A critical NetScaler ADC and Gateway vulnerability dubbed “Citrix Bleed 2” (CVE-2025-5777) is now likely exploited in attacks, according to cybersecurity firm ReliaQuest, seeing an increase in suspicious sessions on Citrix devices.

Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont due to its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to access portions of memory that should typically be inaccessible.

This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).

Citrix’s advisor also confirms this risk, warning users to end all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions.

The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation. However, Beaumont warned about the high likelihood of exploitation earlier this week.

The researcher’s worries now seem justified, as ReliaQuest says with medium confidence that CVE-2025-5777 is already being leveraged in targeted attacks.

“While no public exploitation of CVE-2025-5777, dubbed “Citrix Bleed 2,” has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments,” warns ReliaQuest.

This conclusion is based on the following observations from actual attacks seen recently:

• Hijacked Citrix web sessions were observed where authentication was granted without user interaction, indicating attackers bypassed MFA using stolen session tokens.
• Attackers reused the same Citrix session across both legitimate and suspicious IP addresses, suggesting session hijacking and replay from unauthorized sources.
• LDAP queries were initiated post-access, showing that attackers performed Active Directory reconnaissance to map users, groups, and permissions.
• Multiple instances of ADExplorer64.exe ran across systems, indicating coordinated domain reconnaissance and connection attempts to various domain controllers.
• Citrix sessions originated from data center IPs associated with consumer VPN providers like DataCamp, suggesting attacker obfuscation via anonymized infrastructure.

The above is consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is being exploited in the wild.

To protect against this activity, potentially impacted users should upgrade to versions 14.1-43.56+, 13.1-58.32+, or 13.1-FIPS/NDcPP 13.1-37.235+ to remediate the vulnerability.

After installing the latest firmware, admins should terminate all active ICA and PCoIP sessions, as they may have already been hijacked.

Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection command and  NetScaler Gateway > PCoIP > Connections.

After reviewing the active sessions, admins can then terminate them using these commands:

kill icaconnection -all
kill pcoipconnection -all

If the immediate installation of security updates is impossible, it is recommended that external access to NetScaler be limited via network ACLs or firewall rules.

In response to our questions as to whether CVE-2025-5777 is being actively exploited, Citrix referred us back to a blog post published yesterday where they state that they see no signs of exploitation.

“Currently, there is no evidence to suggest exploitation of CVE-2025-5777,” reads the Citrix post.

However, another Citrix vulnerability, tracked as CVE-2025-6543 is being exploited in attacks to cause a denial of service condition on NetScaler devices.

Citrix says that this flaw and the CVE-2025-5777 flaw are in the same module but are different bugs.

Update 6/27/25: Added information about Citrix’s blog post.