“`html
Significant vulnerability in Citrix NetScaler devices mirrors the notorious 2023 security incident that incapacitated major enterprises globally.
The newly discovered critical flaw in Citrix NetScaler devices has cybersecurity professionals alerting about the risk of extensive exploitation, drawing distressing parallels to the destructive “CitrixBleed” incidents that afflicted organizations in 2023.
This vulnerability, identified as CVE-2025-5777 and referred to as “CitrixBleed 2,” permits attackers to extract confidential information directly from device memory, potentially circumventing multi-factor authentication and taking control of user sessions.
The vulnerability examination revealed by watchTower Labs analysts indicates that the memory leak flaw influences NetScaler ADC and NetScaler Gateway devices set up as remote access gateways.
With a critical CVSS severity rating of 9.3, the vulnerability arises from inadequate input validation, leading to memory overread during authentication request handling.
The initial CitrixBleed vulnerability (CVE-2023-4966) was heavily exploited by ransomware groups and state-sponsored actors, resulting in prominent breaches including attacks on Boeing and Comcast’s Xfinity service that impacted 36 million customers.
Active Exploitation Inevitable
Cybersecurity company ReliaQuest has indicated that they have detected “medium confidence” signs implying that the vulnerability is already being utilized in focused attacks.
Indicators include compromised Citrix web sessions where authentication was granted without user consent, pointing to a successful multi-factor authentication circumvention.
The experts uncovered several alarming trends: session reuse across questionable IP addresses, LDAP queries linked to Active Directory exploration, and multiple occurrences of the ADExplorer64.exe tool being employed in breached environments. Attackers seem to be utilizing consumer VPN services to conceal their activities while executing post-breach investigations.
The watchTower Labs investigation indicates that exploiting the vulnerability is unexpectedly simple. By dispatching a malformed HTTP request to the Citrix Gateway login endpoint without appropriate parameter values, attackers can initiate a memory leak that uncovers uninitialized variables harboring confidential information from the device’s memory.
“What’s occurring underneath is a quintessential example of C-language mischief,” the experts described. “The backend parser eventually provides us with an uninitialized local variable” containing whatever data had been previously stored in memory, potentially incorporating session tokens and other private details.
The vulnerability emerges when attackers submit HTTP POST requests to the /p/u/doAuthentication.do endpoint with malformed login parameters. Instead of correctly initializing memory variables, the system yields whatever previous residual data was held in memory, crafting a classic instance of CWE-457: Use of Uninitialized Variable.
Security researcher Kevin Beaumont, who introduced the term “CitrixBleed 2,” noted that more than 50,000 potentially vulnerable NetScaler instances are exposed to the internet based on Shodan searches. The Shadowserver Foundation found that over 1,200 appliances remain unpatched as of late June 2025, despite Citrix issuing fixes on June 17.
Citrix has issued security updates for supported versions and strongly advises organizations to upgrade without delay.
The organization suggests terminating all active ICA and PCoIP sessions post-patching to avert possible session hijacking. Organizations utilizing end-of-life versions 12.1 and 13.0 must upgrade to supported versions, as these will not receive security patches.
Given the significant consequences of the initial CitrixBleed incidents, which continued to be exploited for months after patches were available, cybersecurity experts highlight that organizations cannot afford to postpone patching activities.
The vulnerability’s resemblance to its forerunner implies it will likely become a preferred method for cybercriminals seeking initial access to corporate networks.
“`