrix environments, would be key.
Amber Solutions can help you avoid scenarios such as CitrixBleed 2 by carrying out intrusion tests targeted at NetScaler devices, audits of gateway configuration and access controls, and traffic analysis for proactive detection of session hijacking.
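Detection logic of the kind the paragraph above refers to, as an added example written for this post (not Amber Solutions' or Citrix's code): it flags a gateway session identifier that is replayed from a second client address shortly after its first use, which is what a token stolen through this class of bug looks like in logs. The log line format, field names and addresses are constructed for the example and are not the NetScaler syslog format.

```python
"""Flag one gateway session ID being used from more than one client IP.

A session token stolen through a CitrixBleed-style memory disclosure is
replayed from the attacker's host, so the same session ID appearing from a
second source address soon after its first use is a strong hijack signal.
Example logic written for this post, not Citrix tooling; the log format is
constructed (ISO-8601 timestamp then key=value fields), not NetScaler syslog.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not captured from a device.
SAMPLE_LOG = """\
2025-06-25T10:00:05Z sess=ab12 user=alice ip=203.0.113.10 action=login
2025-06-25T10:03:11Z sess=ab12 user=alice ip=203.0.113.10 action=launch
2025-06-25T10:04:40Z sess=ab12 user=alice ip=198.51.100.77 action=launch
2025-06-25T10:10:00Z sess=cd34 user=bob ip=192.0.2.8 action=login
2025-06-25T10:20:00Z sess=ef56 user=bob ip=192.0.2.9 action=login
2025-06-25T09:00:00Z sess=gh78 user=carol ip=192.0.2.20 action=login
2025-06-25T11:30:00Z sess=gh78 user=carol ip=192.0.2.21 action=launch
"""

def parse_line(line: str) -> dict:
    """Split one constructed log line into a dict; the timestamp becomes 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_hijacked_sessions(log_text: str, window_hours: float = 1.0) -> list:
    """Return sorted (session, user, ips) for sessions used from several IPs.
    Only IPs seen within `window_hours` of the first use count, so long-lived
    sessions that legitimately roam stay out while a freshly replayed token hits.
    """
    window = timedelta(hours=window_hours)
    seen = defaultdict(list)  # session id -> [(ts, ip, user)]
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            seen[rec["sess"]].append((rec["ts"], rec["ip"], rec["user"]))
    alerts = []
    for sess, uses in seen.items():
        uses.sort()  # chronological; the first use anchors the window
        first_ts, first_ip, user = uses[0]
        others = {ip for ts, ip, _ in uses
                  if ip != first_ip and ts - first_ts <= window}
        if others:
            alerts.append((sess, user, (first_ip,) + tuple(sorted(others))))
    return sorted(alerts)
```

A new session ID from a new address (bob re-logging in) is not flagged; only an existing ID reused from elsewhere is, which is also why terminating sessions after patching matters: it invalidates any token already stolen.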
If your organization uses Citrix, it is time to act: check your versions, apply the recommended patches and terminate all active sessions. And remember: CitrixBleed 2 does not forgive a lack of proactivity.