This new CitrixBleed lookalike flaw is being exploited in the wild to gain initial access, according to ReliaQuest
# Vulnerability: Citrix NetScaler ADC/Gateway Session Hijacking Flaws (CitrixBleed 2 & Memory Overflow)
This summary covers critical recent vulnerabilities disclosed by Citrix that are reportedly being exploited in the wild.
## CVE Details
- **CVE-2025-5777** ("CitrixBleed 2"): Out-of-Bounds Read
  - **CVSS Score:** 9.3 (Critical)
  - **CWE:** CWE-125 (Out-of-bounds Read)
- **CVE-2025-5349**: Access Control Issue
  - **CVSS Score:** 8.7 (High)
- **CVE-2025-6543**: Memory Overflow leading to DoS
  - **CVSS Score:** 9.2 (Critical)
## Affected Systems
- **Products:** Citrix NetScaler ADC and Gateway devices.
- **Versions (CVE-2025-5777 & CVE-2025-6543):**
  - 14.1 before 14.1-47.46
  - 13.1 before 13.1-59.19
- **Versions (CVE-2025-5349):**
  - 14.1 before 14.1-43.56
  - 13.1 before 13.1-58.32
- **Configurations (CVE-2025-6543 Specific):** Affects devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
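The affected ranges above are easiest to apply to an inventory with a small version check. The following script is an added example, not Citrix tooling: it parses NetScaler build strings of the form `major.minor-build.patch`, compares them against the first fixed build per release train exactly as listed in this summary, and reports release trains the summary does not cover as "unlisted" rather than silently treating them as safe. The build strings fed in are constructed samples.

```python
"""Triage NetScaler ADC/Gateway build strings against the affected ranges above.

Added example. The fixed-build table is copied from the Affected Systems
section of this summary; anything not in that table is reported as unlisted.
"""
import re
from typing import NamedTuple


class Build(NamedTuple):
    major: int  # 14 in "14.1-47.46"
    minor: int  # 1
    build: int  # 47
    patch: int  # 46


_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(text: str) -> Build:
    """Parse a NetScaler build string; tuple ordering gives correct comparisons."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return Build(*(int(g) for g in m.groups()))


# First fixed build per (major, minor) release train, per the summary above.
FIXED_BUILDS = {
    "CVE-2025-5777": {(14, 1): "14.1-47.46", (13, 1): "13.1-59.19"},
    "CVE-2025-6543": {(14, 1): "14.1-47.46", (13, 1): "13.1-59.19"},
    "CVE-2025-5349": {(14, 1): "14.1-43.56", (13, 1): "13.1-58.32"},
}


def assess(build_str: str) -> tuple[str, list[str]]:
    """Return ("vulnerable", [CVEs]) / ("patched", []) / ("unlisted", []).

    "unlisted" means the release train is not covered by this summary's
    table, so no conclusion can be drawn from it (consult the vendor advisory).
    """
    b = parse_build(build_str)
    train = (b.major, b.minor)
    if not any(train in fixes for fixes in FIXED_BUILDS.values()):
        return ("unlisted", [])
    hits = [
        cve
        for cve, fixes in FIXED_BUILDS.items()
        if train in fixes and b < parse_build(fixes[train])
    ]
    return ("vulnerable", hits) if hits else ("patched", [])


if __name__ == "__main__":
    # Constructed inventory sample (hostnames and builds are made up).
    inventory = {
        "ns-gw-01": "14.1-47.45",
        "ns-gw-02": "14.1-43.50",
        "ns-adc-01": "13.1-59.19",
        "ns-legacy": "13.0-92.18",
    }
    for host, build in inventory.items():
        status, cves = assess(build)
        print(f"{host:10} {build:12} {status:10} {', '.join(cves)}")
```

Builds compare as 4-tuples, so `14.1-47.45` correctly sorts below `14.1-47.46` while `14.1-47.45` is not flagged for CVE-2025-5349 (its fix landed earlier in the 14.1 train).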
## Vulnerability Description
This summary focuses primarily on **CVE-2025-5777 ("CitrixBleed 2")**. This is an out-of-bounds read vulnerability that allows an attacker to bypass authentication mechanisms, including Multi-Factor Authentication (MFA), and hijack active user sessions. Unlike the original CitrixBleed (CVE-2023-4966), which targeted session cookies, this flaw targets **session tokens**, which are typically used in persistent sessions or API calls and therefore potentially offer longer-term access.
**CVE-2025-6543** is a separate memory overflow vulnerability that can lead to unintended control flow and Denial of Service (DoS) when the appliance is configured for specific gateway functions.
## Exploitation
- **Status:** **Exploited in the wild** (Reported for CVE-2025-5777 and CVE-2025-6543).
- **Complexity:** Likely Low to Medium, given the severity and similarity to previous, well-known exploitation patterns in Citrix products.
- **Attack Vector:** Network (Remote exploitation is implied for authentication bypass).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| **CVE-2025-5777** | High (Session Hijacking) | High (Session takeover) | Low (Indirect, via session misuse) |
| **CVE-2025-6543** | Low | Low | High (Denial of Service) |
## Remediation
### Patches
Citrix disclosed these vulnerabilities on June 17th and June 25th. Organizations must apply the released updates immediately. (The vendor advisory is the authoritative source for the complete list of fixed builds; the fix is to update to a build at or beyond the end of each affected range listed above.)
### Workarounds
The article does not list vendor-provided workarounds; given the active exploitation reports, immediate patching is the required action.
## Detection
Threat activity observed in relation to attacks leveraging these flaws includes:
- **Reconnaissance Activity:** Significant increase in LDAP queries associated with Active Directory reconnaissance.
- **Tool Usage:** Multiple instances of `ADExplorer64.exe` querying domain groups/permissions across domain controllers.
- **Anomalous Access:** Citrix sessions originating from unexpected data-center-hosting IP addresses, potentially indicating the use of consumer VPN services for obfuscation.
- **Connection Patterns:** Unusual connection patterns involving multiple source IP addresses.
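The four indicators above map onto three data sources a SOC usually already has: endpoint process/network telemetry, LDAP query volume per host, and NetScaler Gateway session records. The script below is an added example (not ReliaQuest's or Citrix's detection content) that runs each check over constructed sample records: `ADExplorer64.exe` fanning out to several domain controllers, a per-host LDAP volume spike against a baseline, and Gateway sessions that are either seen from more than one client IP or originate from a hosting-provider range. The log schemas, hostnames, IP addresses and the hosting CIDR list are all constructed; in practice the CIDR list would come from an ASN or VPN-provider feed.

```python
"""Hunt over constructed log samples for the Detection indicators listed above.

Added example. Field names, hosts, IPs and HOSTING_RANGES are assumptions
standing in for real Sysmon/EDR events, LDAP audit counts and NetScaler
Gateway session logs.
"""
from collections import defaultdict
import ipaddress

# Constructed endpoint network events (Sysmon event 3 style): which image
# on which host opened a connection to which destination and port.
NETWORK_EVENTS = [
    {"host": "WS-0042", "image": "ADExplorer64.exe", "dst": "dc01.corp.example", "dport": 389},
    {"host": "WS-0042", "image": "ADExplorer64.exe", "dst": "dc02.corp.example", "dport": 389},
    {"host": "WS-0042", "image": "ADExplorer64.exe", "dst": "dc03.corp.example", "dport": 389},
    {"host": "WS-0107", "image": "chrome.exe", "dst": "dc01.corp.example", "dport": 389},
    {"host": "WS-0108", "image": "ADExplorer64.exe", "dst": "dc01.corp.example", "dport": 389},
]

# Constructed per-host LDAP search counts: (current window, 30-day baseline mean).
LDAP_COUNTS = {
    "WS-0042": (4120, 35),
    "WS-0107": (40, 38),
    "SRV-APP1": (900, 850),
}

# Constructed NetScaler Gateway session records: session id, user, client IP.
CITRIX_SESSIONS = [
    {"session": "S-1001", "user": "alice", "src": "203.0.113.10"},
    {"session": "S-1001", "user": "alice", "src": "198.51.100.77"},
    {"session": "S-1002", "user": "bob", "src": "203.0.113.22"},
    {"session": "S-1003", "user": "carol", "src": "198.51.100.5"},
]

# Constructed stand-in for a data-center / consumer-VPN provider range feed.
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

LDAP_PORTS = {389, 636, 3268, 3269}


def adexplorer_fanout(events, min_dcs=2):
    """Hosts where ADExplorer64.exe reached at least `min_dcs` distinct LDAP targets."""
    targets = defaultdict(set)
    for e in events:
        if e["image"].lower() == "adexplorer64.exe" and e["dport"] in LDAP_PORTS:
            targets[e["host"]].add(e["dst"])
    return {h: sorted(t) for h, t in targets.items() if len(t) >= min_dcs}


def ldap_spikes(counts, factor=10, floor=500):
    """Hosts whose LDAP volume exceeds both an absolute floor and factor x baseline.

    The floor keeps tiny baselines (e.g. 2 -> 40 queries) from paging anyone.
    """
    return sorted(h for h, (cur, base) in counts.items() if cur >= floor and cur > factor * base)


def hijack_candidates(sessions, hosting_ranges):
    """Sessions seen from more than one client IP, and sessions from hosting ranges."""
    ips_by_session = defaultdict(set)
    for s in sessions:
        ips_by_session[s["session"]].add(s["src"])
    multi_ip = {sid: sorted(ips) for sid, ips in ips_by_session.items() if len(ips) > 1}

    def from_hosting(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in hosting_ranges)

    hosting = sorted({s["session"] for s in sessions if from_hosting(s["src"])})
    return {"multi_ip_sessions": multi_ip, "hosting_origin_sessions": hosting}


def triage():
    """Run all three checks over the constructed samples and return one report."""
    return {
        "adexplorer_fanout": adexplorer_fanout(NETWORK_EVENTS),
        "ldap_spikes": ldap_spikes(LDAP_COUNTS),
        "citrix": hijack_candidates(CITRIX_SESSIONS, HOSTING_RANGES),
    }


if __name__ == "__main__":
    for check, result in triage().items():
        print(f"{check}: {result}")
```

A single session id observed from two client addresses is the strongest of the three signals for token replay; the other two checks describe what the article reports happening after access was gained, so they are best correlated with the session finding rather than alerted on alone.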
## References
- Vendor Advisory (Citrix): `CTX693420` (disclosed June 17)
- Researcher Analysis (CitrixBleed 2): `doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206`
- Threat Analysis (ReliaQuest): `reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/`