Key Points

Citrix released an advisory for CVE-2025-5777 affecting NetScaler ADC and Gateway devices, allowing attackers to hijack user sessions and bypass authentication.

While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access.

Citrix recommends patching affected systems to the latest versions and terminating active sessions to mitigate session hijacking and further risks of exploitation.


On June 17, 2025, Citrix released an advisory detailing two vulnerabilities impacting NetScaler ADC and NetScaler Gateway.

  • CVE-2025-6543 (CVSS 9.2), a memory overflow leading to unintended control flow and denial of service (DoS), has reportedly been actively exploited.

  • CVE-2025-5777 (CVSS 9.3), an out-of-bounds memory read reminiscent of the infamous “Citrix Bleed” (CVE-2023-4966), leaks session tokens from appliance memory, allowing attackers to bypass authentication mechanisms, including multifactor authentication (MFA).

While no public exploitation of CVE-2025-5777, dubbed “Citrix Bleed 2,” has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.

Observed Exploitation Activity

ReliaQuest has observed indicators suggesting exploitation of Citrix NetScaler Gateway vulnerabilities to gain initial access:

  • A hijacked Citrix web session on the NetScaler device: authentication succeeded without the user's involvement, indicating an MFA bypass.

  • Session reuse across multiple IPs, including combinations of expected and suspicious IPs.

  • LDAP queries associated with Active Directory reconnaissance activities.

  • Multiple instances of the “ADExplorer64.exe” tool across the environment, querying domain-level groups and permissions and connecting to multiple domain controllers.

  • Citrix sessions originating from data-center-hosting IP addresses, such as those associated with DataCamp, suggesting the use of consumer VPN services.

The Original Citrix Bleed

In 2023, a vulnerability known as “Citrix Bleed” gained notoriety for its significant impact on Citrix NetScaler ADC and Gateway appliances. The flaw allowed attackers to extract session cookies directly from memory, enabling them to bypass MFA and hijack user sessions. Ransomware gangs and advanced persistent threat (APT) groups exploited the vulnerability on a massive scale, using the stolen sessions to enter networks, move laterally, and disrupt operations.

Citrix Bleed emphasized the risks of unpatched systems, leaving organizations scrambling to secure their networks. While Citrix released patches to address the flaw, many remained vulnerable due to outdated appliances and improper session termination. To this day, Citrix Bleed continues to be exploited, proving that the flaw is far from forgotten by threat actors.

Now, Citrix Bleed 2 has emerged, building on the legacy of its predecessor.

What Is Citrix Bleed 2?

Like its forerunner, Citrix Bleed 2 enables attackers to extract authentication data from memory—this time using out-of-bounds memory reads to steal tokens. These tokens allow attackers to bypass MFA and hijack user sessions, granting unauthorized access to sensitive systems.

Citrix Bleed 2 mirrors the original in enabling authentication bypass and session hijacking, but the material it exposes is the session token itself. A token remains valid on the appliance until the session is terminated server-side, regardless of what the user does in the browser, so a stolen token outlives the user's browser session and can be replayed from other hosts.

This means that attackers who have already harvested tokens could maintain access and operate across multiple systems without detection, even after the user has closed the browser and even after the appliance has been patched, until the active sessions are killed. That is why Citrix's guidance pairs the update with session termination.

Update Guidance

Citrix advises customers of NetScaler ADC and NetScaler Gateway to install the following versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases

  • NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP

After the patches have been applied, Citrix advises running the following commands to terminate all active ICA and PCoIP sessions, so that any tokens harvested before the fix can no longer be replayed:

  • kill icaconnection -all

  • kill pcoipConnection -all

Lastly, it is important to note that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end of life and receive no fix; customers on those releases are urged to upgrade to supported versions as soon as possible.
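To turn the version list above into a repeatable check, the following added example (not part of the Citrix advisory or the original post) parses the version banner an appliance prints and compares its build against the fixed builds quoted above. It assumes the banner has the shape “NetScaler NS14.1: Build 43.50.nc, …”, as printed by `show ns version` on the NetScaler CLI; the sample banners in the block are constructed for illustration, not taken from a real appliance. Note the FIPS/NDcPP caveat: 13.1-FIPS and 13.1-NDcPP builds are numbered 37.x and must be flagged explicitly, or a patched FIPS box would be misreported as vulnerable against the mainline 13.1 threshold.

```python
import re

# Minimum fixed builds named in the Citrix guidance quoted above, keyed by
# (release train, FIPS/NDcPP). The FIPS/NDcPP line of 13.1 has its own build
# numbering (13.1-37.x), so it is tracked separately from mainline 13.1.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

# Release trains the guidance calls end of life: no fix, upgrade instead.
EOL_RELEASES = {"12.1", "13.0"}

# Matches the version banner printed by `show ns version`, e.g.
# "NetScaler NS14.1: Build 43.50.nc, Date: ...". Assumption: the
# "NS<release>: Build <major>.<minor>" shape; anything else is rejected.
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(banner: str) -> tuple[str, tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from a version banner."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    return match["release"], (int(match["major"]), int(match["minor"]))


def assess(banner: str, fips: bool = False) -> str:
    """Classify an appliance as 'patched', 'vulnerable', 'end-of-life' or 'unknown'.

    `fips` must be True for 13.1-FIPS / 13.1-NDcPP appliances; their 37.x
    builds would otherwise be compared against the mainline 13.1 threshold
    and a patched appliance would be reported as vulnerable.
    """
    release, build = parse_version(banner)
    if release in EOL_RELEASES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (43, 56) after (43, 50) and before (47, 46).
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed banners for illustration, not output from a real appliance.
    samples = [
        ("NetScaler NS14.1: Build 43.50.nc", False),
        ("NetScaler NS14.1: Build 43.56.nc", False),
        ("NetScaler NS13.1: Build 58.32.nc", False),
        ("NetScaler NS13.1: Build 37.235.nc", True),
        ("NetScaler NS13.0: Build 92.21.nc", False),
    ]
    for banner, is_fips in samples:
        print(f"{assess(banner, fips=is_fips):12s} {banner}")
```

A "patched" result only means the build is at or above the fixed version; the session-termination commands above are still required, because tokens leaked before the upgrade stay valid until their sessions are killed.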

In addition to patching, organizations should:

  • Restrict Access: Build network access control lists (ACLs) or firewall rules to limit access to vulnerable appliances until patches are applied.

  • Monitor Anomalous Activity: Pay close attention to external connections and behaviors that may indicate exploitation attempts, including reuse of a single NetScaler session from multiple source IPs and web server log entries with abnormally long HTTP requests or headers. For example, exploitation of the original Citrix Bleed involved an HTTP GET request to “/oauth/idp/.well-known/openid-configuration” with a “Host” header 24,812 characters long.
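The two detections named in that bullet, and the session-reuse and hosting-IP indicators in the Observed Exploitation Activity section, can be expressed as simple checks over session and web server records. The block below is an added example, not ReliaQuest's detection content: the session events, HTTP requests and the hosting-provider prefix are all constructed (TEST-NET ranges stand in for whatever data-center and VPN egress ranges a threat-intel feed would supply), and the record shapes are assumptions about what a NetScaler AAA/syslog export would be normalized into. The Host-length threshold rests on the fact that a DNS hostname is at most 253 characters, so a Host value of several hundred bytes has no legitimate use.

```python
import ipaddress
from collections import defaultdict

# Constructed sample session records: (session_id, source_ip). Assumption:
# NetScaler session telemetry normalized to one row per request.
SESSION_EVENTS = [
    ("sess-A1", "198.51.100.10"),  # expected corporate egress, one IP
    ("sess-A1", "198.51.100.10"),
    ("sess-B2", "198.51.100.10"),  # legitimate start of the session ...
    ("sess-B2", "203.0.113.77"),   # ... then the same token replayed elsewhere
    ("sess-C3", "192.0.2.5"),
]

# Placeholder data-center/VPN egress prefixes (constructed; feed your own).
HOSTING_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed web-server request records: (client_ip, method, path, host_header).
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
HTTP_REQUESTS = [
    ("198.51.100.10", "GET", OPENID_PATH, "gateway.example.com"),
    ("203.0.113.77", "GET", OPENID_PATH, "a" * 24812),  # Citrix Bleed-style request
    ("192.0.2.5", "POST", "/p/u/doAuthentication.do", "gateway.example.com"),
]

# A DNS hostname is at most 253 characters; allow a little slack for ":port".
MAX_HOST_LEN = 300


def is_hosting_ip(ip: str) -> bool:
    """True if the address falls inside a known hosting/VPN egress prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PREFIXES)


def sessions_reused_across_ips(events):
    """Session IDs seen from more than one source IP -> sorted list of IPs."""
    ips_by_session = defaultdict(set)
    for session_id, ip in events:
        ips_by_session[session_id].add(ip)
    return {sid: sorted(ips) for sid, ips in ips_by_session.items() if len(ips) > 1}


def sessions_from_hosting_ips(events):
    """Sorted session IDs that were used at least once from a hosting prefix."""
    return sorted({sid for sid, ip in events if is_hosting_ip(ip)})


def oversized_host_requests(requests, max_len: int = MAX_HOST_LEN):
    """Requests whose Host header exceeds max_len: (client_ip, path, host_len)."""
    return [
        (ip, path, len(host))
        for ip, _method, path, host in requests
        if len(host) > max_len
    ]


if __name__ == "__main__":
    for sid, ips in sessions_reused_across_ips(SESSION_EVENTS).items():
        print(f"session {sid} reused from {', '.join(ips)}")
    for sid in sessions_from_hosting_ips(SESSION_EVENTS):
        print(f"session {sid} used from a hosting/VPN egress range")
    for ip, path, host_len in oversized_host_requests(HTTP_REQUESTS):
        print(f"{ip} requested {path} with a {host_len}-character Host header")
```

Session reuse from a mix of expected and hosting-range IPs, as in `sess-B2` above, is the pattern worth alerting on; a single session from a hosting range alone may just be a user on a consumer VPN.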