Full Report
A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely exploited in attacks, according to cybersecurity firm ReliaQuest, seeing an increase in suspicious sessions on Citrix devices. [...]
Analysis Summary
# Vulnerability: Critical Citrix NetScaler Flaw (Citrix Bleed 2) Likely Exploited
## CVE Details
- CVE ID: CVE-2025-5777 (named in the report as the "Citrix Bleed 2" flaw)
- CVSS Score: Critical (Score not explicitly provided, but severity is indicated as "Critical")
- CWE: Not explicitly provided
## Affected Systems
- Products: Citrix NetScaler ADC and Gateway
- Versions: Specific vulnerable versions are not listed, but remediation versions imply the flaw exists in earlier versions of 14.1, 13.1, and 13.1-FIPS/NDcPP branches.
- Configurations: Applicable to devices running unpatched NetScaler ADC or Gateway instances accessible externally.
## Vulnerability Description
The vulnerability, termed "Citrix Bleed 2," is described as a flaw that allows attackers to hijack active Citrix sessions. Post-exploitation activity observed includes attackers using tools like ADExplorer64.exe for domain reconnaissance, mapping users, groups, and permissions, indicating successful unauthorized access to the internal network via the compromised NetScaler. Sessions were observed originating from consumer VPN providers, suggesting attacker obfuscation.
## Exploitation
- Status: Likely exploited in the wild
- Complexity: Medium (Requires initial access/exploitation of the NetScaler flaw)
- Attack Vector: Network (Initial exploitation vector impacts the external-facing NetScaler Gateway)
## Impact
- Confidentiality: High (Indicated by successful discovery of user/group mappings and permissions)
- Integrity: High (Indicated by domain reconnaissance activities)
- Availability: Potential impact through session hijacking leading to service disruption or data manipulation.
## Remediation
### Patches
The vendor advises upgrading to the following versions to remediate the vulnerability:
* 14.1-43.56+
* 13.1-58.32+
* 13.1-FIPS/NDcPP 13.1-37.235+
### Workarounds
If immediate patching is impossible:
1. Limit external access to NetScaler devices using network ACLs or firewall rules.
2. **Crucially:** Terminate all active ICA and PCoIP sessions after patching, or while awaiting a patch, because existing sessions may already be hijacked.
   * Before termination, review active sessions for suspicious activity by running the `show icaconnection` command and inspecting **NetScaler Gateway** > **PCoIP** > **Connections**.
   * Terminate sessions using:

     ```
     kill icaconnection -all
     kill pcoipconnection -all
     ```
## Detection
- Indicators of Compromise (IoCs) include:
  - Multiple instances of `ADExplorer64.exe` running across systems.
  - Attackers attempting reconnaissance to map users, groups, and permissions.
  - Citrix sessions originating from data center IPs associated with consumer/commercial VPN providers (the report mentions DataCamp IPs).
- Detection should focus on monitoring endpoint activity for post-exploitation behavior (such as AD reconnaissance) and on analyzing NetScaler logs for unusual connection origins or abnormal session activity.
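As an added illustration (not code from the article or from ReliaQuest), the two detection ideas above expressed as simple correlation logic in Python over constructed sample events: session logons are checked against a list of flagged source ranges, and process-creation events are correlated to find the reconnaissance tool running on several hosts. The CIDRs, host names and file paths are placeholders a team would replace with its own provider feed and telemetry.

```python
import ipaddress

# Constructed placeholder: ranges an analyst would populate from a
# commercial VPN / data-centre provider feed. RFC 5737 documentation
# networks stand in here; they are not real VPN provider addresses.
VPN_PROVIDER_RANGES = [ipaddress.ip_network(c)
                       for c in ("203.0.113.0/24", "198.51.100.0/24")]
RECON_TOOL = "adexplorer64.exe"

# Constructed sample telemetry: NetScaler Gateway session logons and
# endpoint process-creation events, flattened to dicts for the example.
SESSION_EVENTS = [
    {"user": "alice", "src_ip": "10.20.30.40"},
    {"user": "bob", "src_ip": "203.0.113.77"},
    {"user": "carol", "src_ip": "198.51.100.12"},
]
PROCESS_EVENTS = [
    {"host": "WS01", "image": r"C:\Tools\ADExplorer64.exe"},
    {"host": "WS07", "image": r"C:\Users\bob\Downloads\ADExplorer64.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\notepad.exe"},
]


def sessions_from_vpn_ranges(events):
    """Return (user, src_ip) pairs whose source address is in a flagged range."""
    hits = []
    for e in events:
        ip = ipaddress.ip_address(e["src_ip"])
        if any(ip in net for net in VPN_PROVIDER_RANGES):
            hits.append((e["user"], e["src_ip"]))
    return hits


def hosts_running_recon_tool(events, min_hosts=2):
    """Return the sorted hosts where ADExplorer64.exe ran, but only when the
    tool appears on at least min_hosts distinct hosts (a single admin running
    it once is expected; several hosts at once matches the reported activity)."""
    hosts = set()
    for e in events:
        # Compare on the image file name only; the directory varies per host.
        if e["image"].lower().rsplit("\\", 1)[-1] == RECON_TOOL:
            hosts.add(e["host"])
    return sorted(hosts) if len(hosts) >= min_hosts else []


if __name__ == "__main__":
    print("sessions from flagged ranges:", sessions_from_vpn_ranges(SESSION_EVENTS))
    print("hosts running recon tool:", hosts_running_recon_tool(PROCESS_EVENTS))
```

Both checks are meant to be combined with a window (for example, the same hour) so that a VPN-origin session followed by the tool appearing on several hosts raises a single higher-priority alert.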
## References
- Vendor advisories: not explicitly detailed in the report, but implied by the patched versions.
- Relevant links (defanged):
  - hXXps://www.bleepingcomputer.com/news/security/critical-citrix-bleed-2-flaw-now-likely-exploited-in-attacks/