“CitrixBleed 2” Vulnerability PoC Released
Critical flaw in Citrix NetScaler devices echoes infamous 2023 security breach that crippled major organizations worldwide.
The new critical vulnerability in Citrix NetScaler devices has security experts warning of potential widespread exploitation, drawing alarming parallels to the devastating “CitrixBleed” attacks that plagued organizations in 2023.
The vulnerability, tracked as CVE-2025-5777 and dubbed “CitrixBleed 2,” allows attackers to steal sensitive information directly from device memory, potentially bypassing multi-factor authentication and hijacking user sessions.
The vulnerability analysis disclosed by watchTowr Labs researchers shows that the memory leak affects NetScaler ADC and NetScaler Gateway devices configured as remote access gateways.
With a critical CVSS severity score of 9.3, the vulnerability stems from insufficient input validation that leads to memory overread when processing authentication requests.
The original CitrixBleed vulnerability (CVE-2023-4966) was extensively exploited by ransomware groups and nation-state actors, leading to high-profile breaches including attacks on Boeing and Comcast’s Xfinity service that affected 36 million customers.
Active Exploitation Suspected
Cybersecurity firm ReliaQuest reported that it has observed “medium confidence” indicators suggesting the vulnerability is already being exploited in targeted attacks.
Evidence includes hijacked Citrix web sessions where authentication was granted without user knowledge, indicating successful multi-factor authentication bypass.
The researchers identified several concerning patterns: session reuse across suspicious IP addresses, LDAP queries associated with Active Directory reconnaissance, and multiple instances of the ADExplorer64.exe tool being deployed across compromised environments. Attackers appear to be using consumer VPN services to mask their activities while conducting post-breach reconnaissance.
The watchTowr Labs analysis reveals that the vulnerability’s exploitation is surprisingly straightforward. By sending a malformed HTTP request to the Citrix Gateway login endpoint without proper parameter values, attackers can trigger a memory leak that exposes uninitialized variables containing sensitive data from the device’s memory.

“What’s happening under the hood here is a classic case of C-language mischief,” the researchers explained. “The backend parser ends up handing us back an uninitialized local variable” containing whatever data was previously stored in memory, potentially including session tokens and other sensitive information.
The vulnerability manifests when attackers send HTTP POST requests to the /p/u/doAuthentication.do endpoint with malformed login parameters. Instead of properly initializing memory variables, the system returns whatever residual data was previously stored in memory, creating a textbook example of CWE-457: Use of Uninitialized Variable.
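To make the CWE-457 pattern described above concrete for defenders and code reviewers, here is an added C example. It is not code from the article, from watchTowr, or from NetScaler; the parser, the `login_result` structure and the function names are hypothetical, and the “stale token” string is a constructed stand-in for whatever a previous request left behind in memory. The vulnerable form only writes its output buffer when the parameter carries a value, so a request with the key but no value hands the caller’s old bytes back unchanged; the hardened form defines every output byte on every path and rejects the malformed request instead of echoing anything.

```c
#include <stdio.h>
#include <string.h>

#define VALUE_MAX 64

/* Hypothetical result structure: a later stage echoes `value` back to the
 * client, so any byte the parser leaves undefined ends up in the response. */
struct login_result {
    char value[VALUE_MAX];
};

/* Locate "key=" in a urlencoded body. Returns a pointer to the value (which
 * may be empty) or NULL when the key is absent or has no '='.
 * Simplified: no percent-decoding; keys matched at start or after '&'. */
static const char *find_param(const char *body, const char *key)
{
    size_t klen = strlen(key);
    const char *p = body;
    while (p != NULL && *p != '\0') {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, '&');
        if (p != NULL)
            p++;
    }
    return NULL;
}

/* Copy a value up to the next '&' (or end of string), truncating safely. */
static void copy_value(const char *start, char *out, size_t outlen)
{
    size_t n = strcspn(start, "&");
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, start, n);
    out[n] = '\0';
}

/* VULNERABLE shape (CWE-457): `out->value` is written only when the login
 * parameter has a non-empty value. For "login" without '=' or "login=" the
 * function reports success and returns the caller's buffer untouched. */
int parse_login_vulnerable(const char *body, struct login_result *out)
{
    const char *v = find_param(body, "login");
    if (v != NULL && *v != '\0' && *v != '&')
        copy_value(v, out->value, sizeof out->value);
    return 0;   /* "success" even though nothing may have been written */
}

/* HARDENED shape: every output byte is defined before any branch, and a
 * missing or empty login parameter is rejected rather than echoed. */
int parse_login_hardened(const char *body, struct login_result *out)
{
    memset(out, 0, sizeof *out);            /* never return old bytes */
    const char *v = find_param(body, "login");
    if (v == NULL || *v == '\0' || *v == '&')
        return -1;                          /* reject the malformed request */
    copy_value(v, out->value, sizeof out->value);
    return 0;
}

/* Constructed stand-in for residual memory from an earlier request. */
#define STALE_TOKEN "stale-session-token-constructed"

/* Pre-fill the result with the stale token, run the parser, and report
 * whether the stale bytes survived into what would be echoed back. */
int leaks_stale_data(int (*parser)(const char *, struct login_result *),
                     const char *body)
{
    struct login_result r;
    memset(&r, 0, sizeof r);
    strcpy(r.value, STALE_TOKEN);           /* simulate uninitialized contents */
    parser(body, &r);
    return strcmp(r.value, STALE_TOKEN) == 0;
}

int main(void)
{
    const char *bodies[] = { "login=alice&passwd=x", "login", "login=&passwd=x" };
    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        printf("body=%-22s vulnerable leaks=%d  hardened leaks=%d\n", bodies[i],
               leaks_stale_data(parse_login_vulnerable, bodies[i]),
               leaks_stale_data(parse_login_hardened, bodies[i]));
    }
    return 0;
}
```

The review takeaway is the shape, not the specific product: an output buffer that is written on the happy path only, paired with a success return on every path, is exactly what turns a malformed request into a read of whatever the stack or heap held before. Zeroing outputs up front and failing closed on missing parameters removes the leak regardless of what the caller does with the buffer.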
Security researcher Kevin Beaumont, who coined the “CitrixBleed 2” moniker, noted that over 50,000 potentially vulnerable NetScaler instances are exposed to the internet based on Shodan searches. The Shadowserver Foundation discovered over 1,200 appliances remain unpatched as of late June 2025, despite Citrix releasing fixes on June 17.
Citrix has released security updates for supported versions and strongly urges organizations to upgrade immediately.
The company recommends terminating all active ICA and PCoIP sessions after patching to prevent potential session hijacking. Organizations running end-of-life versions 12.1 and 13.0 must upgrade to supported versions, as these will not receive security patches.
Given the severe impact of the original CitrixBleed attacks, which continued to be exploited for months after patches were available, security experts emphasize that organizations cannot afford to delay patching efforts.
The vulnerability’s similarity to its predecessor suggests it will likely become a favored tool for cybercriminals seeking initial access to enterprise networks.