Urgent Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) Actively Exploited: MFA Bypass & Session Hijacking Threaten Enterprises
Security researchers have unveiled functional exploits targeting a critical vulnerability in Citrix NetScaler ADC and Gateway devices. Designated CVE-2025-5777, the flaw has been informally dubbed CitrixBleed2 — a pointed reference to the similarly severe 2023 vulnerability that was widely exploited in ransomware campaigns and attacks on government entities. This latest issue allows threat actors to extract data directly from device memory, including active user session tokens.
CitrixBleed2 is triggered during the login process via specially crafted POST requests. The attack hinges on omitting the equal sign and value for the login parameter in the request body. As a result, NetScaler inadvertently returns a fragment of memory—up to the first null byte—within an XML <InitialValue> element. This behavior stems from a misuse of the snprintf function with the %.*s format string, which leads the system to return up to 127 bytes of uninitialized stack memory upon each request to the vulnerable endpoint.
The team at watchTowr was the first to publish a technical breakdown of the bug, noting that during their own testing, they were unable to extract sensitive data. However, researchers at Horizon3 successfully reproduced the exploit and confirmed that session tokens could indeed be obtained. Moreover, they found the vulnerability extends to administrative configuration utilities.
Despite the existence of working exploits and video demonstrations of successful attacks, Citrix maintains that CVE-2025-5777 is not being actively exploited in the wild. The company references its official blog, which claims there have been no confirmed incidents of compromise via this flaw.
Contrary to Citrix’s assertion, a report from ReliaQuest indicates a surge in session hijack attempts. The nature of the attacks points to active exploitation of this very vulnerability. Independent security researcher Kevin Beaumont echoes this concern, having identified telltale indicators in NetScaler logs—namely, repeated POST requests to doAuthentication, each yielding a consistent 126-byte memory leak. Additionally, log entries revealed usernames containing the # symbol, suggesting that leaked memory was being misrouted into improper fields—strong evidence of unauthorized access.
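As an added example (not from the article, and not code from Citrix, watchTowr, Horizon3 or Beaumont), the following Python script applies the two log indicators described above to a handful of constructed log lines. The log layout is an assumed, simplified one (timestamp, source address, method, path, status, response bytes, username), not NetScaler's real format; the path, addresses, usernames and the REPEAT_THRESHOLD value are all made up for illustration, and the script assumes the 126-byte leak shows up as the response size of each request.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed, simplified layout (not NetScaler's real
# log format): timestamp source method path status response_bytes username.
# Addresses, path and usernames are made up for this illustration.
SAMPLE_LOG = """\
2025-07-01T10:00:01Z 198.51.100.7 POST /example/doAuthentication 200 126 -
2025-07-01T10:00:02Z 198.51.100.7 POST /example/doAuthentication 200 126 -
2025-07-01T10:00:03Z 198.51.100.7 POST /example/doAuthentication 200 126 -
2025-07-01T10:00:04Z 198.51.100.7 POST /example/doAuthentication 200 126 -
2025-07-01T10:00:05Z 198.51.100.7 POST /example/doAuthentication 200 126 -
2025-07-01T10:01:10Z 203.0.113.9 POST /example/doAuthentication 200 2048 alice
2025-07-01T10:02:30Z 203.0.113.9 GET /vpn/index.html 200 5120 alice
2025-07-01T10:05:00Z 192.0.2.44 POST /example/doAuthentication 200 1980 #b2fa19
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<status>\d+) (?P<bytes>\d+) (?P<user>\S+)$"
)

LEAK_SIZE = 126        # per-request leak size reported in the article
REPEAT_THRESHOLD = 3   # assumed: leak-sized POSTs from one source before alerting


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def detect(log_text):
    """Return a sorted list of findings for the two indicators described above:
    - repeated POSTs to doAuthentication with a 126-byte response from one source
    - a username field containing '#', a sign of leaked memory landing in the wrong field
    """
    findings = []
    leak_posts = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        is_auth_post = rec["method"] == "POST" and "doAuthentication" in rec["path"]
        if not is_auth_post:
            continue
        if rec["bytes"] == LEAK_SIZE:
            leak_posts[rec["src"]] += 1
        if "#" in rec["user"]:
            findings.append(("username_contains_hash", rec["src"], rec["user"]))
    for src, count in leak_posts.items():
        if count >= REPEAT_THRESHOLD:
            findings.append(("repeated_126_byte_auth_posts", src, count))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

In the sample, only the five identically sized POSTs from 198.51.100.7 and the '#'-prefixed username from 192.0.2.44 are reported; the normal login from 203.0.113.9 is not. Tune REPEAT_THRESHOLD and the size match to what the device's real logs expose before relying on this logic.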
Beaumont stresses that such insights would have remained hidden were it not for the disclosures by watchTowr and Horizon3. Without their research, detecting active exploitation would have been significantly more difficult, especially given Citrix’s reluctance to share indicators of compromise—a behavior reminiscent of the company’s response during the original CitrixBleed incident in 2023.
To mitigate the threat, Citrix has issued firmware updates that patch the vulnerability. Administrators are also advised to manually terminate all active ICA and PCoIP sessions—ideally after inspecting them for suspicious activity. If anomalies are detected in session logs or tokens, a full restart of the authentication infrastructure may be warranted.