Full Report
A recent vulnerability in Citrix NetScaler ADC and Gateway has been dubbed "CitrixBleed 2" because of its resemblance to an older, widely exploited flaw that allowed unauthenticated attackers to steal authentication session cookies from vulnerable devices. [...]
Analysis Summary
# Vulnerability: CitrixBleed 2 Advisory: NetScaler Improper Access Control in the Management Interface (CVE-2025-5349)
## CVE Details
- CVE ID: CVE-2025-5349
- CVSS Score: Not stated on this page; High is implied by the session-hijacking impact described below. Check the vendor advisory for the official vector and score.
- CWE: CWE-284 (Improper Access Control)
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway (the flaw lies in the NetScaler Management Interface)
- Versions: All builds of each supported branch before the fixed builds listed under Remediation. End-of-Life (EOL) branches ADC/Gateway 12.1 (non-FIPS) and ADC/Gateway 13.0 are also affected but will not receive patches.
- Configurations: Exploitable when the attacker can reach the NSIP (NetScaler Management IP), the Cluster Management IP, or the Local GSLB Site IP. Appliances whose management IPs are confined to an isolated management network are exposed only from that network.
## Vulnerability Description
CVE-2025-5349 is an **Improper Access Control** vulnerability in the NetScaler Management Interface. An attacker with network reachability to the management IPs (NSIP, Cluster Management IP, or Local GSLB Site IP) can reach management functionality that should be restricted, and through it can compromise authenticated sessions on the appliance. Strictly speaking, the "CitrixBleed 2" name belongs to the companion flaw disclosed in the same Citrix advisory, CVE-2025-5777, an insufficient-input-validation bug that leads to a memory overread on Gateway and AAA virtual servers and lets an unauthenticated attacker read session tokens, much like the original CitrixBleed. Both issues are fixed in the same builds, and the post-upgrade session cleanup below applies to both.
## Exploitation
- Status: This page does not state whether CVE-2025-5349 is being exploited in the wild. Given how quickly the original CitrixBleed was weaponized, treat exploitation as likely and patch on an emergency timeline.
- Complexity: Low once the attacker can reach a management IP; the main barrier is network reachability, not a difficult exploit.
- Attack Vector: Network, with the precondition that the management interface IPs are reachable from the attacker's position. Management IPs exposed to the internet or to a flat corporate LAN are the highest-risk case.
## Impact
- Confidentiality: High (Session hijacking can lead to unauthorized data access).
- Integrity: High (Session hijacking implies control over authenticated activities).
- Availability: Low (Direct impact on availability is not the primary concern, though session termination is required for mitigation).
## Remediation
### Patches
Upgrade to at least the following builds to address CVE-2025-5349:
- NetScaler ADC and NetScaler Gateway 14.1: 14.1-43.56 and later
- NetScaler ADC and NetScaler Gateway 13.1: 13.1-58.32 and later
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP: 13.1-37.235 and later
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP: 12.1-55.328 and later
**Note:** The End-of-Life branches (ADC/Gateway 12.1 non-FIPS and 13.0) will not receive patches; appliances on those branches must be migrated to a supported release immediately.
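Deciding whether a fleet of appliances is on a fixed build is error-prone by hand because the FIPS/NDcPP branches use their own build numbering and two branches are EOL with no fix at all. The following Python script is an added example, not Citrix code or part of the original page: it parses the release and build out of `show ns version` output and classifies the appliance against the fixed builds listed above. The sample output strings are constructed for the example, and whether an appliance runs a FIPS/NDcPP build is passed in by the caller rather than inferred from the version string (an assumption of this example, not vendor guidance).

```python
import re

# Minimum fixed builds from the Remediation list, keyed by
# (release branch, is_fips_or_ndcpp). FIPS/NDcPP branches are tracked
# separately because their build numbers are not comparable to mainline.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),
}

# Non-FIPS branches that are end-of-life and will never receive a fix.
EOL_BRANCHES = {("13.0", False), ("12.1", False)}

# Matches the release branch and build in `show ns version` output,
# e.g. "NetScaler NS14.1: Build 43.50.nc, Date: ...".
VERSION_RE = re.compile(
    r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(output: str):
    """Return (branch, (major, minor)) from `show ns version` text, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def assess(output: str, fips: bool = False) -> str:
    """Classify an appliance as 'fixed', 'vulnerable', 'eol' or 'unknown'.

    `fips` is supplied by the caller (assumption of this example): the
    version string alone does not tell us whether the build is FIPS/NDcPP.
    """
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    key = (branch, fips)
    if key in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"
    # Tuple comparison handles the major/minor ordering (44.1 > 43.56).
    return "fixed" if build >= fixed else "vulnerable"


# Constructed sample output (not captured from real appliances).
SAMPLES = [
    ("NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025, 10:00:00", False),
    ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025, 10:00:00", False),
    ("NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025, 10:00:00", False),
    ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 10 2025, 10:00:00", True),
    ("NetScaler NS13.0: Build 92.31.nc, Date: Jan 5 2025, 10:00:00", False),
    ("NetScaler NS12.1: Build 55.328.nc, Date: Jun 10 2025, 10:00:00", True),
]


def assess_all(samples=SAMPLES):
    """Return (version label, status) for each sample."""
    return [(text.split(",")[0], assess(text, fips)) for text, fips in samples]


if __name__ == "__main__":
    for label, status in assess_all():
        print(f"{status:10s} {label}")
```

Feed it the first line of `show ns version` from each appliance (for example, collected over SSH by your inventory tooling) and pass `fips=True` for appliances you know run FIPS/NDcPP builds. An `eol` result means no upgrade within the branch will help; the appliance needs migration to a supported release.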
### Post-Upgrade Actions
These steps do not substitute for patching; they remove sessions that may already have been hijacked before the fix was applied.
1. **Review Active Sessions:** Before terminating sessions, review the existing active sessions for anything suspicious (unexpected users, source IPs, or session times) using the `show icaconnection` command and the NetScaler Gateway GUI path (**NetScaler Gateway** > **PCoIP** > **Connections**).
2. **Terminate Sessions (Post-Patching):** After the appliances have been upgraded, Citrix strongly recommends terminating all active ICA and PCoIP sessions so that any stolen session tokens stop working:

    kill icaconnection -all
    kill pcoipconnection -all

Run these on each upgraded appliance (and on each cluster node); users will have to re-authenticate, which is the intended effect.
## Detection
- Indicators of Compromise: Connections to the NSIP, Cluster Management IP, or Local GSLB Site IP from sources that are not your administrative hosts or jump boxes; authenticated sessions whose client IP changes mid-session or that appear outside normal working hours; administrative logins that do not match a change record.
- Detection Methods and Tools: Review NetScaler logs (ns.log and any syslog export) for connections to the management interfaces from unexpected sources, compare the output of `show icaconnection` against expected users and client IPs, and confirm at the network layer (firewall or flow logs) that the management IPs are reachable only from the management network.
## References
- Vendor Advisories: Citrix security bulletin CTX693420 covers CVE-2025-5349 together with CVE-2025-5777, lists the fixed builds, and carries the session-termination recommendations summarized above.
- Relevant Links:
- https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/