CitrixBleed 2 Vulnerability PoC Published

A newly published proof-of-concept (PoC) for the critical CitrixBleed 2 vulnerability (CVE-2025-5777) has sent shockwaves through the cybersecurity community, with experts warning of imminent mass exploitation risks for organizations using Citrix NetScaler ADC and Gateway devices.

The Vulnerability: CitrixBleed 2 (CVE-2025-5777)

Dubbed “CitrixBleed 2” for its eerie resemblance to the notorious CitrixBleed flaw of 2023, CVE-2025-5777 is an out-of-bounds memory read vulnerability.

It allows unauthenticated attackers to extract sensitive information—including authentication tokens—directly from the memory of affected appliances.

If exploited, attackers can bypass multi-factor authentication (MFA), hijack user sessions, and gain unauthorized access to critical systems.

The flaw specifically impacts Citrix NetScaler ADC and Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The vulnerability is rated with a CVSS score of 9.3, underscoring its criticality.

PoC Released

Security researchers, after initially withholding technical details, have now published a PoC that allows defenders and attackers alike to verify whether a system is vulnerable.

The release comes amid reports of in-the-wild exploitation and a significant portion of Citrix customers remaining unpatched.

Experts argue that transparency and the ability for organizations to self-assess outweigh the risks of enabling malicious actors, especially given the minimal sharing of indicators of compromise (IoCs) and detection artifacts by vendors and industry bodies.

How the Attack Works

  • Attackers send a specially crafted HTTP POST request to the Citrix Gateway login endpoint, manipulating the login parameter in a way that triggers a memory leak.
  • The server responds with an XML structure containing the  tag, which, if vulnerable, will include uninitialized memory data.
  • Repeated requests can eventually leak sensitive session tokens, potentially allowing attackers to hijack sessions and bypass MFA.

Real-World Impact

  • Active exploitation: Security firms have observed suspicious activity and session hijacking attempts targeting Citrix appliances, with attackers seeking to leverage the flaw for initial access.
  • Potential consequences: Compromised systems may lead to data breaches, ransomware attacks, and operational disruption, including in critical sectors such as healthcare and finance.

Mitigation and Detection

  • Patch immediately: Citrix has released security updates for supported versions. Organizations running end-of-life versions are urged to upgrade without delay.
  • Terminate active sessions: After patching, all active ICA and PCoIP sessions should be terminated to prevent session hijacking.
  • Detection: Sending a POST request with only the login parameter (no value or equal sign) and inspecting the  in the response can help determine vulnerability status. A non-empty value indicates exposure.
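The article describes the probe as a POST to the gateway login endpoint carrying a bare login parameter with no value and no equals sign, repeated many times. The following is an added example (not code from the article or from Citrix) of how a defender could scan captured request records for that signature and surface sources that send it repeatedly. The request records below are constructed for illustration; the login endpoint path is not given on the page, so the filter matches on method and form body only, and the check is slightly broader than the article's wording in that it flags a bare login token anywhere in the body, not only when it is the sole parameter.

```python
from collections import Counter
from urllib.parse import unquote


def has_bare_login_param(body: str) -> bool:
    """Return True when the form body carries a 'login' token with no '='.

    'login=alice' and 'login=' are ordinary form submissions; a token that is
    exactly 'login' with no equals sign is the probe shape described above.
    """
    for token in body.split("&"):
        token = token.strip()
        if not token or "=" in token:
            continue
        if unquote(token) == "login":
            return True
    return False


# Constructed sample request records (assumed field names; not real logs).
SAMPLE_REQUESTS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/login", "body": "login=alice&passwd=hunter2"},
    {"src": "198.51.100.7", "method": "POST", "path": "/login", "body": "login="},
    {"src": "203.0.113.5", "method": "POST", "path": "/login", "body": "login"},
    {"src": "203.0.113.5", "method": "POST", "path": "/login", "body": "login"},
    {"src": "203.0.113.5", "method": "POST", "path": "/login", "body": "login"},
    {"src": "203.0.113.5", "method": "POST", "path": "/login", "body": "login&passwd=x"},
    {"src": "192.0.2.9", "method": "GET", "path": "/login", "body": ""},
    {"src": "192.0.2.9", "method": "POST", "path": "/login", "body": "login"},
]


def find_probes(records):
    """Select POST requests whose body matches the bare-login signature."""
    return [
        r for r in records
        if r.get("method", "").upper() == "POST"
        and has_bare_login_param(r.get("body") or "")
    ]


def probes_per_source(records):
    """Count matching requests per source address."""
    return Counter(r["src"] for r in find_probes(records))


def noisy_sources(records, threshold=3):
    """Sources that sent at least `threshold` probes; the article notes the
    leak typically needs repeated requests, so repetition is the stronger signal."""
    return sorted(src for src, n in probes_per_source(records).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in probes_per_source(SAMPLE_REQUESTS).items():
        print(f"{src}: {n} bare-login POST(s)")
    print("repeat offenders:", noisy_sources(SAMPLE_REQUESTS))
```

In a real deployment the record source would be the appliance's HTTP access or WAF logs, and a path filter for the actual gateway login endpoint should be added in front of the body check to cut noise from unrelated forms.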

Security leaders stress that the publication of a PoC, coupled with ongoing exploitation, dramatically increases the risk of widespread attacks.

Organizations are urged to treat this as an emergency—patch, verify, and monitor systems immediately to avoid becoming the next victim of CitrixBleed 2.
