Urgent: Critical CitrixBleed 2 Vulnerability Actively Exploited for Weeks

A critical vulnerability in Citrix NetScaler appliances has been actively exploited for weeks, despite the company's statement that it has seen no evidence of exploitation. The flaw, tracked as CVE-2025-5777, leaks data that lets attackers bypass multifactor authentication, and it poses a significant risk to enterprise networks that expose these devices to the Internet.

The flaw closely resembles CVE-2023-4966, known as CitrixBleed, which was used to compromise around 20,000 Citrix devices worldwide. High-profile victims of that earlier campaign included Boeing, DP World, and the Industrial and Commercial Bank of China. Exploitation of CitrixBleed also led to the Comcast breach that exposed the data of roughly 36 million Xfinity customers, underscoring how severe this class of bug can be.

Both CVE-2025-5777 and its predecessor reside in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, which sit at the network edge to provide load balancing and single sign-on. Each bug lets a specially crafted request from the Internet leak a small amount of the appliance's memory. By sending the same malformed request over and over, an attacker accumulates these fragments until session tokens or other credentials can be reconstructed from them, and a stolen session token can then be replayed without ever passing the multifactor prompt.

With a severity score of 9.2, CitrixBleed 2 is only slightly less severe than the original CitrixBleed. Citrix disclosed the flaw and released patches on June 17. In a later update to its advisory the company said it was not aware of any exploitation, and it has not updated that statement since. One practical caveat for administrators: because tokens leaked before the upgrade remain valid until their sessions end, patching alone is not enough, and Citrix's advisory also instructs customers to terminate all active ICA and PCoIP sessions after installing the fix.

Research indicates a different reality. Security firm GreyNoise observed exploit attempts against its sensors as early as July 1. Independent researcher Kevin Beaumont reported that the first evidence of exploitation dates to around June 23, three days before Citrix's statement that it knew of no attacks. This discrepancy raises concerns about the transparency of Citrix's advisories.

Researchers have also pointed to details missing from Citrix's communications. An analysis by security firm watchTowr criticized the company for not publishing the indicators of compromise that customers need to tell whether they have been attacked. Another security firm made the same point, noting that without concrete detection guidance organizations are left exposed to ongoing exploitation.
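In the absence of vendor-supplied indicators, two of the leak's own properties are usable as hunting heuristics: the exploit has to repeat the same request many times to harvest memory, and a harvested session token is replayed from the attacker's host rather than the victim's. The script below is an added example written for this page, not Citrix's or any of the cited researchers' code. It runs both checks over a constructed, simplified access-log format; the field layout, the 60-second window, the threshold of 20 requests, and the authentication endpoint path are all assumptions, so adapt the regular expression and the path to whatever your NetScaler log pipeline actually emits.

```python
"""
Hunting for CitrixBleed-2-style activity in (simplified) NetScaler access logs.

Heuristic 1: one source hammering the Gateway authentication endpoint
             (memory-leak bugs are exploited by repeating a request and
             collecting a few bytes of memory per response).
Heuristic 2: one session token seen from more than one source IP
             (a leaked token replayed by the attacker, bypassing MFA).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed endpoint; confirm against your own deployment's logs.
AUTH_PATH = "/p/u/doAuthentication.do"

# Constructed log format: <iso-ts> <src-ip> "<method> <path> HTTP/1.x" <status> <bytes> [sess=<id>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) (?P<size>\d+)(?: sess=(?P<sess>\S+))?$'
)

# Constructed sample: 25 auth requests in 25 seconds from 203.0.113.7, then a
# legitimate login from 198.51.100.20 whose session id later shows up from
# 203.0.113.7, plus one unrelated login from 192.0.2.33.
SAMPLE_LOG = "\n".join(
    [f'2025-06-23T10:00:{i:02d}Z 203.0.113.7 "POST {AUTH_PATH} HTTP/1.1" 200 {1180 + i}'
     for i in range(25)]
    + [
        f'2025-06-23T10:05:00Z 198.51.100.20 "POST {AUTH_PATH} HTTP/1.1" 200 1502 sess=9f1c0a',
        '2025-06-23T10:05:01Z 198.51.100.20 "GET /vpn/index.html HTTP/1.1" 200 2210 sess=9f1c0a',
        '2025-06-23T10:06:30Z 203.0.113.7 "GET /vpn/index.html HTTP/1.1" 200 2210 sess=9f1c0a',
        f'2025-06-23T10:07:00Z 192.0.2.33 "POST {AUTH_PATH} HTTP/1.1" 200 1499 sess=4b77e2',
    ]
)


def parse_log(text):
    """Parse log text into a list of dicts; lines the regex does not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["status"] = int(e["status"])
        e["size"] = int(e["size"])
        entries.append(e)
    return entries


def find_hammering(entries, path=AUTH_PATH, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak_count} for sources whose peak request rate to `path`
    inside any sliding `window` reaches `threshold`."""
    by_src = defaultdict(list)
    for e in entries:
        if e["path"] == path:
            by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):          # two-pointer sliding window
            while t - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            hits[src] = peak
    return hits


def find_session_reuse(entries):
    """Return {session_id: [ip, ...]} for session ids observed from more than one IP."""
    ips = defaultdict(set)
    for e in entries:
        if e["sess"]:
            ips[e["sess"]].add(e["src"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for src, n in find_hammering(entries).items():
        print(f"[hammering] {src}: {n} auth requests inside one 60 s window")
    for sess, addrs in find_session_reuse(entries).items():
        print(f"[session reuse] session {sess} seen from {', '.join(addrs)}")
```

Both heuristics have known blind spots. A patient attacker who spaces requests out will stay under the rate threshold, so the window and threshold should be tuned against the baseline of your own appliance rather than taken from here; and session reuse across IPs also occurs for legitimate users behind changing NAT addresses or mobile networks, so a hit is a lead for investigation, not proof of compromise.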

In MITRE ATT&CK terms, the activity described here is initial access through exploitation of a public-facing application, followed by credential access in the form of stolen session tokens; data exfiltration is a plausible follow-on step but has not been attributed to this campaign in the reporting so far. The ongoing exploitation means organizations running NetScaler ADC or Gateway should apply the June 17 fixes, terminate existing sessions so that tokens leaked before patching cannot be replayed, and review gateway logs for the bursts of repeated authentication requests the exploit requires.
