{"id":14357,"date":"2025-06-30T11:28:09","date_gmt":"2025-06-30T11:28:09","guid":{"rendered":"https:\/\/newestek.com\/?p=14357"},"modified":"2025-06-30T11:28:09","modified_gmt":"2025-06-30T11:28:09","slug":"patch-now-citrix-bleed-2-vulnerability-actively-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14357","title":{"rendered":"Patch now: Citrix Bleed 2 vulnerability actively exploited in the wild"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Citrix users are back in the crosshairs, as a new out-of-bounds read vulnerability, reminiscent of the notorious \u201cCitrix Bleed,\u201d has surfaced with signs already pointing to active exploitation.<\/p>\n<p>The vulnerability, tracked as CVE-2025-5777 and dubbed \u201cCitrix Bleed 2\u201d by the researchers, is an insufficient input validation issue affecting Citrix NetScaler ADC and NetScaler Gateway devices, leading to memory overread, as described in a recent Citrix <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX693420\" target=\"_blank\" rel=\"noreferrer noopener\">advisory<\/a>.<\/p>\n<p>According to ReliaQuest research, the flaw might already be allowing attackers to hijack user sessions and bypass MFA authentication. 
\u201cWhile no public exploitation of CVE-2025-5777 has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments,\u201d the researchers said in a blog post.<\/p>\n<p>The cybersecurity outfit is urging Citrix customers to immediately patch the affected systems and follow the additional steps outlined by the company to secure against ongoing exploitation.<\/p>\n<h2 class=\"wp-block-heading\">Token theft via out-of-bounds memory read<\/h2>\n<p>The vulnerability, assigned a critical severity rating of CVSS 9.3 out of 10, stems from insufficient input validation, enabling attackers to perform an out-of-bounds memory read on NetScaler devices configured as Gateway or Authentication, Authorization, and Accounting (AAA) virtual servers.<\/p>\n<p>The flaw mirrors the original <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\">Citrix Bleed<\/a> denial-of-service (DoS) vulnerability in that it, too, leaks memory in response to simple HTTP requests.<\/p>\n<p>Unlike traditional session cookie theft tactics, which include cross-site scripting (<a href=\"https:\/\/www.csoonline.com\/article\/565192\/what-is-xss-cross-site-scripting-attacks-explained.html?utm=hybrid_search\">XSS<\/a>) and man-in-the-middle (<a href=\"https:\/\/www.csoonline.com\/article\/566905\/man-in-the-middle-attack-definition-and-examples.html?utm=hybrid_search\">MITM<\/a>) attacks, Citrix Bleed 2 targets session tokens, which are often used for APIs and persistent authentication. 
These tokens can be stolen and reused to bypass MFA and maintain access, even after legitimate users have signed off.<\/p>\n<p>Well-known British cybersecurity researcher and threat analyst Kevin Beaumont colorfully <a href=\"https:\/\/doublepulsar.com\/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206\" target=\"_blank\" rel=\"noreferrer noopener\">compared<\/a> the flaw to \u201cKanye West returning to Twitter,\u201d the same old chaos but louder.<\/p>\n<p>Citrix released patches on June 17 for versions 14.1, 13.1, and equivalent FIPS\/NDcPP builds. Versions 12.1 and 13.0 are end of life (EOL), and an upgrade is mandatory.<\/p>\n<h2 class=\"wp-block-heading\">Indications of real-world exploitation<\/h2>\n<p>ReliaQuest researchers <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices\/\">said<\/a> that, in multiple incidents, attackers were seen hijacking active Citrix web sessions and bypassing multi-factor authentication (MFA) without requiring user credentials. The research also highlighted \u201csession reuse across multiple IPs, including combinations of expected and suspicious IPs.\u201d<\/p>\n<p>In compromised environments, attackers proceeded with post-authentication reconnaissance, issuing Lightweight Directory Access Protocol (LDAP) queries and running tools like ADExplorer64.exe to map out Active Directory structures.<\/p>\n<p>\u201cMultiple instances of the \u2018ADExplorer64.exe\u2019 tool across the environment, querying domain-level groups and permissions and connecting to multiple domain controllers, were observed,\u201d researchers added. 
Additionally, many of the malicious sessions originated from consumer VPN services and data center IPs, which further obscured the attackers\u2019 identities while maintaining persistence inside networks.<\/p>\n<p>Apart from applying the patches, organizations are also advised to audit external NetScaler exposure (via tools like Shodan) and implement network ACLs or access restrictions until fully patched. After successful patching, Citrix advised admins to terminate all active ICA and PCoIP sessions for an added layer of protection.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Citrix users are back in the crosshairs, as a new out-of-bounds read vulnerability, reminiscent of the notorious \u201cCitrix Bleed,\u201d has surfaced with signs already pointing to active exploitation. The vulnerability tracked as CVE-2025-5777 and dubbed \u201cCitrix Bleed 2\u201d by the researchers, is an insufficient input validation issue affecting Citrix NetScaler ADC and NetScaler Gateway devices, leading to memory overread as described by a recent Citrix&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14357\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14357","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14357","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14357"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14357\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14357"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14357"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14357"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}