Citrix Bleed 2 Possibly Actively Exploited

Security researchers warn that Citrix Bleed 2 may already be actively exploited by hackers to gain access to corporate networks.

Security researchers from ReliaQuest warn of active exploitation of CVE-2025-5777. The bug has been known since June 17, and Citrix has since released a patch, but that does not mean the update has been widely deployed. The vulnerability has the potential to become a follow-up to the original Citrix Bleed.

CVE-2025-5777 allows attackers to capture session tokens through an out-of-bounds memory read. This enables them to bypass multi-factor authentication and hijack user sessions.

Indications of Exploitation

Although there is no public evidence of widespread exploitation, ReliaQuest reports signs indicating active exploitation. For instance, Citrix sessions were hijacked without users noticing. In some cases, the same session was reused from different IP addresses, indicating session theft.

It was also noted that LDAP queries were run for Active Directory reconnaissance and that tools such as “ADExplorer64.exe” appeared on multiple systems. Part of the attack traffic may be routed through VPN services, which makes the origin harder to trace.

Urgent Patching

The situation strongly resembles the previous Citrix Bleed vulnerability from 2023, which was widely exploited by ransomware and espionage groups, often because systems were not patched in time.

Citrix advises organizations to immediately update their NetScaler ADC and Gateway devices to the latest versions. Active sessions should also be terminated to prevent stolen tokens from granting access. Versions 12.1 and 13.0 are no longer supported and should be replaced with a recent version.

ReliaQuest recommends that companies closely monitor their network logs for suspicious sessions and unusual HTTP requests. As with the first Citrix Bleed, a simple GET request with abnormally long headers can indicate an exploitation attempt. Until the updates are in place, access to vulnerable systems should additionally be restricted through network rules.
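The two indicators the article describes, a session token reused from different client IPs and GET requests with abnormally long headers, can be checked in a log review. The following is an added example, not code from ReliaQuest or Citrix; the log format, field names, paths and the 4096-byte threshold are all constructed assumptions and must be adapted to the real log source and a baseline of normal header sizes.

```python
import re
from collections import defaultdict

# Constructed sample access records (not real NetScaler log output). Fields:
# timestamp, client IP, method, path, session cookie value, request header bytes.
SAMPLE_LOGS = """\
2025-06-20T10:00:01Z 203.0.113.10 GET /login sess=abc123 hdr_bytes=412
2025-06-20T10:00:05Z 203.0.113.10 GET /login sess=- hdr_bytes=7300
2025-06-20T10:01:00Z 198.51.100.7 GET /portal sess=abc123 hdr_bytes=390
2025-06-20T10:02:00Z 192.0.2.44 GET /portal sess=def456 hdr_bytes=455
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"sess=(?P<sess>\S+) hdr_bytes=(?P<hdr>\d+)$"
)

# Assumed threshold; derive it from a baseline of normal header sizes in your environment.
MAX_HEADER_BYTES = 4096


def parse_logs(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["hdr"] = int(rec["hdr"])
            records.append(rec)
    return records

def long_header_requests(records, limit=MAX_HEADER_BYTES):
    """GET requests whose header size exceeds the limit: possible exploitation attempt."""
    return [(r["ts"], r["ip"], r["hdr"]) for r in records
            if r["method"] == "GET" and r["hdr"] > limit]

def sessions_from_multiple_ips(records):
    """Session tokens seen from more than one client IP: possible session theft."""
    ips_by_session = defaultdict(set)
    for r in records:
        if r["sess"] != "-":  # '-' marks requests carrying no session cookie
            ips_by_session[r["sess"]].add(r["ip"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}

def detect(text):
    """Run both checks over raw log text and return the findings."""
    records = parse_logs(text)
    return {"long_headers": long_header_requests(records),
            "shared_sessions": sessions_from_multiple_ips(records)}
```

Sessions flagged by the second check are candidates for immediate termination, which is also what Citrix advises after patching.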