Threat Insight
CitrixBleed 2
A critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway has recently been confirmed to be actively exploited in the wild. It stems from insufficient input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

Successful exploitation could allow leakage of sensitive memory data, including authentication tokens and session cookies.
Attackers can use these leaks to:
- Hijack active VPN sessions
- Bypass MFA (Multi-Factor Authentication)
- Access internal systems without credentials
An attacker could send specially crafted HTTP requests to a vulnerable Citrix appliance. The appliance responds with chunks of memory containing session data. Using leaked session tokens, attackers impersonate valid users.
CVE
CVE-2025-5777
Affected Products
(NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.)
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
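The affected-product list above is a set of per-train build thresholds, and the fixed builds under Recommended Actions are the same numbers seen from the other side. The following script, an added example rather than anything published by Citrix, turns that list into a triage check: it parses a build string in either the advisory's "13.1-37.235-FIPS" style or the shape assumed here for `show ns version` output, compares it against the fixed build for its release train and FIPS/NDcPP variant, and applies the advisory's precondition that only appliances configured as a Gateway or AAA virtual server are exposed. The inventory at the bottom is constructed sample data.

```python
"""Triage helper for CVE-2025-5777 (CitrixBleed 2).

Added example, not Citrix tooling. The fixed-build thresholds come from the
advisory's affected-product list; the inventory at the bottom is constructed.
The `show ns version` output shape is an assumption (see _SHOW_VERSION_RE).
"""
import re
from typing import Optional, Tuple

Build = Tuple[int, int, int, int]

# First fixed build per release train and variant, as listed in the advisory.
# A build on the same train/variant that sorts below its entry is unpatched.
FIXED_BUILDS = {
    ("14.1", ""): (14, 1, 43, 56),
    ("13.1", ""): (13, 1, 58, 32),
    ("13.1", "FIPS"): (13, 1, 37, 235),
    ("13.1", "NDcPP"): (13, 1, 37, 235),
    ("12.1", "FIPS"): (12, 1, 55, 328),
}

# Advisory-style build string, e.g. "13.1-37.235-FIPS".
_ADVISORY_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")
# Assumed shape of `show ns version` output, e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: ...". Adjust if your appliance differs.
_SHOW_VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_build(text: str, variant: str = "") -> Tuple[Build, str]:
    """Return ((major, minor, build, sub), variant) for either input style.

    `variant` ("" / "FIPS" / "NDcPP") is taken from the advisory-style suffix
    when present; otherwise the caller must supply it, because a bare build
    number does not say which firmware line it belongs to.
    """
    text = text.strip()
    m = _ADVISORY_RE.match(text)
    if m:
        nums = tuple(int(x) for x in m.groups()[:4])
        return nums, (m.group(5) or variant)
    m = _SHOW_VERSION_RE.search(text)
    if m:
        return tuple(int(x) for x in m.groups()), variant
    raise ValueError(f"unrecognised NetScaler version string: {text!r}")


def is_affected(text: str, gateway_or_aaa_configured: bool = True,
                variant: str = "") -> Optional[bool]:
    """True if unpatched, False if patched or the precondition is unmet,
    None if the release train is not covered by the advisory."""
    nums, variant = parse_build(text, variant)
    fixed = FIXED_BUILDS.get((f"{nums[0]}.{nums[1]}", variant))
    if fixed is None:
        # e.g. 13.0 or non-FIPS 12.1: not in the advisory's list, so this
        # script cannot vouch for it; review manually.
        return None
    if not gateway_or_aaa_configured:
        # The advisory says the bug is reachable only on Gateway/AAA vservers.
        return False
    return nums < fixed


if __name__ == "__main__":
    # Constructed inventory: (hostname, version string, Gateway/AAA configured?, variant)
    inventory = [
        ("ns-gw-01", "NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025", True, ""),
        ("ns-gw-02", "14.1-43.56", True, ""),
        ("ns-fips-01", "13.1-37.200-FIPS", True, ""),
        ("ns-lb-01", "13.1-58.20", False, ""),
        ("ns-old-01", "13.0-92.21", True, ""),
    ]
    for host, version, gw, var in inventory:
        verdict = is_affected(version, gw, var)
        label = {True: "VULNERABLE - upgrade", False: "not affected",
                 None: "not in advisory - review manually"}[verdict]
        print(f"{host:12} {version:55} {label}")
```

Note that a "not affected" verdict for an appliance without a Gateway or AAA virtual server only holds for as long as that configuration stays true; re-run the check after any vserver changes, and treat a None verdict as a prompt to consult the Citrix article rather than as a clean bill of health.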
Exploitation
The vulnerability has recently been added to the CISA database of known exploited vulnerabilities. A proof-of-concept (PoC) is publicly available, further increasing the risk of exploitation.
Threat Actor
In a Medium article, Kevin Beaumont reports that one of the IP addresses associated with exploitation of this vulnerability had previously been linked by CISA to the RansomHub ransomware group last year.
Recommended Actions
We strongly recommend upgrading to the relevant patched versions as soon as possible.
NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
Run the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:
kill icaconnection -all
kill pcoipConnection -all
References
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71