CISA warns hackers are actively exploiting critical CitrixBleed 2

News
By published

CISA adds CitrixBleed 2 to its Known Exploited Vulnerabilities catalog

Image depicting a hand on a scanner
Image Credit: Pixabay (Image credit: Pixabay)
  • CitrixBleed 2 was discovered in mid-June 2025
  • But there were quickly reports of abuse in the wild
  • CISA is now urging FCEB agencies to patch immediately

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CitrixBleed 2 to its Known Exploited Vulnerabilities (KEV) catalog, alerting Federal Civilian Branch Agencies (FCEB), as well as other businesses, that the bug is being actively exploited in the wild.

On July 10, CISA added CVE-2025-5777 to the catalog - a critical-severity (9.3/10) insufficient input validation vulnerability that leads to memory overread. It affects Citrix NetScaler ADC and NetScaler Gateway devices, versions 14.1 and before 47.46, and from 13.1 and before 59.19.

It can be abused against vulnerable NetScaler ADC and NetScaler Gateway appliances to extract sensitive memory contents, including session tokens, credentials, and potentially other user data, without authentication. Given its similarity to a previous Citrix vulnerability called CitrixBleed, security researchers dubbed it CitrixBleed 2.

"Significant risk"

The bug was first discovered in mid-June 2025, and by early July, there were already reports of abuse in the wild.

Citrix released a patch but apparently, the majority of instances have not yet been patched, presenting a unique opportunity for cybercriminals.

Multiple security researchers, including ReliaQuest, watchTowr, and Horizon3.ai, have warned users of ongoing exploitation campaigns. Akamai also added that it observed a “drastic increase” in scanning for potentially vulnerable NetScaler endpoints.

Now, CISA also confirmed the reports of in-the-wild attacks.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said in a short security advisory.

What’s also interesting is the tight deadline it gave FCEB agencies to patch their endpoints. Usually, agencies have 21 days to apply the patch or stop using the affected software altogether. In this case, the deadline was - just 24 hours.

Citrix has not yet unequivocally stated that the bugs were being exploited. It did, however, urge everyone to apply the patch without delay.

Via TechCrunch

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.