- Citrixbleed 2 was discovered at the end of June 2025
- Most instances have not yet been patched
- Security researchers warn that the bug is probably already being exploited
Citrixbleed 2, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is now being actively exploited in the wild, several researchers have warned.
Security researchers recently found a critical-severity vulnerability in these instances that allows threat actors to hijack user sessions and gain access to targeted environments.
The bug, described as an insufficient input validation vulnerability that leads to memory overread, is tracked as CVE-2025-5777 and affects device versions 14.1 and before 47.46, and from 13.1 and before 59.19. Given its resemblance to an earlier Citrix vulnerability called Citrixbleed, security researchers named it Citrixbleed 2.
(No) proof of abuse
A patch was made available shortly thereafter, but apparently most instances are not yet patched, and threat actors are taking advantage of that fact. Multiple security research teams, including ReliaQuest, watchTowr and Horizon3.ai, have warned users about ongoing exploitation campaigns.
The Register notes that watchTowr Labs found a “significant part of the Citrix NetScaler user base” not yet patched against Citrixbleed 2, and urged everyone to do so, because the bug is “trivial” to exploit.
“We previously stated that we were not going to release this vulnerability analysis,” the researchers said. However, “minimal” information about the bug “puts these users in a difficult position when determining whether they should sound an internal alarm.”
Shortly thereafter, Horizon3.ai said “Threat actors will probably also include it in their toolkits.”
At the same time, Citrix is sending mixed signals about whether the bug is actually being exploited in the wild. The company directs all media questions to a blog post discussing the issue, which says: “There is currently no evidence to suggest exploitation of CVE-2025-5777.”
In the FAQ of the same blog post, however, it also said “immediate installation of the recommended updates is crucial because of the identified severity of this vulnerability and proof of active exploitation.” It is left somewhat vague whether this answer relates to Citrixbleed 2 or to another vulnerability.
Finally, elsewhere in the FAQ: “We are currently not aware of any proof of exploitation for CVE-2025-5349 or CVE-2025-5777.”
We would advise everyone to patch, simply to be on the safe side, especially since Citrixbleed was abused by nation-states in highly targeted attacks.