- CitrixBleed 2 was discovered in late June 2025
- The majority of instances have not yet been patched
- Security researchers are warning the bug is likely being exploited already
CitrixBleed 2, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is now being actively exploited in the wild, multiple researchers have warned.
Security researchers recently found a critical-severity vulnerability in these products which could allow threat actors to hijack user sessions and gain access to targeted environments.
The flaw, described as an insufficient input validation vulnerability that leads to a memory overread, is tracked as CVE-2025-5777 and affects NetScaler versions 14.1 before build 47.46 and 13.1 before build 59.19. Given its similarity to a previous Citrix vulnerability called CitrixBleed, security researchers dubbed it CitrixBleed 2.
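As an added example that is not part of this article or of any Citrix tooling, the following Python helper turns the affected-version statement above into a repeatable check over an asset inventory. It assumes version strings arrive either in advisory form ("14.1-47.46") or in the form of the appliance's version banner ("NetScaler NS14.1: Build 47.46.nc"); the banner layout is an assumption, and the host names and builds in the sample inventory are constructed.

```python
import re
from typing import List, Optional, Tuple

# Fixed builds taken from the article: 14.1 before build 47.46 and
# 13.1 before build 59.19 are affected by CVE-2025-5777.
FIXED_BUILDS = {
    (14, 1): (47, 46),
    (13, 1): (59, 19),
}

# Matches "14.1-47.46" (advisory style) and "NS14.1: Build 47.46.nc"
# (assumed appliance banner style). Groups: major, minor, build, sub-build.
_VERSION_RE = re.compile(
    r"(?:NS)?(\d+)\.(\d+)\s*[-:]\s*(?:Build\s+)?(\d+)\.(\d+)"
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, build, sub_build) as integers, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, sub = (int(g) for g in m.groups())
    return (major, minor, build, sub)


def assess(text: str) -> str:
    """Classify a version string against the fixed builds.

    Returns one of: "vulnerable", "patched", "unknown branch", "unparseable".
    Branches the article does not list are reported as "unknown branch"
    rather than "patched", so an unlisted branch is never mistaken for safe.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    major, minor, build, sub = parsed
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown branch"
    # Compare numerically as tuples; string comparison would rank 100.5 below 59.19.
    return "vulnerable" if (build, sub) < fixed else "patched"


# Constructed inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("gw-01", "NetScaler NS14.1: Build 47.46.nc"),
    ("gw-02", "NetScaler NS14.1: Build 43.50.nc"),
    ("gw-03", "13.1-59.19"),
    ("gw-04", "13.1-58.32"),
    ("gw-05", "12.1-65.25"),
]


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Map each host to its assessment so the result can be sorted or exported."""
    return {host: assess(banner) for host, banner in inventory}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Only the two branches the article names are in the table; anything else reports "unknown branch" so that an end-of-life or differently numbered build is escalated for a manual look at the vendor advisory rather than silently passed.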
(No) evidence of abuse
A patch was made available soon after, but apparently, the majority of instances have not yet been patched, and threat actors are taking advantage of that fact. Multiple security researchers, including ReliaQuest, watchTowr, and Horizon3.ai, have warned users of ongoing exploitation campaigns.
The Register notes watchTowr Labs found a “significant portion of the Citrix NetScaler user base” had not yet patched against CitrixBleed 2, urging everyone to do so since the bug is “trivial” to exploit.
“Previously, we stated that we had no intention to release this vulnerability analysis,” the researchers said. However, “minimal” information sharing about the flaw “puts these users in a tough position when determining if they need to sound an internal alarm.”
Soon afterwards, Horizon3.ai said “by now threat actors are likely to be including it in their toolkits as well.”
At the same time, Citrix is giving out mixed signals about whether the bug is actually being exploited in the wild. The company is redirecting all media inquiries to a blog post on the matter, which says “Currently, there is no evidence to suggest exploitation of CVE-2025-5777.”
However, in the FAQ of the same blog post, it also says “immediate installation of the recommended updates is critically important due to the identified severity of this vulnerability and evidence of active exploitation.” It is unclear whether this answer refers to CitrixBleed 2 or to a different vulnerability.
Finally, elsewhere in the FAQ, it says “We are currently unaware of any evidence of exploitation for CVE-2025-5349 or CVE-2025-5777.”
We’d advise everyone to patch up, just to be on the safe side, especially since CitrixBleed was being abused by nation-states in highly targeted attacks.