A critical vulnerability, dubbed 'CitrixBleed 2' and tracked as CVE-2025-5777, was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public. GreyNoise confirmed that its honeypots detected targeted exploitation from IP addresses located in China on June 23, 2025. Because the flaw was being actively exploited, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) catalog. Despite early signs and repeated warnings from security researcher Kevin Beaumont, Citrix had not acknowledged active exploitation in its security advisory, and it has been under fire for a lack of transparency and for not sharing indicators of compromise (IOCs). The vulnerability allows attackers to send malformed POST requests to NetScaler appliances during login attempts, leaking 127 bytes of memory and exposing sensitive data such as valid session tokens, which can be used to hijack Citrix sessions and gain unauthorized access to internal resources.
TPRM report: https://scoringcyber.rankiteo.com/company/citrix
{
"id": "cit556071825",
"linkid": "citrix",
"type": "Vulnerability",
"date": "7/2025",
"severity": "25",
"impact": "",
"explanation": "Attack without any consequences: Attack in which data is not compromised Attack in which ordinary material is compromised, but no information had been stolen"
}
{'affected_entities': [{'customers_affected': 'Over 120 companies compromised',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Citrix',
                        'type': 'Company'}],
 'attack_vector': 'Remote Exploitation',
 'data_breach': {'data_exfiltration': 'Yes',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Valid session tokens'},
 'date_detected': '2025-06-23',
 'date_publicly_disclosed': '2025-07-04',
 'description': "A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed 'CitrixBleed 2,' was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public.",
 'impact': {'brand_reputation_impact': 'Citrix under fire for lack of transparency',
            'data_compromised': 'Sensitive data such as valid session tokens',
            'systems_affected': 'Citrix NetScaler appliances'},
 'initial_access_broker': {'entry_point': 'Malformed POST requests to NetScaler appliances',
                           'high_value_targets': 'NetScaler appliances',
                           'reconnaissance_period': 'From June 20, 2025'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Importance of immediate patching and thorough investigation of logs for indicators of compromise',
 'motivation': 'Unauthorized access to internal resources',
 'post_incident_analysis': {'corrective_actions': 'Patching and upgrading NetScaler ADC and Gateway versions',
                            'root_causes': 'Insufficient input validation in Citrix NetScaler'},
 'recommendations': 'Review all sessions for suspicious logins and terminate compromised sessions',
 'references': [{'source': 'BleepingComputer'}],
 'regulatory_compliance': {'regulatory_notifications': "Added to CISA's Known Exploited Vulnerabilities (KEV) catalog"},
 'response': {'containment_measures': 'Terminate compromised sessions',
              'remediation_measures': 'Patching and upgrading NetScaler ADC and Gateway versions'},
 'threat_actor': ['Unknown threat actor group from China'],
 'title': 'Critical Citrix NetScaler Vulnerability (CVE-2025-5777) Exploited',
 'type': 'Exploitation of Vulnerability',
 'vulnerability_exploited': 'CVE-2025-5777'}