
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw affecting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming that the vulnerability has been weaponized in the wild.
The vulnerability in question is CVE-2025-5777 (CVSS score: 9.3), a case of insufficient input validation that an attacker can exploit to bypass authentication when the appliance is configured as a Gateway or an AAA virtual server. It is also known as Citrix Bleed 2 because of its similarity to Citrix Bleed (CVE-2023-4966).
“Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation,” the agency said. “This vulnerability can lead to memory overreads when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.”

Several security vendors have since reported that the flaw is being exploited in real attacks, but Citrix has yet to update its own advisory to reflect this. As of June 26, 2025, Anil Shetty, Senior Vice President of Engineering at NetScaler, said “there is no evidence to suggest exploitation of CVE-2025-5777.”
However, security researcher Kevin Beaumont said in a report published this week that Citrix Bleed 2 exploitation dates back to mid-June, with one of the IP addresses carrying out the attacks having previously been linked to RansomHub ransomware activity.
GreyNoise data shows exploitation attempts originating from 10 unique malicious IP addresses in Bulgaria, the US, China, Egypt and Finland over the past 30 days. The main targets of these efforts are the US, France, Germany, India and Italy.
The addition of CVE-2025-5777 to the KEV catalog follows that of another flaw in the same product (CVE-2025-6543, CVSS score: 9.2), which CISA added to the catalog on June 30, 2025.
The name “Citrix Bleed” refers to the fact that the memory leak can be triggered repeatedly by sending the same payload, with each attempt effectively “bleeding” out more sensitive information.
“This flaw can have disastrous consequences considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers. It allows for the disclosure of session tokens and other sensitive data.
These appliances often act as centralized entry points for enterprise networks, allowing attackers to pivot from stolen sessions to access single sign-on portals, cloud dashboards, or privileged management interfaces. This type of lateral movement is particularly dangerous in hybrid IT environments where internal segmentation is weak, as a foothold can quickly become complete network access.
To mitigate this defect, organizations must immediately upgrade to the patched builds listed in Citrix’s June 17th advisory, including 14.1-43.56 or later. After patching, all active sessions, especially those authenticated via AAA or Gateway, must be terminated to invalidate any stolen tokens.
Administrators are also advised to inspect logs (such as ns.log) for suspicious requests to authentication endpoints such as /p/u/doAuthentication.do and to check responses for unexpected data in XML fields. The vulnerability is a memory over-read and leaves none of the traces of traditional malware, making token hijacking and session replay the most urgent concerns.”
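As an added example (not from the article, Citrix, or any of the vendors quoted), the following Python script implements the three post-patch checks described above as defender-side triage helpers: comparing a NetScaler build string against the 14.1-43.56 fixed build named in the article, flagging client IPs that hit /p/u/doAuthentication.do in bursts (the repeated-payload "bleed" pattern), and flagging authentication responses whose XML fields carry non-printable data, which is what a memory over-read tends to look like. Everything beyond those page facts is an assumption: the log lines and response bodies are constructed in a simplified hypothetical format, not the appliance's real ns.log layout or response schema, and fixed builds for release branches other than 14.1 must be added from the Citrix advisory.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

AUTH_ENDPOINT = "/p/u/doAuthentication.do"

# Fixed build for the 14.1 branch, as stated in the article (14.1-43.56 or later).
# Other release branches have their own fixed builds in the Citrix advisory; add
# them here from that advisory before relying on this check for those branches.
FIXED_BUILDS = {"14.1": (43, 56)}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str):
    """Split a NetScaler build string such as '14.1-43.56' into (branch, major, minor)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(version: str):
    """True if the build is at or above its branch's fixed build, False if below,
    None if the branch is not in FIXED_BUILDS (look it up in the advisory)."""
    branch, major, minor = parse_version(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return (major, minor) >= fixed


# CONSTRUCTED sample log lines in a hypothetical simplified format
# "<ISO timestamp> <client IP> <method> <path> <status>"; the real ns.log layout
# differs, so adapt LOG_RE to the appliance's actual format before use.
SAMPLE_LOG = """\
2025-06-20T10:01:02Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:01:03Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:01:03Z 198.51.100.4 GET /logon/LogonPoint/index.html 200
2025-06-20T10:01:04Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:01:05Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:01:06Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:01:07Z 203.0.113.7 POST /p/u/doAuthentication.do 200
2025-06-20T10:05:00Z 198.51.100.4 POST /p/u/doAuthentication.do 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text: str):
    """Parse the hypothetical log format above into a list of dicts."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"ts": ts, "ip": m.group(2), "method": m.group(3),
                        "path": m.group(4), "status": int(m.group(5))})
    return entries


def auth_bursts(entries, threshold=5, window_s=60):
    """Return {ip: peak number of AUTH_ENDPOINT requests inside any window_s-second
    window} for IPs that reach the threshold. A single source replaying the same
    request in quick succession is the 'bleed' pattern the article describes."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["path"] == AUTH_ENDPOINT:
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


_PRINTABLE = {chr(c) for c in range(32, 127)} | set("\t\r\n")


def suspicious_response(body: str) -> bool:
    """Heuristic for the article's advice to look for unexpected data in response
    fields: a body that is not well-formed XML, or whose element text contains
    characters outside printable ASCII, is treated as a possible memory over-read."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return True  # control characters from leaked memory break XML parsing
    for el in root.iter():
        for text in (el.text, el.tail):
            if text and any(ch not in _PRINTABLE for ch in text):
                return True
    return False


# CONSTRUCTED response bodies with hypothetical element names, not Citrix's real schema.
CLEAN_RESPONSE = '<AuthResponse><Status>Fail</Status><Field name="login">alice</Field></AuthResponse>'
GARBLED_RESPONSE = '<AuthResponse><Status>Fail</Status><Field name="login">\u00ff\u00fe\x7fA\u00c3</Field></AuthResponse>'
MALFORMED_RESPONSE = '<AuthResponse><Field name="login">\x01\x02</Field>'

if __name__ == "__main__":
    print("14.1-43.56 patched:", is_patched("14.1-43.56"))
    print("burst sources:", auth_bursts(parse_log(SAMPLE_LOG)))
    print("clean:", suspicious_response(CLEAN_RESPONSE),
          "garbled:", suspicious_response(GARBLED_RESPONSE))
```

The burst threshold and window are deliberately conservative defaults; legitimate users rarely post to the authentication endpoint more than a handful of times a minute, so tune them against a baseline from the appliance's own traffic before acting on the output. A flagged source or response is a reason to pull the full request and terminate the related sessions, not proof of compromise on its own.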

The development follows reports of active exploitation of a critical security vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to deploy Netcat and the XMRig cryptocurrency miner in attacks targeting South Korea using PowerShell and shell scripts. CISA added the flaw to its KEV catalog in July 2024.
“Threat actors target environments with vulnerable GeoServer installations, including Windows and Linux, and have NetCat and XMRig CoinMiner installed,” says AhnLab.

“When CoinMiner is installed, it uses the system’s resources to mine Monero coins for the threat actor. Threat actors can use the installed NetCat to perform a variety of malicious behaviors, including installing other malware and stealing information from the system.”