Citrix

Citrix is facing a critical flaw in its NetScaler devices, known as 'CitrixBleed 2' (CVE-2025-5777), which allows attackers to steal sensitive information from device memory. The vulnerability, similar to the one behind the 2023 CitrixBleed attacks, has a CVSS severity score of 9.3 and has already been exploited in targeted attacks. Exploitation involves bypassing multi-factor authentication and hijacking user sessions, with evidence of session reuse and Active Directory reconnaissance. It affects NetScaler ADC and NetScaler Gateway devices, potentially exposing session tokens and other sensitive data. Security experts urge immediate patching to prevent widespread exploitation, as the original CitrixBleed flaw continued to be exploited for months.

Source: https://cybersecuritynews.com/citrixbleed-2-poc-released/

TPRM report: https://scoringcyber.rankiteo.com/company/citrix

"id": "cit748070725",
"linkid": "citrix",
"type": "Vulnerability",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'Aerospace',
                        'name': 'Boeing',
                        'type': 'Organization'},
                       {'customers_affected': '36 million',
                        'industry': 'Telecommunications',
                        'name': 'Comcast’s Xfinity service',
                        'type': 'Organization'}],
 'attack_vector': 'Memory Leak Vulnerability',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Session tokens, Sensitive '
                                             'information'},
 'description': 'A new critical vulnerability in Citrix NetScaler devices, '
                "tracked as CVE-2025-5777 and dubbed 'CitrixBleed 2,' allows "
                'attackers to steal sensitive information directly from device '
                'memory, potentially bypassing multi-factor authentication and '
                'hijacking user sessions.',
 'impact': {'data_compromised': ['Session tokens', 'Sensitive information'],
            'systems_affected': ['NetScaler ADC', 'NetScaler Gateway']},
 'initial_access_broker': {'entry_point': 'Citrix Gateway login endpoint'},
 'lessons_learned': 'Organizations cannot afford to delay patching efforts '
                    'given the severe impact of such vulnerabilities.',
 'motivation': 'Data Theft, Session Hijacking',
 'post_incident_analysis': {'corrective_actions': 'Apply security patches and '
                                                  'upgrade to supported '
                                                  'versions.',
                            'root_causes': 'Insufficient input validation '
                                           'leading to memory overread when '
                                           'processing authentication '
                                           'requests.'},
 'recommendations': 'Upgrade to supported versions and apply security patches '
                    'immediately.',
 'references': [{'source': 'watchTower Labs'},
                {'source': 'ReliaQuest'},
                {'source': 'Kevin Beaumont'},
                {'source': 'Shodan'},
                {'source': 'Shadowserver Foundation'},
                {'source': 'ANY.RUN'}],
 'response': {'containment_measures': 'Terminating all active ICA and PCoIP '
                                      'sessions after patching',
              'remediation_measures': 'Upgrading to supported versions, '
                                      'applying security patches'},
 'threat_actor': ['Ransomware groups', 'Nation-state actors'],
 'title': 'Critical Flaw in Citrix NetScaler Devices Echoes Infamous 2023 '
          'Security Breach',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': ['CVE-2025-5777', 'CVE-2023-4966']}