Citrix claimed that Citrix Bleed 2 was not being actively exploited; it turned out that it was.
Researchers have published proof-of-concept (PoC) exploits for a critical vulnerability in Citrix NetScaler, known as CVE-2025-5777 and called Citrix Bleed 2. The flaw is said to be easy to exploit.
Exploited or not?
Citrix Bleed 2 allows attackers to retrieve memory contents from NetScaler devices via POST requests. According to a source from Bleeping Computer, approximately 127 bytes of data leak with each request. Because each request only yields a small slice, attackers send repeated HTTP requests until they eventually obtain sensitive data.
According to Citrix itself, the vulnerability is not being actively exploited, but experts claim otherwise: they say they have found clear signs of attacks in log files. The situation is reminiscent of the earlier Citrix Bleed vulnerability from 2023. That flaw was widely exploited by ransomware and espionage groups, often because systems were not patched in time.
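Since the flaw leaks only a small slice of memory per request, an attacker has to send many POST requests to the same endpoint in a short time, and that pattern is what a defender can look for in access logs. The script below is an added illustration and is not code from the article, from Citrix or from the researchers; it assumes a generic Common Log Format and uses a made-up endpoint path and made-up client addresses, because the article gives neither a log format nor the affected endpoint. It flags any (source IP, path) pair that sends more than a threshold of POST requests inside a sliding time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one Common Log Format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_post_bursts(lines, threshold=20, window_seconds=60):
    """Return {(ip, path): peak_count} for every client that sent at least
    `threshold` POST requests to one path within any `window_seconds` window.
    Lines must be in chronological order (sort them first if they are not)."""
    windows = defaultdict(deque)   # (ip, path) -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["ip"], rec["path"])
        q = windows[key]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:          # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def build_sample_log():
    """Constructed sample log (not real NetScaler output): one client hammering a
    single endpoint with POSTs for 40 seconds, plus ordinary browsing from another."""
    base = datetime(2025, 7, 7, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'
    lines = []
    for i in range(40):
        t = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        # hypothetical endpoint and address; the 127-byte size mirrors the per-request leak in the article
        lines.append(fmt.format(ip="198.51.100.9", ts=t, method="POST",
                                path="/example/auth", status=200, size=127))
        if i % 10 == 0:
            lines.append(fmt.format(ip="203.0.113.7", ts=t, method="GET",
                                    path="/vpn/index.html", status=200, size=5120))
    return lines


if __name__ == "__main__":
    for (ip, path), count in find_post_bursts(build_sample_log()).items():
        print(f"suspicious: {ip} sent {count} POSTs to {path} within 60s")
```

Tune `threshold` and `window_seconds` to the normal login rate of the deployment; a legitimate client rarely POSTs to the same authentication path dozens of times a minute, while a memory-scraping loop has to. Any flagged address is a candidate for the session review the vendor advises, not proof of compromise on its own.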
Citrix has since released security updates and advises users to apply them immediately. Users should also check their existing sessions for suspicious activity and terminate them manually; with active exploits in circulation, that step can never hurt.