Full Report
A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks. [...]
Analysis Summary
# Vulnerability: Citrix NetScaler ADC/Gateway Memory Over-read and Session Token Disclosure (CitrixBleed 2)
## CVE Details
- CVE ID: CVE-2025-5777 (named directly in the article; "CitrixBleed 2" is the media nickname, by analogy with CVE-2023-4966, the original "CitrixBleed")
- CVSS Score: Not stated in the article. Citrix's advisory CTX693420 rates it CVSS v4.0 9.3 (Critical), vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L.
- CWE: Not stated in the article. Citrix classifies it as CWE-125 (out-of-bounds read) caused by insufficient input validation. It is a memory over-read, not command injection and not remote code execution.
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway.
- Versions: The article lists none. Per Citrix's advisory, the affected builds are 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and 13.1-NDcPP before 13.1-37.235, and 12.1-FIPS before 12.1-55.328. NetScaler 12.1 and 13.0 are End-of-Life (EOL) and receive no fix, which is why the article singles out customers on those branches as needing to move to a supported build.
- Configurations: Appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Appliances not running one of those roles are not listed as affected.
## Vulnerability Description
CVE-2025-5777 is an out-of-bounds memory read in the authentication path of NetScaler Gateway and AAA virtual servers. A crafted unauthenticated request causes the appliance to echo uninitialized memory back in its response, and that memory can contain valid session tokens. Replaying a leaked token hijacks an authenticated user's session without credentials or MFA, the same "Bleed" pattern as CVE-2023-4966. Because the leak is read-only, the flaw is an information disclosure, not remote code execution; the widespread compromises reported come from session hijacking and the post-authentication access it grants. Tracking by Kevin Beaumont (DoublePulsar) dates exploitation to around June 20, 2025, nearly two weeks before public PoC exploits appeared in early July.
## Exploitation
- Status: **Exploited in the wild**. Tracking cited by the article shows 120+ organizations compromised since June 20, 2025; CISA subsequently added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog.
- Complexity: Low. No authentication, no privileges and no user interaction are required (the advisory's vector is AC:L/AT:N/PR:N/UI:N). The attackers observed were nonetheless selective, profiling targets before using stolen sessions, so a low request count against a given appliance does not mean it was spared.
- Attack Vector: **Network**. Gateway and AAA virtual servers are internet-facing by design.
## Impact
- Confidentiality: **High**. Leaked memory can include session tokens and other data in flight on the appliance.
- Integrity: **Low** in the advisory's CVSS vector. The appliance itself is not modified, but a hijacked session inherits the victim's write access to the applications behind the gateway.
- Availability: **Low** in the advisory's CVSS vector. None of the sources cited here report a denial-of-service effect.
## Remediation
### Patches
- Citrix has released fixed builds: NetScaler ADC and Gateway 14.1-43.56, 13.1-58.32, 13.1-FIPS and 13.1-NDcPP 13.1-37.235, and 12.1-FIPS 12.1-55.328, or later. Customers on 12.1 and 13.0 have no fixed build and must upgrade to a supported branch. In an HA pair or cluster, upgrade every node before treating the deployment as remediated.
### Workarounds
- None. No configuration change closes the leak, and Citrix's own WAF does not detect it, so upgrading is the only fix. Upgrading alone does not invalidate tokens that were already leaked: Citrix's advisory directs administrators to terminate all active ICA and PCoIP sessions once every node is patched (`kill icaconnection -all` and `kill pcoipConnection -all` from the NetScaler CLI) and to treat sessions that were live during the exposure window as potentially hijacked.
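The fixed-build list above is easy to misread across branches (a 13.1 build numbered 37.x is FIPS, and 12.1 is patched only in its FIPS edition), so here is an added Python example, not code from the article or from Citrix, that triages an appliance inventory against the fixed builds in Citrix advisory CTX693420. The inventory entries and version lines are constructed to resemble the first line of NetScaler `show version` output; the `edition` value (standard, fips, ndcpp) is assumed to come from your asset inventory, since the parser does not infer it from the build number.

```python
import re
from dataclasses import dataclass

# Minimum fixed builds per Citrix advisory CTX693420 for CVE-2025-5777,
# keyed by (release branch, edition). Builds compare as (major, minor) tuples.
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),    # 14.1-43.56
    ("13.1", "standard"): (58, 32),    # 13.1-58.32
    ("13.1", "fips"):     (37, 235),   # 13.1-FIPS 13.1-37.235
    ("13.1", "ndcpp"):    (37, 235),   # 13.1-NDcPP 13.1-37.235
    ("12.1", "fips"):     (55, 328),   # 12.1-FIPS 12.1-55.328
}

# Branches with no fixed build: End-of-Life, migrate to a supported branch.
EOL_BRANCHES = {"12.1", "13.0"}

# Matches the first line of `show version`, e.g.
# "NetScaler NS13.1: Build 58.32.nc, Date: ...". The layout is assumed from
# typical appliance output; adjust the pattern if yours differs.
VERSION_RE = re.compile(
    r"NetScaler\s+NS(?P<branch>\d+\.\d+):\s+Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


@dataclass
class Verdict:
    host: str
    branch: str
    build: str
    status: str   # "patched" | "vulnerable" | "eol" | "unknown"
    detail: str


def parse_show_version(text: str):
    """Return (branch, (major, minor)) from `show version` text, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(host: str, show_version_output: str, edition: str = "standard") -> Verdict:
    """Compare one appliance's running build against the advisory's fixed builds."""
    parsed = parse_show_version(show_version_output)
    if parsed is None:
        return Verdict(host, "?", "?", "unknown", "could not parse 'show version' output")
    branch, build = parsed
    build_str = f"{branch}-{build[0]}.{build[1]}"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is not None:
        fixed_str = f"{branch}-{fixed[0]}.{fixed[1]}"
        if build >= fixed:          # tuple comparison: major first, then minor
            return Verdict(host, branch, build_str, "patched", f"at or above {fixed_str}")
        return Verdict(host, branch, build_str, "vulnerable", f"upgrade to {fixed_str} or later")
    if branch in EOL_BRANCHES:
        return Verdict(host, branch, build_str, "eol",
                       "End-of-Life branch, no fix published; migrate to 13.1 or 14.1")
    return Verdict(host, branch, build_str, "unknown",
                   f"branch {branch} / edition {edition} not covered by the advisory")


def triage(inventory):
    """inventory: iterable of (host, show_version_text, edition).
    Returns verdicts with anything still exposed listed before patched hosts."""
    verdicts = [assess(h, v, e) for h, v, e in inventory]
    order = {"vulnerable": 0, "eol": 1, "unknown": 2, "patched": 3}
    return sorted(verdicts, key=lambda v: order[v.status])


# Constructed inventory for illustration; hostnames and version lines are made up.
SAMPLE_INVENTORY = [
    ("gw-dc1",  "NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025, 18:17:09   (64-bit)", "standard"),
    ("gw-dc2",  "NetScaler NS13.1: Build 57.26.nc, Date: Apr 2 2025, 10:00:00   (64-bit)", "standard"),
    ("gw-lab",  "NetScaler NS14.1: Build 43.50.nc, Date: May 5 2025, 09:00:00   (64-bit)", "standard"),
    ("gw-old",  "NetScaler NS13.0: Build 92.21.nc, Date: Jan 15 2024, 12:00:00   (64-bit)", "standard"),
    ("gw-fips", "NetScaler NS12.1: Build 55.328.nc, Date: Jun 11 2025, 08:00:00   (64-bit)", "fips"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.host:8} {v.build:14} {v.status:10} {v.detail}")
```

A host reported as `patched` is only half the story: the stolen-token problem means every appliance that was exposed before its upgrade still needs the session kill and the retrospective hunt described in this report, and an HA pair counts as remediated only when both nodes come back `patched`.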
## Detection
- **Indicators of Compromise (IoCs):** The article publishes no IoCs (no attacker IPs, request signatures or file hashes); the only anchor it gives is the timeline, with exploitation under way from around June 20, 2025. Because the attack steals session tokens, the primary artefact is a valid session continuing from a client IP or geography different from the one that authenticated it.
- **Detection Methods and Tools:**
- Citrix states that its own Web Application Firewall (WAF) currently **does not** detect exploitation of CVE-2025-5777, so the appliance itself will not alert.
- Imperva reports detecting over 11.5 million exploitation attempts, so third-party WAF and edge vendors did field signatures; organizations with such a layer in front of NetScaler should pull those hits as a list of appliances to examine.
- Hunt retrospectively from June 20, 2025: review AAA and Gateway session logs for sessions reused across client IPs and for activity from unexpected sources, then revoke sessions and rotate credentials for every account that appears.
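To make the retrospective hunt concrete, here is an added Python example, not code from the article, from DoublePulsar or from Citrix, that flags sessions seen from more than one client IP on or after the exploitation start date. The log lines are constructed and deliberately simplified: real NetScaler AAA syslog (ns.log) has a different timestamp layout and more fields, and only the `SessionId`, `User` and `Client_ip` field names mimic it, so the regex is the part to adapt. The assumption behind the heuristic is that a replayed stolen token shows up as the victim's session continuing from an IP that never authenticated.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Earliest exploitation date tracked by the sources this report cites.
EXPLOITATION_START = datetime(2025, 6, 20, tzinfo=timezone.utc)

# Constructed, simplified session records for illustration (not real ns.log).
# Session 2001 changes IP but predates the exploitation window; session 3001
# is the one a hunter should see.
SAMPLE_LOG = """\
2025-06-18T08:01:11Z LOGIN      SessionId=2001 User=carol Client_ip=198.51.100.7
2025-06-18T08:30:45Z SSOSUCCESS SessionId=2001 User=carol Client_ip=203.0.113.99
2025-06-21T09:14:02Z LOGIN      SessionId=3001 User=alice Client_ip=198.51.100.20
2025-06-21T09:15:17Z SSOSUCCESS SessionId=3001 User=alice Client_ip=198.51.100.20
2025-06-21T09:42:55Z SSOSUCCESS SessionId=3001 User=alice Client_ip=203.0.113.41
2025-06-22T11:03:08Z LOGIN      SessionId=3002 User=bob   Client_ip=198.51.100.31
2025-06-22T11:05:09Z LOGOUT     SessionId=3002 User=bob   Client_ip=198.51.100.31
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<event>\S+)\s+"
    r"SessionId=(?P<sid>\S+)\s+User=(?P<user>\S+)\s+Client_ip=(?P<ip>\S+)"
)


def parse_records(log_text):
    """Yield (timestamp, event, session_id, user, client_ip) for each parseable line."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue   # unrelated or malformed line: skip it rather than abort the hunt
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group("event"), m.group("sid"), m.group("user"), m.group("ip")


def find_sessions_reused_across_ips(log_text, since=EXPLOITATION_START):
    """Return {session_id: summary} for sessions observed from two or more
    distinct client IPs at or after `since`. Events before `since` are ignored
    so the hunt is scoped to the exploitation window."""
    sessions = defaultdict(lambda: {"user": None, "ips": set(),
                                    "first_seen": None, "last_seen": None})
    for ts, _event, sid, user, ip in parse_records(log_text):
        if ts < since:
            continue
        s = sessions[sid]
        s["user"] = user
        s["ips"].add(ip)
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
    return {
        sid: {**s, "ips": sorted(s["ips"])}
        for sid, s in sessions.items()
        if len(s["ips"]) > 1
    }


if __name__ == "__main__":
    for sid, s in find_sessions_reused_across_ips(SAMPLE_LOG).items():
        print(f"session {sid} user={s['user']} ips={s['ips']} "
              f"window={s['first_seen'].isoformat()}..{s['last_seen'].isoformat()}")
```

An IP change is a lead, not a verdict: mobile users roaming between networks and split-egress VPNs produce the same pattern, so correlate each hit with geolocation or ASN and with whether the second IP ever appears in a `LOGIN` of its own. The hunt also only reaches as far back as log retention allows, and killing sessions after the upgrade stops new hits without erasing the old ones, so export the logs before they roll.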
## References
- Vendor Advisories: Citrix security bulletin CTX693420 for CVE-2025-5777, which lists the fixed builds and the post-upgrade session termination steps (the article does not give a direct link).
- Relevant Links:
- hXXps://www[.]bleepingcomputer[.]com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/
- hXXps://doublepulsar[.]com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f