Citrix Releases Critical Patches Amid Ongoing Attacks Exploiting Vulnerabilities

Citrix has issued urgent patches for vulnerabilities in its NetScaler devices, including the flaw now known as Citrix Bleed 2. The exploit lets attackers bypass multifactor authentication, hijack user sessions and gain unauthorized access to critical systems.
The vulnerabilities affect customer-managed versions of NetScaler ADC, previously known as Citrix ADC, and NetScaler Gateway. On June 17, Citrix released a patch for CVE-2025-5777, a critical vulnerability with a CVSS score of 9.2 that affects numerous device versions. After applying the patch, administrators must terminate all active ICA and PCoIP sessions, since sessions established before the fix may already have been hijacked.
Citrix has confirmed that versions 12.1 and 13.0 of NetScaler ADC and NetScaler Gateway are end of life and will not receive patches, and is urging customers to upgrade to supported versions that address these vulnerabilities.
Research by British cybersecurity expert Kevin Beaumont found that over 18,000 Citrix systems remain exposed to the internet, with approximately 25% still unpatched against CVE-2025-5777. Beaumont coined the name Citrix Bleed 2 for this vulnerability because of its similarity to an earlier flaw, CVE-2023-4966, and his findings underline the urgency of patching.
The vulnerability allows attackers to read sensitive memory from NetScaler devices, particularly when they are configured as Gateway or AAA virtual servers, a common setup in many large organizations. On June 25, Citrix also addressed a second vulnerability, CVE-2025-6543, which carries a CVSS score of 9.3 and was a zero-day already being exploited before the company's alert.
Although CVE-2025-5777 and CVE-2025-6543 affect the same modules, they are distinct flaws. Citrix describes CVE-2025-6543 as a memory overflow, while CVE-2025-5777 stems from insufficient input validation that leads to a memory over-read. Reports indicate that attackers are actively using CVE-2025-5777 to hijack web sessions and bypass multifactor authentication.
Security experts note that, like its predecessor, this vulnerability lets criminals extract authentication data from device memory. Beyond the threat to data integrity, this raises the risk of unauthorized access to sensitive systems. The intrusion methods map to several tactics in the MITRE ATT&CK framework, including initial access and privilege escalation, adding to the urgency for organizations to remediate promptly.
Finally, while the Citrix Bleed 2 vulnerability draws attention because of its potential impact, it is also a reminder of the evolving nature of cyber threats. Proactive measures, including vigilant monitoring of logs and prompt installation of security patches, remain essential for safeguarding organizational assets against such attacks.
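The article's closing advice to monitor logs can be put into practice by looking for the hallmark of a hijacked session: one session identifier used from more than one client address. The following detector is an added example, not code from the article, Citrix or Kevin Beaumont; the log line format and the IP addresses are constructed for the example and do not reproduce NetScaler's real log syntax.

```python
"""Flag session records in which one session ID is observed from several
client IPs, a common indicator that a session token was stolen and replayed."""
import re
from collections import defaultdict

# Constructed, simplified log lines (not real NetScaler output). The detector
# only needs a timestamp, session ID, user name and client IP per line.
SAMPLE_LOG = """\
2025-06-27T08:01:10Z SESSION sid=a1f3 user=alice client=198.51.100.7
2025-06-27T08:03:44Z SESSION sid=a1f3 user=alice client=198.51.100.7
2025-06-27T08:04:02Z SESSION sid=a1f3 user=alice client=203.0.113.55
2025-06-27T08:05:19Z SESSION sid=b7c2 user=bob client=192.0.2.14
2025-06-27T08:06:00Z SESSION sid=b7c2 user=bob client=192.0.2.14
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SESSION sid=(?P<sid>\w+) user=(?P<user>\S+) client=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, sid, user, ip) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("sid"), m.group("user"), m.group("ip")


def find_shared_sessions(text):
    """Return {sid: record} for every session ID seen from more than one client IP.

    Each record holds the user, the ordered list of distinct client IPs, the first
    timestamp for the session and the timestamp at which a second IP first appeared."""
    seen = defaultdict(lambda: {"user": None, "ips": [], "first_seen": None, "switched_at": None})
    for ts, sid, user, ip in parse_log(text):
        rec = seen[sid]
        if rec["first_seen"] is None:
            rec["first_seen"], rec["user"] = ts, user
        if ip not in rec["ips"]:
            rec["ips"].append(ip)
            if len(rec["ips"]) == 2:
                rec["switched_at"] = ts  # first use of this session from a new client
    return {sid: rec for sid, rec in seen.items() if len(rec["ips"]) > 1}


if __name__ == "__main__":
    for sid, rec in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} ({rec['user']}) used from {rec['ips']}; "
              f"second client first seen at {rec['switched_at']}")
```

A hit is a lead rather than proof, because legitimate users also change addresses when roaming between networks or behind carrier NAT; correlate flagged sessions with the patch date and with the MFA and login events for that user before treating them as compromised.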