2100+ Citrix Servers Vulnerable to Actively Exploited Authentication Bypass Vulnerability
Over 2,100 vulnerable Citrix NetScaler servers remain exposed to active exploitation, despite patches being available for critical vulnerabilities that allow attackers to bypass authentication mechanisms and steal session tokens.
Cybersecurity firm ReliaQuest has issued warnings about active exploitation of two critical vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway systems. The vulnerabilities, tracked as CVE-2025-5777 and CVE-2025-6543, have been under attack since mid-June 2025, with scanning activities detected as early as June 19.
As of June 29, 2025, scans by The Shadowserver Foundation identified approximately 1,289 and 2,100 IP addresses still unpatched against the two vulnerabilities, with the highest concentrations in the United States and Germany. This is a significant exposure given the critical nature of these flaws.
Citrix Bleed 2: A Dangerous Evolution
CVE-2025-5777, dubbed “Citrix Bleed 2,” carries a CVSS score of 9.2 and represents a dangerous evolution of the original Citrix Bleed vulnerability that wreaked havoc in 2023.
This new vulnerability stems from insufficient input validation, resulting in out-of-bounds memory reads that allow attackers to extract sensitive authentication data.
What makes Citrix Bleed 2 particularly insidious is its targeting mechanism. While the original focused on session cookies, this variant targets session tokens used across API calls and persistent application sessions, potentially granting attackers longer-lived access. Even after users terminate browser sessions, attackers could maintain unauthorized access through hijacked session tokens.
ReliaQuest researchers observed concerning indicators suggesting active exploitation, including hijacked Citrix web sessions where authentication was granted without user knowledge, indicating successful MFA bypass.
The exploitation includes session reuse across multiple IP addresses, combining expected and suspicious sources.
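The indicator described above, a single session token presented from more than one source IP and from a mix of expected and unexpected networks, is straightforward to check for in exported session logs. The following is an added example written for this article, not ReliaQuest or Citrix tooling: it assumes a simplified, constructed log format of "timestamp session-id source-ip" per line (real NetScaler log formats differ) and a constructed allowlist of corporate source ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample session events (not real NetScaler log output):
# "timestamp session-token-id source-ip" per line.
SAMPLE_EVENTS = """\
2025-06-20T08:01:12Z sess-a1b2 10.20.30.40
2025-06-20T08:03:55Z sess-a1b2 10.20.30.40
2025-06-20T08:10:02Z sess-a1b2 203.0.113.77
2025-06-20T09:00:00Z sess-c3d4 10.20.31.9
2025-06-20T09:05:41Z sess-c3d4 10.20.31.9
2025-06-20T09:30:13Z sess-e5f6 198.51.100.5
2025-06-20T09:31:00Z sess-e5f6 198.51.100.9
"""

# Constructed example of "expected" source networks (office / corporate VPN egress).
EXPECTED_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(text):
    """Parse the constructed log format into (timestamp, session_id, ip_address) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sid, ip = line.split()
        events.append((ts, sid, ipaddress.ip_address(ip)))
    return events


def is_expected(ip):
    """True when the source IP falls inside one of the allowlisted corporate ranges."""
    return any(ip in net for net in EXPECTED_RANGES)


def find_session_reuse(events):
    """Return {session_id: {"ips": [...], "mixed": bool}} for every session
    token seen from more than one source IP. "mixed" is True when the token
    was used from both an expected and an unexpected network, the pattern the
    article associates with hijacked sessions."""
    ips_by_session = defaultdict(list)
    for _, sid, ip in events:
        if ip not in ips_by_session[sid]:
            ips_by_session[sid].append(ip)

    findings = {}
    for sid, ips in ips_by_session.items():
        if len(ips) < 2:
            continue
        sources = {is_expected(ip) for ip in ips}
        findings[sid] = {
            "ips": [str(ip) for ip in ips],
            "mixed": len(sources) == 2,
        }
    return findings


if __name__ == "__main__":
    for sid, info in find_session_reuse(parse_events(SAMPLE_EVENTS)).items():
        flag = "MIXED expected/unexpected sources" if info["mixed"] else "multiple IPs"
        print(f"{sid}: {', '.join(info['ips'])} ({flag})")
```

Sessions used from several IPs inside the expected ranges (roaming between office subnets, for instance) are still reported but without the "mixed" flag, so the mixed cases can be triaged first.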
CVE-2025-6543 carries a CVSS score of 9.3 and has been confirmed as actively exploited by Citrix. This memory overflow vulnerability affects the same NetScaler configurations but poses different threats. Successful exploitation leads to denial-of-service conditions that can shut down critical network infrastructure.
Citrix acknowledged active exploitation, stating that “exploits of CVE-2025-6543 on unmitigated appliances have been observed.”
Security analysts documented sophisticated attack patterns, suggesting involvement by an advanced threat actor. ReliaQuest observed multiple instances of “ADExplorer64.exe” being deployed across compromised environments. Attackers have weaponized this Microsoft tool to conduct extensive domain reconnaissance activities.
Researchers detected LDAP queries associated with Active Directory reconnaissance and Citrix sessions originating from data-center-hosting IP addresses, including consumer VPN services like DataCamp, suggesting sophisticated obfuscation techniques.
NetScaler appliances serve as critical infrastructure components, acting as gateways for remote access to corporate applications and data centers. These systems often serve as primary entry points for remote workers, making them high-value targets.
The authentication bypass capabilities are particularly concerning because they circumvent multi-factor authentication mechanisms that organizations rely upon as critical security controls.
Citrix released updated NetScaler builds addressing both vulnerabilities. The fixed versions are NetScaler ADC and NetScaler Gateway 14.1-43.56 and later, and 13.1-58.32 and later releases of 13.1.
Critically, Citrix advised administrators to execute specific commands after patching: “kill icaconnection -all” and “kill pcoipConnection -all” to terminate active sessions and prevent attackers from maintaining access through previously hijacked sessions.
NetScaler versions 12.1 and 13.0 have reached end-of-life status and will not receive security patches. Organizations running these legacy versions face indefinite exposure and are strongly urged to upgrade immediately.
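To turn the version guidance above into a repeatable inventory check, here is an added example (not Citrix's or ReliaQuest's code) that classifies NetScaler build strings against the fixed builds named in the article and flags the end-of-life 12.1 and 13.0 branches. It assumes builds are written as "major.minor-build.sub" (the form used in the article, e.g. 14.1-43.56); the inventory lines and the unpatched build numbers in the sample are constructed, not real appliance data.

```python
import re

# Fixed builds as stated in the article: these builds and later are patched.
FIXED_BUILDS = {
    (14, 1): (43, 56),   # 14.1-43.56 and later
    (13, 1): (58, 32),   # 13.1-58.32 and later
}
# Branches the article reports as end-of-life (no security patches).
END_OF_LIFE = {(12, 1), (13, 0)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version):
    """Split 'major.minor-build.sub' into ((major, minor), (build, sub)) integer tuples."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler build string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def assess_build(version):
    """Classify one build string as 'patched', 'vulnerable', 'end-of-life' or
    'unknown-branch'. Tuple comparison gives the correct numeric ordering
    (43.55 < 43.56), which a plain string comparison would not guarantee."""
    branch, build = parse_build(version)
    if branch in END_OF_LIFE:
        return "end-of-life"
    if branch not in FIXED_BUILDS:
        # Branches not covered by the article are left for manual review.
        return "unknown-branch"
    return "patched" if build >= FIXED_BUILDS[branch] else "vulnerable"


def assess_inventory(lines):
    """Apply assess_build to 'hostname build' lines; returns [(host, build, status), ...]."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        host, version = line.split()
        results.append((host, version, assess_build(version)))
    return results


# Constructed inventory (hostnames and unpatched build numbers are made up).
SAMPLE_INVENTORY = [
    "ns-gw-01  14.1-43.56",
    "ns-gw-02  14.1-38.53",
    "ns-adc-03 13.1-58.32",
    "ns-adc-04 13.0-92.21",
    "ns-old-05 12.1-65.39",
]


def needs_action(lines):
    """Hostnames whose status is anything other than 'patched'."""
    return [host for host, _, status in assess_inventory(lines) if status != "patched"]


if __name__ == "__main__":
    for host, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:10} {version:12} {status}")
```

Anything reported as "vulnerable" or "end-of-life" should be treated as exposed until upgraded, and the article's post-patch session termination still applies once the fixed build is installed.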
Organizations must immediately apply security patches to all NetScaler systems, particularly internet-facing appliances. Post-patching procedures are equally critical – administrators must terminate all active sessions to invalidate any compromised tokens.