Full Report
CitrixBleed 2 situation update — everybody already got owned

Update time on CVE-2025-5777, after my prior two blogs.

The tl;dr version is basically:

The 'good news', I suspect, is that most orgs will be too lacking in logs to have evidence. So they get to hope nothing too bad happened, I guess. The reason for this is the exploitation activity doesn't leave much in the way of artefacts on default Netscaler logging config, so orgs are going to struggle to know what was happening. Most are probably stuck looking at IP address IOCs.

Here's a breakdown of the different activity clusters. Note, I don't work in threat intel(tm); these are just my musings publicly since apparently the actual cyber industry is largely asleep.

China go brrr

There's an activity cluster which I strongly suspect is originating from China, based on access times and access methods, who have been targeting these sectors based on SSL certificates: tech, legal, education, financial services, government, the UN and telecoms.

Access started June 20th 2025, with access ramping up from June 21st to this as of writing. I think the activity I see may be one threat actor group — there may be more. They are careful in selecting victims, profiling Netscaler before attacking to make sure it is a real box — e.g. they didn't fall into any of my honeypots.

Amongst source IPs doing this, I see over a hundred ongoing victims, where traffic to their Netscalers is sustained today in some cases.

I managed to find one victim org who would talk anonymously — the threat actor they had was focused on data collection from user Citrix sessions and maintaining persistence through installation of legit MSP admin tools. They triggered no alerts in their security stack.

I published some IOCs here. Some are also visible in my prior blog post (the 64. IP is noisy as it did global Netscaler firmware fingerprinting before attacks):

64.176.50.109
139.162.47.194
38.180.148.215
102.129.235.108
121.237.80.241
45.135.232.2

Because this activity appears to be covert, I strongly suspect most orgs aren't going to be aware they were a victim.

Russia goes bloop beep beep

There's a ransomware group who have had the exploit since June and have been using it for initial access. I'm aware of one incident; however, the victim org has asked me not to talk about it, which I plan to respect as they have enough to deal with (they were healthcare, though).

I suspect there may be more victims yet to play out. For the most part, though, based on dArK wEb chatter, most ransomware groups appear to not understand how to exploit the vulnerability yet, so banging the drums publicly for patching has likely lessened the operational impact risk substantially by simply getting out ahead of people learning how to do a pretty simple string of exploitation.

E-crime goes Spray and pray

Imperva put out a blog at the weekend, after they added detection coverage to their WAF product, saying they've seen 12 million attack attempts so far, with almost 40% aimed at Financial Services.

The blog: CVE-2025-5777 Exposes Citrix NetScaler to Dangerous Memory Leak Attacks | Imperva

In this case, the activity is clearly spray and pray — i.e. the threat actors are just plastering the entire internet to try to get into anything. The scale is similar to initial activity around Log4Shell.

There's similar seen on GreyNoise's honeypots:

Image caption: I can't afford to pay for a GreyNoise subscription but I'm using their graphs anyway.

Citrix go Missing In Action

I don't know what the deal is here. Citrix appeared to almost go missing last week on the subject of this vuln.

They released a blog about CVE-2025-5777 (this vuln) and a different vuln, which makes such claims as:

But, well, that might be news to Akamai, Imperva etc:

As mentioned in my last blog, you can absolutely detect this with a Web Application Firewall. The only major vendor who doesn't yet detect this is… Citrix, who sell a WAF solution upsell for Netscaler and haven't covered their own vulnerability for some reason.

Citrix refused to comment last week on media enquiries about exploitation after my blog post.

They did just update their prior blog post, acknowledging exploitation, after effectively being forced into it by CISA adding the vulnerability to Known Exploited Vulnerabilities.

There continue to be questionable claims in that blog post, I think — e.g. they suggest the NIST description of the vulnerability was wrong, and the most accurate description of the vuln can be found on their website.

What they don't mention — the NIST website description was submitted by [email protected]. NIST did not write the inaccurate description — Citrix did.

Additional issues remain — e.g. Citrix's description of how to patch the vulnerability says to run these commands:

However, this doesn't clear all session cookies which are leaked by the vulnerability.

The instructions for CitrixBleed did cover these:

It appears Citrix have messed up and not told people to clear all session types for CitrixBleed 2, which directly leaves customers who applied patches still at risk of session hijacking.

I guess we'll see how this pans out over the next few weeks, but it feels like a mess of a disclosure which has placed customers last.

Prior reading:

CitrixBleed 2 exploitation started mid-June — how to spot it
CitrixBleed 2: Electric Boogaloo — CVE-2025-5777

Raw scan data — find out if your organisation patched:
https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Almost 4k orgs are still vulnerable as of 15/07/2025.

CitrixBleed 2 situation update — everybody already got owned was originally published in DoublePulsar on Medium.
Analysis Summary
# Vulnerability: Citrix NetScaler Memory Leak Exploitation (CitrixBleed 2)
## CVE Details
- CVE ID: CVE-2025-5777
- CVSS Score: Not explicitly provided in the text. (Severity is implied to be High due to active exploitation and significant impact.)
- CWE: Not explicitly provided in the text.
## Affected Systems
- Products: Citrix NetScaler (named directly in the text; the Imperva write-up cited in the post also refers to Citrix NetScaler).
- Versions: Vulnerable versions are not listed in the text. The researcher's public scan data shows almost 4,000 organisations still unpatched as of 15/07/2025.
- Configurations: Default NetScaler logging records few artefacts of exploitation, which hinders forensic investigation after the fact.
## Vulnerability Description
CitrixBleed 2 (CVE-2025-5777) is a memory leak in Citrix NetScaler; the Imperva write-up characterises the exploitation as memory leak attacks. The leaked memory includes session cookies, so a remote attacker who reads it can hijack authenticated Citrix user sessions. The researcher's central point is that patching alone does not invalidate cookies already leaked: every session type must be terminated as well.
## Exploitation
- Status: **Exploited in the wild**. The researcher's earlier post dates exploitation to mid-June 2025; the suspected China-based cluster's access began June 20th and ramped up from June 21st onward.
- A suspected China-based cluster (attribution rests on access times and access methods and is the researcher's assessment, not a confirmed finding) is conducting covert data collection from user Citrix sessions and maintaining persistence with legitimate MSP admin tools. Targets, selected by SSL certificate, span tech, legal, education, financial services, government, the UN and telecoms. The actor profiles each NetScaler before attacking (none of the researcher's honeypots were hit), over a hundred victims show ongoing traffic, and the one victim who spoke to the researcher saw no alerts from their security stack.
- A ransomware group has been using the exploit for initial access since June; one healthcare victim is known. Dark web chatter suggests most other ransomware groups have not yet worked out how to exploit the bug.
- WAF vendors report high-volume, spray-and-pray attempts against the whole internet: Imperva counted 12 million attempts, almost 40% aimed at Financial Services, and GreyNoise honeypots show similar volume, comparable to early Log4Shell activity.
- Complexity: Exploitation mechanism appears to be a "pretty simple string of exploitation," implying **Low to Medium** complexity for initial access across the threat landscape, although covert exploitation requires skill.
- Attack Vector: **Network** (remote exploitation of the NetScaler appliance).
## Impact
- Confidentiality: **High**. Direct risk of session hijacking and data collection from user Citrix sessions.
- Integrity: **Medium/High**. Persistence was maintained via installation of legitimate MSP admin tools in at least one observed case.
- Availability: Not directly affected by the memory leak itself; the availability risk is downstream, from ransomware deployed after the vulnerability is used for initial access.
## Remediation
### Patches
- Citrix published patches and post-patch instructions; the author notes the instructions are **incomplete**.
- **Critical Note:** Citrix's post-patch commands **do not clear all session types** whose cookies the vulnerability leaks (the earlier CitrixBleed guidance did cover them). A leaked session cookie remains valid until its session is terminated, so customers who applied the fix and ran only the published commands remain exposed to session hijacking by tokens captured before the patch.
### Workarounds
- Clearing **all session types** (as per the prior CitrixBleed guidance) immediately after patching, so that tokens leaked before the patch are invalidated. This complements the patch rather than replacing it, and it does not remove persistence (such as the MSP admin tools seen in one case) that an attacker established while the box was exposed; that requires a separate investigation of the environment behind the appliance.
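The session-termination step described above, written out as an added example; this is not code from the post and not Citrix's published guidance. It assumes the five NSCLI commands that appeared in the original CitrixBleed (CVE-2023-4966) guidance, as recalled here (verify them against the current CVE-2025-5777 advisory before use), a hypothetical appliance NSIP of 10.20.0.5, and that an SSH login as nsroot lands in the NSCLI so a single command can be passed as the remote command string. The audit function compares the commands an operator actually ran against the full set and prints whichever are missing, which is the gap the author describes.

```shell
#!/usr/bin/env bash
# Added example, not Citrix's or the post author's code. Purpose: after patching
# CVE-2025-5777, terminate every session type a leaked cookie could still
# authenticate, and audit a change record for kill commands that were skipped.
# The five NSCLI commands below are the ones published for the original
# CitrixBleed (CVE-2023-4966), as recalled here; re-check them against the
# current Citrix advisory before running them. Host and user are placeholders.
set -eu

# The full post-patch session-termination set (one NSCLI command per line).
ns_session_kill_commands() {
    cat <<'EOF'
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
EOF
}

# Read the commands that were actually run (stdin, one per line, e.g. pasted
# from a change ticket) and print those from the full set that are missing.
ns_missing_session_kills() {
    local ran
    ran=$(mktemp)
    cat > "$ran"
    # -x whole line, -F fixed string, -v invert: emit full-set lines absent from $ran.
    ns_session_kill_commands | grep -vxF -f "$ran" || true
    rm -f "$ran"
}

# Run the full set against an appliance. An SSH login as nsroot lands in the
# NSCLI, so each command is passed as the remote command string.
# DRY_RUN=1 prints what would be executed instead of connecting.
ns_clear_sessions() {
    local host="$1" user="${2:-nsroot}"
    ns_session_kill_commands | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf 'ssh %s@%s "%s"\n' "$user" "$host" "$cmd"
        else
            ssh "$user@$host" "$cmd"
        fi
    done
}
```

Run with DRY_RUN=1 first to see the exact ssh invocations, and pipe the change record into ns_missing_session_kills to confirm nothing in the set was skipped. Terminating sessions logs out legitimate users, so schedule it, and it does nothing about persistence an attacker has already planted behind the appliance.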
## Detection
- **Forensics Challenge:** Exploitation activity leaves few artifacts on *default* NetScaler logging configurations, making detection difficult. Organizations are primarily reliant on reviewing IP address IOCs.
- **Indicators of Compromise (IOCs) published by the researcher:**
* `64.176.50.109`
* `139.162.47.194`
* `38.180.148.215`
* `102.129.235.108`
* `121.237.80.241`
* `45.135.232.2`
- **Detection Methods and Tools:** Web Application Firewalls (Akamai, Imperva and others) detect exploitation attempts; at the time of writing Citrix's own NetScaler WAF had not yet covered the vulnerability. Because default logging records little and the one interviewed victim's security stack raised no alerts, organisations should rely on WAF coverage and fuller logging going forward rather than expecting default logs to show past exploitation.
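The IP-IOC sweep that the summary says most organisations are left with, as an added example rather than the author's own tooling. It assumes log lines roughly in NetScaler ns.log style with Client_ip and User fields (the sample lines below are constructed for illustration; check field layout against your own appliance), matches every IPv4 address on each line against the six published IOCs, and records per-IP hit count, first/last seen, users and event types so that sustained access over days, the pattern the author describes for the covert cluster, stands out from a one-off probe.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Source IPs the post publishes as IOCs for the covert, suspected China-based cluster.
CITRIXBLEED2_IOC_IPS = frozenset({
    "64.176.50.109",
    "139.162.47.194",
    "38.180.148.215",
    "102.129.235.108",
    "121.237.80.241",
    "45.135.232.2",
})

# Constructed sample lines, loosely modelled on NetScaler ns.log SSLVPN/AAA entries
# (assumed layout; verify against a real appliance). Non-IOC addresses are from
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 10 08:02:11 <local0.info> 10.20.0.5 07/10/2025:08:02:11 GMT ns 0-PPE-0 : default SSLVPN LOGIN 6000001 0 : Context alice@203.0.113.7 - SessionId: 101- User alice - Client_ip 203.0.113.7 - Vserver 10.20.0.10:443 - SSLVPN_client_type ICA
Jul 10 08:15:42 <local0.info> 10.20.0.5 07/10/2025:08:15:42 GMT ns 0-PPE-0 : default AAA LOGIN_FAILED 6000002 0 : User unknown - Client_ip 64.176.50.109 - Vserver 10.20.0.10:443 - Failure_reason "Invalid credentials"
Jul 11 02:31:05 <local0.info> 10.20.0.5 07/11/2025:02:31:05 GMT ns 0-PPE-0 : default SSLVPN LOGIN 6000003 0 : Context bob@45.135.232.2 - SessionId: 102- User bob - Client_ip 45.135.232.2 - Vserver 10.20.0.10:443 - SSLVPN_client_type ICA
Jul 11 02:40:19 <local0.info> 10.20.0.5 07/11/2025:02:40:19 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 6000004 0 : Context bob@45.135.232.2 - SessionId: 102- User bob - Client_ip 45.135.232.2 - Vserver 10.20.0.10:443 - GET /cgi/ - Browser Mozilla/5.0
Jul 14 03:05:57 <local0.info> 10.20.0.5 07/14/2025:03:05:57 GMT ns 0-PPE-0 : default SSLVPN LOGIN 6000005 0 : Context bob@45.135.232.2 - SessionId: 103- User bob - Client_ip 45.135.232.2 - Vserver 10.20.0.10:443 - SSLVPN_client_type ICA
Jul 14 09:12:30 <local0.info> 10.20.0.5 07/14/2025:09:12:30 GMT ns 0-PPE-0 : default SSLVPN LOGIN 6000006 0 : Context carol@198.51.100.23 - SessionId: 104- User carol - Client_ip 198.51.100.23 - Vserver 10.20.0.10:443 - SSLVPN_client_type ICA
"""

# Any dotted quad not embedded in a longer dotted/numeric token (so 10.20.0.10:443 still matches).
IPV4_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
# NetScaler's own timestamp carries the year; the syslog prefix does not.
NS_TS_RE = re.compile(r"\b(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT\b")
USER_RE = re.compile(r"\bUser (\S+)")
EVENT_RE = re.compile(r"\b(SSLVPN|AAA|ICA) ([A-Z_]+) \d+ \d+ :")


@dataclass
class Hit:
    """Everything seen for one IOC address across the scanned log."""
    ip: str
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    users: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)

    def span(self) -> timedelta:
        if self.first_seen is None or self.last_seen is None:
            return timedelta(0)
        return self.last_seen - self.first_seen

    def sustained(self, min_hours: int = 24) -> bool:
        # Repeated contact over a day or more is the "sustained" pattern; a single
        # hit is more consistent with the fingerprinting noise the post mentions.
        return self.span() >= timedelta(hours=min_hours)


def parse_line(line: str) -> dict:
    """Pull timestamp, all IPv4s, user and event type out of one ns.log-style line."""
    ts_match = NS_TS_RE.search(line)
    user_match = USER_RE.search(line)
    event_match = EVENT_RE.search(line)
    return {
        "ts": datetime.strptime(ts_match.group(1), "%m/%d/%Y:%H:%M:%S") if ts_match else None,
        "ips": set(IPV4_RE.findall(line)),
        "user": user_match.group(1) if user_match else None,
        "event": f"{event_match.group(1)} {event_match.group(2)}" if event_match else None,
    }


def scan_log(text: str, iocs=CITRIXBLEED2_IOC_IPS) -> Dict[str, Hit]:
    """Aggregate every line that mentions an IOC address into a per-IP Hit."""
    hits: Dict[str, Hit] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for ip in rec["ips"] & iocs:
            hit = hits.setdefault(ip, Hit(ip))
            hit.count += 1
            if rec["ts"] is not None:
                if hit.first_seen is None or rec["ts"] < hit.first_seen:
                    hit.first_seen = rec["ts"]
                if hit.last_seen is None or rec["ts"] > hit.last_seen:
                    hit.last_seen = rec["ts"]
            if rec["user"] and rec["user"] != "unknown":
                hit.users.add(rec["user"])
            if rec["event"]:
                hit.events.append(rec["event"])
    return hits


def report(hits: Dict[str, Hit]) -> List[str]:
    """One summary line per IOC hit, busiest first."""
    lines = []
    for ip, h in sorted(hits.items(), key=lambda kv: kv[1].count, reverse=True):
        flag = "SUSTAINED" if h.sustained() else "single/short"
        lines.append(f"{ip:16} hits={h.count} first={h.first_seen} last={h.last_seen} "
                     f"span={h.span()} users={sorted(h.users)} [{flag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(scan_log(SAMPLE_LOG))))
```

On the sample, 45.135.232.2 shows three hits spanning about three days with successful logins as one user, which is the kind of sustained access that warrants terminating that user's sessions and reviewing what they reached; the single failed login from 64.176.50.109 is consistent with the fingerprinting noise the author attributes to that address and is weak evidence on its own.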
## References
- Vendor Advisory Acknowledgment: Citrix has updated their disclosure blog after CISA added the vulnerability to the KEV catalog.
- Imperva Blog on Detection: https://www.imperva.com/blog/cve-2025-5777-exposes-citrix-netscaler-to-dangerous-memory-leak-attacks/
- Prior Researcher Blog 1 (CitrixBleed 2 exploitation started mid-June — how to spot it): https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
- Prior Researcher Blog 2 (CitrixBleed 2: Electric Boogaloo — CVE-2025-5777): URL not given in the text.
- Patching Status Data (Vulnerability Scan Results): https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt