Check for CitrixBleed 2 exploitation even if you patched quickly! (CVE-2025-5777)
With PoC exploits for CVE-2025-5777 (aka CitrixBleed 2) now public and reports of active exploitation of the flaw since mid-June, you should check whether your Citrix NetScaler ADC and/or Gateway instances have been probed and compromised by attackers.
Citrix’s current official line is that they have no evidence of in-the-wild exploitation and no indicators of compromise to share. Luckily, several security companies and researchers have provided some.
CVE-2025-5777 exposed
CVE-2025-5777 is an out-of-bounds memory read vulnerability stemming from insufficient input validation, which may allow unauthenticated attackers to extract valid session tokens from the memory of internet-facing, vulnerable NetScaler ADC and Gateway instances. Per Citrix's advisory, the flaw is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
The vulnerability can be exploited by repeatedly sending malformed login requests to the login page (i.e., the /p/u/doAuthentication.do endpoint). As explained by watchTowr and Horizon3.ai researchers, a POST in which the login parameter is supplied without a value causes the appliance to echo uninitialized memory back to the client in its response.
The amount of data leaked each time is limited but, as watchTowr researchers noted, “repeat [the request] enough times, and eventually, you might land on something valuable,” such as strings that match the format of legitimate user session tokens.
“This isn’t just limited to endpoints accessible to normal users. The configuration utilities administrators use to manage Netscaler Gateway endpoints ALSO utilize this memory space, meaning those tokens are vulnerable to theft as well,” Horizon3.ai’s Jimi Sebree added, and showed how they managed to get a session token associated with the “nsroot” user for the entire Citrix NetScaler ADC instance.
Exploitation under way, indicators of compromise available
A patch for CVE-2025-5777 was released by Citrix on June 17, and reports that the vulnerability is likely being exploited started popping up the following week.
ReliaQuest researchers spotted attacks which they assessed, with medium confidence, were pulled off by exploiting CitrixBleed 2 to bypass multi-factor authentication and hijack web sessions.
watchTowr and Horizon3.ai researchers followed by publishing the results of their technical analysis of the vulnerability, as well as potential indicators of compromise to help Citrix NetScaler end users determine whether they have been breached.
“In terms of post-exploitation activities, we assume similar actions from the original CitrixBleed may be taken,” the latter pointed out.
“These actions include adding backdoor accounts, dumping and modifying the running config with persistence mechanisms, and installing remote access utilities. Each of these actions is captured by many of the default logging mechanisms, though it should be noted that if admin sessions or credentials are compromised, logging configurations could also be modified, which itself is a pretty clear indicator of compromise.”
Security researcher Kevin Beaumont says that attackers have been scanning for vulnerable NetScaler devices and stealing sessions for almost a month.
“GreyNoise are currently running a retrospective hunt on their honeypot network, and so far see activity spanning back to July 1st — this is before any public technical details on the vulnerability dropped,” he noted, and shared a list of IP addresses from which the attacks are/were coming.
“One of the IP addresses executing attacks in mid June has previously been linked to the RansomHub ransomware group by CISA last year,” he added. “A report in ReliaQuest of suspected exploitation suggests tooling often used by e-crime groups involved in ransomware.”
He helpfully outlined the threat hunting steps to be performed before patching, and advised all organizations – even those that implemented the patch soon after it was provided – to check for signs of compromise.
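As an added illustration (not code from the article, from Citrix, or from any of the researchers named above), the following Python script runs the two checks the text implies over constructed sample log lines: a source that repeatedly hammers /p/u/doAuthentication.do (probing for the memory leak described earlier) and a session token that is presented from more than one client IP (a hijacked session). The log format, IP addresses and session IDs are made up for the example; real NetScaler ns.log records use a different layout, so the regular expressions would need to be adapted to your export before use.

```python
import re
from collections import Counter, defaultdict

# Hypothetical, simplified log format used only for this example (NOT real
# NetScaler syslog). Two record kinds:
#   <iso-ts> src=<client ip> REQ <method> <path> <status>
#   <iso-ts> src=<client ip> SESSION sid=<32 hex chars> user=<name>
LOGIN_PATH = "/p/u/doAuthentication.do"   # endpoint named in the public write-ups
REQ_RE = re.compile(r"^\S+ src=(?P<src>\S+) REQ (?P<method>\S+) (?P<path>\S+) \d+$")
SESS_RE = re.compile(r"^\S+ src=(?P<src>\S+) SESSION sid=(?P<sid>[0-9A-F]{32}) user=(?P<user>\S+)$")

# Constructed session IDs (real NetScaler session identifiers look different).
ALICE_SID = "E1F2A3B4C5D6E7F8A9B0C1D2E3F4A5B6"
BOB_SID = "0123456789ABCDEF0123456789ABCDEF"

# Constructed sample: two normal logins, one address hammering the login
# endpoint 40 times, and alice's session ID later showing up from an
# unrelated address without any login from there.
SAMPLE_LINES = [
    "2025-07-01T09:00:01Z src=10.0.0.5 REQ POST /p/u/doAuthentication.do 200",
    f"2025-07-01T09:00:02Z src=10.0.0.5 SESSION sid={ALICE_SID} user=alice",
    "2025-07-01T09:01:00Z src=10.0.0.8 REQ POST /p/u/doAuthentication.do 200",
    f"2025-07-01T09:01:01Z src=10.0.0.8 SESSION sid={BOB_SID} user=bob",
] + [
    f"2025-07-01T09:03:{i:02d}Z src=198.51.100.7 REQ POST /p/u/doAuthentication.do 200"
    for i in range(40)
] + [
    f"2025-07-01T09:05:10Z src=203.0.113.9 SESSION sid={ALICE_SID} user=alice",
    "2025-07-01T09:06:00Z src=10.0.0.8 REQ GET /vpn/index.html 200",
]


def find_probers(lines, threshold=20):
    """Return {src_ip: count} for sources that POSTed to the login endpoint
    at least `threshold` times. Repeated hits are the leak's signature: each
    request leaks a little memory, so attackers loop until a token appears."""
    counts = Counter()
    for line in lines:
        m = REQ_RE.match(line)
        if m and m["method"] == "POST" and m["path"] == LOGIN_PATH:
            counts[m["src"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def find_shared_sessions(lines):
    """Return {sid: (user, [ips])} for session IDs presented from more than
    one client IP. A stolen token replayed by the attacker shows up as the
    victim's session arriving from an address the victim never logged in from."""
    ips_by_sid = defaultdict(set)
    user_by_sid = {}
    for line in lines:
        m = SESS_RE.match(line)
        if m:
            ips_by_sid[m["sid"]].add(m["src"])
            user_by_sid[m["sid"]] = m["user"]
    return {
        sid: (user_by_sid[sid], sorted(ips))
        for sid, ips in ips_by_sid.items()
        if len(ips) > 1
    }


def hunt(lines, probe_threshold=20):
    """Combine both checks into one triage report."""
    return {
        "probers": find_probers(lines, probe_threshold),
        "shared_sessions": find_shared_sessions(lines),
    }


if __name__ == "__main__":
    for name, finding in hunt(SAMPLE_LINES).items():
        print(name, finding)
```

Both findings are triage leads, not proof: a single legitimate user moving between Wi-Fi and mobile networks will also present one session from two addresses, so cross-check flagged sessions against the login records for those addresses, and treat a high request count from one source against the login endpoint as probing even when no session reuse is visible yet.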