Hackers Started Exploiting CitrixBleed 2 Vulnerability Before Public PoC Disclosure

Researchers detected an active exploitation of CVE-2025-5777, dubbed CitrixBleed 2, nearly two weeks before a public proof-of-concept surfaced. 

This memory overread vulnerability in Citrix NetScaler appliances enables adversaries to exfiltrate sensitive data from kernel space by sending malformed DTLS packets. 

Initial reconnaissance and attack patterns were first observed on June 23, while the PoC was not released until July 4. This early exploitation underscores the need for proactive threat intelligence and rapid patch management.

Key Takeaways
1. CitrixBleed 2 (CVE-2025-5777) was actively exploited.
2. Chinese IPs precisely targeted Citrix NetScaler appliances.
3. CISA added CVE-2025-5777 to its CVE catalog; immediate patching is essential.

The vulnerability carries a CVSS score of 9.8 and stems from improper bounds checking within the SSL processing module. 

By leveraging malformed DTLS handshake sequences, attackers can trigger out-of-bounds reads, potentially leaking memory contents such as credentials, configuration files, or cryptographic keys. 

GreyNoise analysts assigned a dedicated tag to the traffic on July 7, enabling retrospective visibility into pre-PoC attacks across their sensor network.

Citrix NetScaler Vulnerability Exploitation

When researchers deployed sensors emulating Citrix NetScaler instances, they recorded anomalous DTLS handshake sequences originating from IP addresses geolocated in China. 

These packets exhibited malformed length fields that violated the DTLS specification, prompting kernel-level responses and revealing memory fragments. 

By analyzing packet captures, analysts reconstructed the overread offsets and identified consistent leakage patterns, confirming the exploitation of the CVE-2025-5777 flaw.

In-depth packet dissection using tools such as Wireshark and Scapy highlighted repeated attempts to trigger the vulnerability. 

The malformed packets employed specific TLS record layer values that exceeded buffer boundaries, causing the NetScaler SSL stack to return residual data. 

Analysis of threat intelligence feeds revealed a focused campaign against enterprise perimeter devices rather than opportunistic mass scanning. 

The malicious IPs avoided bulk exploitation, instead selecting specific network blocks likely containing high-value Citrix NetScaler installations. 

This precision targeting suggests a reconnaissance phase where the attackers fingerprinted appliance versions before launching memory overread attempts, consistent with tactics seen in previous state-affiliated operations.

On July 9, the Cybersecurity and Infrastructure Security Agency (CISA) corroborated GreyNoise findings and added CVE-2025-5777 to the Known Exploited Vulnerabilities (KEV) catalog. 

CISA’s public advisory urged immediate application of Citrix-provided patches and recommended continuous monitoring for anomalous DTLS traffic with abnormal record length values. 

The inclusion in the KEV accelerated awareness across U.S. federal and critical infrastructure sectors, driving accelerated mitigation efforts.

To counter ongoing exploitation, defenders are advised to apply Citrix’s firmware update and implement network controls that detect or block malformed DTLS records. 

By integrating threat intelligence sources directly into security infrastructure, organizations can reduce exposure windows and false positives, maintaining robust protection against CitrixBleed 2 exploitation.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now