The new critical vulnerability CVE-2025-5777, nicknamed Citrix Bleed 2 and explained here by the Amber Solutions team, affects NetScaler ADC and NetScaler Gateway. It is an out-of-bounds memory read that lets unauthenticated attackers retrieve sensitive data left in the appliance's memory, such as session tokens and credentials; replaying a stolen session token also sidesteps MFA, because the second factor was already satisfied when that session was created. The flaw has been compared with the original Citrix Bleed (CVE-2023-4966) because of its technical similarity.

Is it being actively exploited?
Although Citrix stated in its blog post of June 27 that there was no evidence of exploitation, ReliaQuest assessed with medium confidence that attacks were already under way in real-world environments. This kind of contradiction between the vendor and the research community often precedes broader campaigns. According to ReliaQuest, the observations include Citrix sessions hijacked without any user interaction, the same session reused from legitimate and malicious IPs, and post-exploitation reconnaissance with tools such as ADExplorer64.exe and LDAP queries, which points to an active campaign of initial access followed by lateral movement.
Entry vectors and techniques observed in Citrix Bleed 2
- Session hijacking with stolen tokens.
- MFA bypass using the exposed memory contents.
- Use of commercial VPNs (such as DataCamp) to hide the attacker's infrastructure.
- Internal reconnaissance via Active Directory once inside.
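The session-reuse pattern described above (one session ID seen from a legitimate IP and later from a different, unrelated IP with no new login in between) is the most practical thing to hunt for in your own logs. The following script is an added example written for this article, not code from Citrix, ReliaQuest or the original post: it parses constructed, simplified log lines that only loosely mimic NetScaler AAA syslog (the field layout, event names and IP addresses are assumptions made for the demonstration) and reports every session ID used from more than one client IP without a second LOGIN_SUCCESS.

```python
"""Hunt for NetScaler Gateway sessions reused across client IPs.

Added example (not from the original article or from Citrix). The log layout
below is a constructed simplification of NetScaler AAA/SSLVPN syslog; adapt
LINE_RE to the exact format your appliance emits.
"""
import re
from datetime import datetime

# Constructed sample: alice behaves normally; bob's session ID 1b2e4d is later
# used from 192.0.2.77 without a new LOGIN_SUCCESS, the Citrix Bleed 2 pattern.
SAMPLE_LOG = """\
2025-06-30T08:01:12Z AAA LOGIN_SUCCESS User alice Client_ip 203.0.113.10 SessionId 7f3a9c
2025-06-30T08:02:40Z AAA LOGIN_SUCCESS User bob Client_ip 198.51.100.22 SessionId 1b2e4d
2025-06-30T08:05:03Z SSLVPN HTTPREQUEST User alice Client_ip 203.0.113.10 SessionId 7f3a9c
2025-06-30T08:06:51Z SSLVPN HTTPREQUEST User bob Client_ip 198.51.100.22 SessionId 1b2e4d
2025-06-30T08:07:19Z SSLVPN HTTPREQUEST User bob Client_ip 192.0.2.77 SessionId 1b2e4d
2025-06-30T08:09:44Z SSLVPN HTTPREQUEST User alice Client_ip 203.0.113.10 SessionId 7f3a9c
"""

# Field names (User, Client_ip, SessionId) are assumptions of this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<module>\S+) (?P<event>\S+) User (?P<user>\S+) "
    r"Client_ip (?P<ip>\S+) SessionId (?P<sid>\S+)$"
)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def hijack_candidates(log_text):
    """Return {session_id: details} for sessions seen from more than one
    client IP with at most one login event, i.e. the IP changed without the
    user authenticating again."""
    by_sid = {}
    for e in parse(log_text):
        s = by_sid.setdefault(
            e["sid"], {"user": e["user"], "ips": [], "logins": 0, "first_foreign": None}
        )
        if e["ip"] not in s["ips"]:
            s["ips"].append(e["ip"])
            # Remember when the session first appeared from a second IP.
            if len(s["ips"]) > 1 and s["first_foreign"] is None:
                s["first_foreign"] = e["ts"]
        if e["event"] == "LOGIN_SUCCESS":
            s["logins"] += 1
    return {
        sid: s for sid, s in by_sid.items()
        if len(s["ips"]) > 1 and s["logins"] <= 1
    }


if __name__ == "__main__":
    for sid, s in hijack_candidates(SAMPLE_LOG).items():
        print(f"session {sid} (user {s['user']}) used from {s['ips']}; "
              f"first foreign use at {s['first_foreign']:%Y-%m-%d %H:%M:%S}")
```

Treat a hit as a triage lead rather than proof: mobile users changing networks can legitimately change IP mid-session, so check the second IP against the commercial VPN ranges mentioned above and against the live session list (`show icaconnection`) before terminating and investigating the account.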
Malware and actors involved
The attack has not yet been attributed to a specific group or malware, but the level of sophistication suggests that advanced actors are behind it. It cannot be ruled out that actors known for exploiting Citrix in the past, such as APT5 or FIN11, are involved, given the nature of the vector.
Historical context
This case repeats the patterns seen in the 2023 Citrix Bleed attacks, which also involved session hijacking and unauthorized access. What is worrying is that, despite the lessons of the past, the same attack surface remains viable.
Urgent recommendations
- Update to 14.1-43.56 or later, 13.1-58.32 or later, or 13.1-FIPS/NDcPP 13.1-37.235 or later.
- After upgrading, terminate all active ICA and PCoIP sessions with `kill icaconnection -all` and `kill pcoipconnection -all`; tokens stolen before the patch remain valid until the session they belong to is ended.
- Review the sessions before closing them (`show icaconnection`) to spot anomalous activity.
- If you cannot patch immediately, restrict external access to NetScaler via ACLs or firewalls.
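To check whether an appliance is already on a fixed build, it helps to have the comparison scripted, because the build numbers are not comparable across branches (13.1-FIPS/NDcPP builds are numbered separately from the main 13.1 line). The following script is an added example for this article, not code from Citrix: it parses the first line of `show ns version` output, whose "NetScaler NS14.1: Build 43.56.nc, Date: ..." layout is assumed here, and compares the build against the fixed versions listed above. Whether a box runs a FIPS/NDcPP build is passed in as a flag, since this example does not derive that from the version string.

```python
"""Check a NetScaler ADC/Gateway build against the CVE-2025-5777 fixed builds.

Added example (not from the original article or from Citrix). The `show ns
version` line format and the explicit FIPS/NDcPP flag are assumptions.
"""
import re

# Minimum fixed builds per branch, from the recommendations above.
# Key: (branch, is_fips_or_ndcpp) -> (build major, build minor)
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS / 13.1-NDcPP
}

# Assumed layout: "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025, ..."
VERSION_RE = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(show_version_output):
    """Return (branch, (major, minor)) parsed from `show ns version` output."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised NetScaler version string")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def is_patched(show_version_output, fips=False):
    """True if the build is at or above the fixed build for its branch,
    False if below, None if the branch is not covered by the fix list
    (for example end-of-life branches, which must be treated as vulnerable)."""
    branch, build = parse_version(show_version_output)
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return None
    # Tuple comparison handles "43.56" > "43.9" correctly, unlike string compare.
    return build >= fixed


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for text, fips in [
        ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025", False),
        ("NetScaler NS13.1: Build 57.26.nc, Date: Apr 2 2025", False),
        ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 10 2025", True),
    ]:
        state = {True: "patched", False: "VULNERABLE", None: "branch not in fix list"}
        print(f"{text.split(',')[0]} (fips={fips}): {state[is_patched(text, fips)]}")
```

A `None` result deserves the same urgency as `False`: a branch that is not in the fix list has no patch to apply, so the only mitigation is upgrading to a supported branch or cutting off external access.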
How can Amber Solutions help you?
This type of incident falls squarely within our incident response, forensic analysis and vulnerability management services. In addition, our penetration testing exercises could have detected similar vectors before they were exploited.
We also offer proactive CTI monitoring services, which make it possible to detect emerging campaigns before they have a real impact. Remember: a vulnerability that is not patched today can be a breach tomorrow.
At Amber Solutions we will help you stop Citrix Bleed 2 before it bleeds into your infrastructure.
And yes, Citrix Bleed 2 is already being exploited in targeted attacks. Are you going to wait until you are next?