Digital Event Horizon
Critical CitrixBleed 2 vulnerability has been under active exploit for weeks, allowing hackers to bypass multifactor authentication and commandeer vulnerable devices. Researchers are sounding the alarm about a critical security flaw in Citrix's NetScaler products that could have far-reaching consequences for organizations and individuals alike.
CitrixBleed 2 is a critical security vulnerability in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway that allows hackers to bypass multifactor authentication. The vulnerability, CVE-2025-5777, shares similarities with the previous CitrixBleed vulnerability (CVE-2023-4966), which compromised 20,000 Citrix devices two years ago. CitrixBleed 2 is a memory disclosure vulnerability that causes vulnerable devices to leak memory contents after receiving modified requests. The severity rating for CitrixBleed 2 is 9.2, making it a critical security vulnerability. Citrix initially disclosed the vulnerability but released a patch nine days later, despite evidence of active exploitation since June 23. Researchers and security firms have criticized Citrix for lack of transparency and communication about the vulnerability. The incident highlights the need for transparent communication from vendors about active exploitation and actionable information to defenders and threat hunters.
Critical CitrixBleed 2 vulnerability has been under active exploit for weeks, and researchers are sounding the alarm about a critical security flaw in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway that allows hackers to bypass multifactor authentication. The vulnerability, tracked as CVE-2025-5777, shares similarities with the previous CitrixBleed vulnerability (CVE-2023-4966), which led to the compromise of 20,000 Citrix devices two years ago.
CitrixBleed 2 is a memory disclosure vulnerability that causes vulnerable devices to leak or "bleed" small chunks of memory contents after receiving modified requests sent over the Internet. By repeatedly sending the same requests, hackers can piece together enough data to reconstruct credentials and gain administrative access to compromised devices. The severity rating for CitrixBleed 2 is 9.2, making it a critical security vulnerability.
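Because the technique described above depends on replaying the same request many times, a defender's first signal is a burst of identical requests against the gateway from one source. The following is an added example, not code from the article or from Citrix: it runs a sliding-window replay detector over constructed access-log lines whose format (timestamp, source, method, path, status, response bytes) and endpoint path are assumptions, not NetScaler's own log layout.

```python
"""Flag sources that replay one identical request against a gateway endpoint."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format, not real NetScaler output):
# "<ISO timestamp> <src_ip> <method> <path> <status> <response_bytes>"
SAMPLE_LOG = """\
2025-07-01T10:00:00 203.0.113.7 POST /auth/login 200 1850
2025-07-01T10:00:01 203.0.113.7 POST /auth/login 200 1852
2025-07-01T10:00:02 203.0.113.7 POST /auth/login 200 1849
2025-07-01T10:00:03 203.0.113.7 POST /auth/login 200 1851
2025-07-01T10:00:04 203.0.113.7 POST /auth/login 200 1850
2025-07-01T10:00:05 203.0.113.7 POST /auth/login 200 1853
2025-07-01T10:05:00 198.51.100.20 GET /auth/login 200 4210
2025-07-01T10:09:00 198.51.100.20 GET /auth/login 200 4210
2025-07-01T10:09:30 198.51.100.20 POST /auth/login 302 0
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "path": path, "status": int(status), "bytes": int(size)}


def find_replay_bursts(lines, window_seconds=60, threshold=5):
    """Return {(src, method, path): peak_count} for every source that sent
    the same request at least `threshold` times inside any sliding window
    of `window_seconds`. Lines that fail to parse are skipped."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-request-key timestamps inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["method"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for key, count in find_replay_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"replay burst: {key[0]} {key[1]} {key[2]} x{count}")
```

The threshold and window are tuning knobs; legitimate clients retry logins too, so treat a hit as a lead for investigation rather than proof of compromise.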
Citrix initially disclosed the vulnerability on June 17 but released a security patch nine days later, stating that it was "currently unaware of any evidence of exploitation." However, researchers have found evidence that CitrixBleed 2 has been actively exploited for weeks, with security firm GreyNoise discovering exploitation as early as July 1. Independent researcher Kevin Beaumont also reported telemetry from honeypot logs indicating that CitrixBleed 2 has been exploited since June 23.
The lack of transparency and communication from Citrix about the vulnerability has drawn criticism from researchers and security firms. watchTowr published a post titled "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)," criticizing Citrix for withholding indicators that customers could use to determine whether their networks were under attack. Horizon3.ai echoed this sentiment, stating that publishing security advisories with limited information only serves to hurt defenders and threat hunters in the long term.
Beaumont stated that providing no technical details about the vulnerability gave attackers a head start and left customers with a false sense of security that simply applying patches resolved the problem. He argued that providing useful indicators could have helped customers identify signs that vulnerable devices had been compromised.
Citrix has declined to comment on whether it is aware of active exploitation, stating only that it is committed to transparency in responsibly sharing information that can help customers identify any anomalies in their NetScaler products as part of their own analysis.
In light of this critical vulnerability, researchers and security experts emphasize the importance of patching vulnerable devices and using provided indicators to identify signs of compromise. The incident highlights the need for transparent communication from vendors about active exploitation and the importance of providing actionable information to defenders and threat hunters.
Related Information:
https://www.digitaleventhorizon.com/articles/Citrixs-Critical-Vulnerability-Conundrum-The-Active-Exploitation-of-CitrixBleed-2-deh.shtml
https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/
Published: Wed Jul 9 08:27:49 2025 by llama3.2 3B Q4_K_M