Citrix Bleed 2 under active attack, reports suggest


A newly discovered vulnerability in the frequently criticized Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances is now being targeted by unknown threat actors, according to security analysts.

Assigned a critical CVSS score of 9.3, CVE-2025-5777 is an out-of-bounds read flaw caused by insufficient input validation. Referred to as Citrix Bleed 2 by independent researcher Kevin Beaumont, this vulnerability is similar to the previous Citrix Bleed flaw, CVE-2023-4966, allowing attackers to hijack authenticated sessions and bypass multifactor authentication by stealing valid session tokens from the device’s memory.

The original Citrix Bleed vulnerability was exploited by ransomware gangs like LockBit, emphasizing the importance of immediate patching for security leaders and defenders.

According to the ReliaQuest threat research team, there are indications that the vulnerability is being exploited to gain initial access. ReliaQuest recommends patching affected systems and terminating active sessions to mitigate the risk.

ReliaQuest has observed instances of hijacked Citrix web sessions, LDAP queries for Active Directory reconnaissance, and Citrix sessions from datacentre-hosting IP addresses. These activities suggest potential threat actor enumeration of victim environments.
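The indicators ReliaQuest describes above, a session token reused from a different source address and Citrix sessions arriving from datacentre-hosting IP space, can be checked mechanically against session logs. The following is an added example, not code from the article, ReliaQuest or Citrix; the log format, the session identifiers and the hosting address ranges are constructed for illustration, and a real deployment would load a hosting/ASN feed and parse the appliance's actual log format.

```python
"""Flag NetScaler session anomalies of the kinds the article describes:
a session token reused from a new source IP (possible hijack) and sessions
originating from datacentre-hosting address space.
Added example with constructed data; not taken from the article."""
from ipaddress import ip_address, ip_network

# Constructed hosting ranges (hypothetical stand-in for a real hosting/ASN feed).
HOSTING_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed sample log: timestamp, session id, user, source IP, event.
SAMPLE_LOG = """\
2025-06-25T08:01:10Z sess=a1b2 user=alice src=192.0.2.10 event=login
2025-06-25T08:05:42Z sess=a1b2 user=alice src=192.0.2.10 event=ica_connect
2025-06-25T08:09:03Z sess=a1b2 user=alice src=203.0.113.77 event=ica_connect
2025-06-25T08:11:30Z sess=c3d4 user=bob src=198.51.100.9 event=login
2025-06-25T08:12:00Z sess=e5f6 user=carol src=192.0.2.55 event=login
"""


def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = ts
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_hosting(ip):
    """True if the address falls inside a known hosting range."""
    addr = ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def find_anomalies(records):
    """Return (kind, session_id, user, src_ip) findings in log order.

    session_ip_change: the same session id seen from a second source IP,
                       the pattern a stolen session token produces.
    hosting_source:    the session was used from hosting address space
                       (reported once per session).
    """
    findings = []
    first_ip = {}          # session id -> source IP at first sighting
    flagged_hosting = set()
    for r in records:
        sid = r["sess"]
        if sid not in first_ip:
            first_ip[sid] = r["src"]
        elif r["src"] != first_ip[sid]:
            findings.append(("session_ip_change", sid, r["user"], r["src"]))
        if is_hosting(r["src"]) and sid not in flagged_hosting:
            flagged_hosting.add(sid)
            findings.append(("hosting_source", sid, r["user"], r["src"]))
    return findings


def sessions_to_terminate(findings):
    """Session ids an operator would kill first while patching."""
    return {sid for _, sid, _, _ in findings}


if __name__ == "__main__":
    found = find_anomalies(parse_log(SAMPLE_LOG))
    for f in found:
        print(*f)
    print("terminate:", sorted(sessions_to_terminate(found)))
```

The session-ID-to-IP check is the cheap one: a NetScaler session that starts from one address and continues from another is exactly what a token replayed from leaked memory looks like, and it does not depend on knowing the attacker's infrastructure in advance.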

Users of NetScaler ADC and Gateway should update to the latest versions as per Citrix’s advisory and terminate active ICA and PCoIP sessions. Charles Carmakal, CTO at Google Cloud’s Mandiant, emphasized the importance of terminating active sessions to prevent attackers from retaining access post-patching, as seen in the previous Citrix Bleed incident.
