Check for CitrixBleed 2 exploitation even if you patched quickly! (CVE-2025-5777)
With PoC exploits for CVE-2025-5777 (aka CitrixBleed 2) now public and reports of active exploitation of the flaw since mid-June, you should check whether your Citrix NetScaler ADC and/or Gateway instances have been probed and compromised by attackers.
Citrix’s current official line is that they have no evidence of in-the-wild exploitation and no indicators of compromise to share. Luckily, several security companies and researchers have provided some.
CVE-2025-5777 exposed
CVE-2025-5777 is an out-of-bounds memory read vulnerability stemming from insufficient input validation, which may allow unauthenticated attackers to extract valid session tokens from the memory of internet-facing, vulnerable NetScaler ADC and Gateway instances.
The vulnerability can be exploited by repeatedly sending modified login requests to the login endpoint (i.e., /p/u/doAuthentication.do) which, as explained by watchTowr and Horizon3.ai researchers, returns a chunk of the appliance’s memory contents in its response.
The amount of data leaked each time is limited but, as watchTowr researchers noted, “repeat [the request] enough times, and eventually, you might land on something valuable,” such as strings that match the format of legitimate user session tokens.
“This isn’t just limited to endpoints accessible to normal users. The configuration utilities administrators use to manage Netscaler Gateway endpoints ALSO utilize this memory space, meaning those tokens are vulnerable to theft as well,” Horizon3.ai’s Jimi Sebree added, and showed how they managed to get a session token associated with the “nsroot” user for the entire Citrix NetScaler ADC instance.
Exploitation under way, indicators of compromise available
A patch for CVE-2025-5777 was released by Citrix on June 17, and reports that the vulnerability is likely being exploited started popping up the following week.
ReliaQuest researchers spotted attacks which they assessed, with medium confidence, were pulled off by exploiting CitrixBleed 2 to bypass multi-factor authentication and hijack web sessions.
WatchTowr and Horizon3.ai researchers followed by publishing the results of their technical analysis of the vulnerability as well as potential indicators of compromise to help Citrix NetScaler end users determine whether they’ve been breached or not.
“In terms of post-exploitation activities, we assume similar actions from the original CitrixBleed may be taken,” the latter pointed out.
“These actions include adding backdoor accounts, dumping and modifying the running config with persistence mechanisms, and installing remote access utilities. Each of these actions are captured by many of the default logging mechanisms, though it should be noted that if admin sessions or credentials are compromised, logging configurations could also be modified, which itself is a pretty clear indicator of compromise.”
Security researcher Kevin Beaumont says that attackers have been scanning for vulnerable NetScaler devices and stealing sessions for almost a month.
“GreyNoise are currently running a retrospective hunt on their honeypot network, and so far see activity spanning back to July 1st — this is before any public technical details on the vulnerability dropped,” he noted, and shared a list of IP addresses from which the attacks are/were coming.
“One of the IP addresses executing attacks in mid June has prior been linked to the RansomHub ransomware group by CISA last year,” he added. “A report in ReliaQuest of suspected exploitation suggests tooling often used by e-crime groups involved in ransomware.”
He helpfully outlined the threat hunting steps to be performed before patching, and advised all organizations – even those that implemented the patch soon after it was provided – to check for signs of compromise.
UPDATE (July 11, 2025, 01:10 p.m. ET):
CISA has added CitrixBleed 2 to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to mitigate the vulnerability or discontinue use of the product by the end of the day.
Akamai’s Security Intelligence Group said today that since the disclosure of the exploit, they have seen a drastic increase in vulnerability scanner traffic and additional threat actors searching for vulnerable targets.
“A legitimate POST request to perform authentication would include very expected parameter names like login, passwd, and additional parameters with corresponding values,” they noted.
“In an exploit attempt, there would also be a noticeably large attackers’ controlled payload in the User-Agent header and an HTTP body, which might only include the login string.”
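The request shape Akamai describes above, together with the "repeat the request enough times" pattern from the watchTowr analysis earlier on the page, can be turned into a simple retrospective hunt. The following Python script is an added example written for this article, not code from Akamai, watchTowr, Citrix or anyone else quoted here. It runs over constructed sample records (the record layout, the RFC 5737 source addresses, the 256-byte User-Agent limit and the repeat threshold are all assumptions made for the example) and flags POSTs to the authentication endpoint whose body carries a bare `login` with no value or no `passwd` at all, whose User-Agent is oversized, and sources that hammer the endpoint repeatedly:

```python
"""Hunt for CVE-2025-5777-shaped login requests in HTTP access records.

Heuristics follow the traffic description quoted on this page: a legitimate
NetScaler authentication POST carries 'login' and 'passwd' parameters with
values, while exploit attempts hit the same endpoint with an oversized,
attacker-controlled User-Agent and a body that may contain only the bare
'login' string, repeated many times to harvest memory.
"""
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qsl

AUTH_ENDPOINT = "/p/u/doAuthentication.do"
UA_MAX_LEN = 256        # assumption: anything longer is treated as attacker-controlled padding
REPEAT_THRESHOLD = 5    # assumption: this many auth POSTs from one source counts as hammering


@dataclass
class Finding:
    src: str
    reasons: list


def analyze_request(rec):
    """Return the reasons this record looks like an exploit attempt ([] if benign).

    `rec` is a dict with keys src, method, path, user_agent, body (assumed layout).
    """
    reasons = []
    if rec["method"] != "POST" or not rec["path"].endswith(AUTH_ENDPOINT):
        return reasons
    # keep_blank_values=True is what makes a bare "login" (no '=') parse as login=''
    params = dict(parse_qsl(rec["body"], keep_blank_values=True))
    if "login" in params and params["login"] == "":
        reasons.append("bare 'login' parameter without a value")
    if "passwd" not in params:
        reasons.append("no 'passwd' parameter in authentication body")
    if len(rec["user_agent"]) > UA_MAX_LEN:
        reasons.append(f"User-Agent is {len(rec['user_agent'])} bytes")
    return reasons


def hunt(records):
    """Return (per-request findings, set of sources that hammered the endpoint)."""
    findings = []
    hits = Counter()
    for rec in records:
        if rec["method"] == "POST" and rec["path"].endswith(AUTH_ENDPOINT):
            hits[rec["src"]] += 1
        reasons = analyze_request(rec)
        if reasons:
            findings.append(Finding(rec["src"], reasons))
    hammering = {src for src, n in hits.items() if n >= REPEAT_THRESHOLD}
    return findings, hammering


# Constructed sample records, not real logs: one legitimate login, one unrelated
# GET, and six exploit-shaped POSTs from a single source.
SAMPLE_RECORDS = [
    {"src": "203.0.113.10", "method": "POST", "path": AUTH_ENDPOINT,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) CitrixReceiver",
     "body": "login=alice&passwd=s3cret&savecredentials=false"},
    {"src": "192.0.2.44", "method": "GET", "path": "/vpn/index.html",
     "user_agent": "Mozilla/5.0", "body": ""},
] + [
    {"src": "198.51.100.7", "method": "POST", "path": AUTH_ENDPOINT,
     "user_agent": "X" * 300, "body": "login"}
    for _ in range(6)
]


if __name__ == "__main__":
    found, hammering = hunt(SAMPLE_RECORDS)
    for f in found:
        print(f"{f.src}: " + "; ".join(f.reasons))
    print("sources hammering the auth endpoint:", sorted(hammering))
```

Feed it whatever layer actually recorded the request body and User-Agent (a WAF, reverse proxy or full-packet capture); as Beaumont notes further down, the default NetScaler logging does not retain enough to make this determination on its own. A legitimate client that happens to send a long User-Agent will trip only the length check, so treat the three reasons together, plus the repeat count, as the signal rather than any one of them.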
Researcher Kevin Beaumont says that the basic NetScaler logging switched on by default cannot show whether an instance has been breached through CitrixBleed 2, and that organizations should check their firewall logs for indicators of compromise.
He also noted that Citrix’s post-patching instructions to clear sessions don’t cover all the relevant session types. “ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie,” he stated.
UPDATE (July 17, 2025, 04:10 a.m. ET):
GreyNoise said that they started observing CVE-2025-5777 exploitation attempts on June 23, 2025, i.e., nearly two weeks before a public PoC was released on July 4.
“Early exploitation attempts came from malicious IPs geolocated in China. Rather than exploiting indiscriminately, these IPs targeted GreyNoise sensors configured to emulate Citrix NetScaler appliances, suggesting deliberate targeting,” the company added.
Imperva has flagged 11.5 million attack attempts targeting potentially vulnerable Citrix NetScaler instances worldwide, mostly sites in the Financial Services and Gaming industries.
Kevin Beaumont noted that a ransomware group has also had the exploit since June and has been using it for initial access.
Citrix/NetScaler has published a guide for organizations that want to analyze NetScaler logs for indicators of attempted exploitation of CVE-2025-5777, but Beaumont’s advice to clear all session types on compromised devices (rather than only the ones NetScaler’s guidance mentions) should be followed.