
A critical new vulnerability dubbed “CitrixBleed 2” is being actively
exploited by cybercriminals, marking a dangerous return of session hijacking
attacks that plagued organizations in 2023. The critical flaw, tracked as
CVE-2025-5777, allows remote attackers to steal session tokens and
bypass multi-factor authentication (MFA) without any authentication required.
ReliaQuest published a report in which it claimed “with medium confidence”
that attackers are actively exploiting CVE-2025-5777 to gain initial access to
targeted environments. The cybersecurity firm identified multiple indicators of
compromise, including hijacked Citrix sessions, unauthorized authentication
grants, and suspicious session reuse across multiple IP addresses.
How CitrixBleed 2 Works
The vulnerability stems from insufficient input validation in Citrix NetScaler
ADC and Gateway devices, leading to an out-of-bounds memory read. Like the
original CitrixBleed (CVE-2023-4966), it may allow unauthenticated attackers to
grab valid session tokens from the memory of internet-facing NetScaler devices
by sending a malformed request.
What makes this particularly dangerous is the scope of exposure. Security
researcher Kevin Beaumont, who coined the “CitrixBleed 2” moniker, discovered
that over 50,000 potentially vulnerable instances are exposed to the internet
through Shodan searches using the favicon hash -1292923998,-1166125415.
The vulnerability affects NetScaler devices configured as Gateway or AAA
virtual servers—common setups for remote access in enterprise
environments.
Initially, Citrix’s advisory mentioned only the management interface, but the
company later updated the description to include these broader configurations,
significantly expanding the attack surface.
Escalated Threat: Session Tokens vs. Cookies
Unlike session cookies, which are often tied to short-lived browser sessions,
session tokens are typically used in broader authentication frameworks, such
as API calls or persistent application sessions, according to ReliaQuest
researchers.
This distinction makes CitrixBleed 2 potentially more severe than its
predecessor, as attackers can maintain access longer and operate across
multiple systems even after users terminate their browser sessions.
The vulnerability carries a critical CVSS score of 9.3 and affects NetScaler
ADC and Gateway version 14.1 before build 47.46 and version 13.1 before build
59.19.
While Citrix initially stated they were not aware of in-the-wild exploitation
at the time of disclosure, ReliaQuest’s evidence-based assessment suggests
active exploitation is likely occurring, adding urgency to patching efforts.
Immediate Action Required
Organizations running vulnerable NetScaler devices should immediately apply
the latest patches and terminate all active sessions. Citrix specifically
recommends running these commands after upgrading:
kill icaconnection -all
kill pcoipConnection -all
Security teams can identify vulnerable internet-facing devices using Shodan
searches with organization-specific filters such as
org:YourOrg http.favicon.hash:-1292923998,-1166125415
or
ssl:YourOrg html:Citrix
Broader Industry Impact
This marks the second major Citrix vulnerability under active exploitation
this week, following CVE-2025-6543, which Citrix confirmed is being exploited
in the wild. The pattern mirrors the 2023 CitrixBleed campaign that was
extensively exploited by ransomware groups and state-sponsored actors.
With evidence mounting for active exploitation and tens of thousands of
vulnerable devices exposed, security experts warn that CitrixBleed 2 could
trigger another wave of high-profile breaches. Organizations should prioritize
immediate patching and implement additional monitoring for unusual session
activity, particularly authentication from unexpected IP addresses or rapid
session reuse patterns.
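The closing advice above is to watch for the same session appearing from more than one IP address, for rapid session reuse, and for authentication from unexpected networks. The following script is an added illustration of that monitoring logic, not code from ReliaQuest, Citrix, or this article. The log line format, the session IDs, the IP addresses and the "expected" corporate network are all constructed for the example; real NetScaler syslog output uses different field layouts, so the regular expression would need to be adapted to an actual export.

```python
"""Flag NetScaler-style session records that match the article's indicators:
one session token seen from several source IPs, an IP switch within a short
window, use of a token with no observed authentication grant, and traffic
from networks the organisation does not expect logins from.

Added example; the log format and all values below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, event, session id, source IP.
# Session a1b2c3 is reused from a second IP two minutes after the grant;
# g7h8i9 is used without any grant in the log; d4e5f6 looks normal.
SAMPLE_LOG = """\
2025-06-25T10:00:01Z AUTH_GRANT sid=a1b2c3 src=203.0.113.10
2025-06-25T10:00:05Z SESSION_USE sid=a1b2c3 src=203.0.113.10
2025-06-25T10:02:10Z SESSION_USE sid=a1b2c3 src=198.51.100.77
2025-06-25T10:02:12Z SESSION_USE sid=a1b2c3 src=198.51.100.77
2025-06-25T11:00:00Z AUTH_GRANT sid=d4e5f6 src=203.0.113.20
2025-06-25T11:30:00Z SESSION_USE sid=d4e5f6 src=203.0.113.20
2025-06-25T12:00:00Z SESSION_USE sid=g7h8i9 src=192.0.2.5
"""

# Hypothetical line layout for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\S+) sid=(?P<sid>\S+) src=(?P<src>\S+)$"
)

# Hypothetical list of networks this organisation expects logins from.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse(log_text):
    """Return a list of (timestamp, event, session id, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["event"], m["sid"], ipaddress.ip_address(m["src"])))
    return events


def find_suspicious_sessions(events, window=timedelta(minutes=10)):
    """Map each suspicious session id to the list of reasons it was flagged."""
    by_sid = defaultdict(list)
    for ts, event, sid, src in events:
        by_sid[sid].append((ts, event, src))

    findings = {}
    for sid, evs in by_sid.items():
        evs.sort()
        reasons = []

        # Indicator 1: one session token observed from more than one IP.
        if len({src for _, _, src in evs}) > 1:
            reasons.append("multiple_source_ips")

        # Indicator 2: consecutive uses from different IPs within the window,
        # which is hard to explain by ordinary client roaming.
        for (ts_prev, _, src_prev), (ts_cur, _, src_cur) in zip(evs, evs[1:]):
            if src_cur != src_prev and ts_cur - ts_prev <= window:
                reasons.append("rapid_ip_switch")
                break

        # Indicator 3: the token is in use but no grant was logged for it.
        # Only meaningful if the log window covers the session's lifetime.
        if not any(event == "AUTH_GRANT" for _, event, _ in evs):
            reasons.append("use_without_observed_auth")

        # Indicator 4: any activity from outside the expected networks.
        if any(not any(src in net for net in EXPECTED_NETS)
               for _, _, src in evs):
            reasons.append("unexpected_source_network")

        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(parse(SAMPLE_LOG)).items():
        print(f"{sid}: {', '.join(reasons)}")
```

Run against the constructed log, the script flags a1b2c3 for reuse from a second IP within the window and for the foreign network, and g7h8i9 for use without a logged grant; d4e5f6 is left alone. The ten-minute window and the expected-network list are tuning knobs; a VPN-heavy workforce or mobile clients that change IP will need a longer window or a per-user baseline to keep false positives down.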