- CitrixBleed 2 was discovered in mid-June 2025
- But there were quickly reports of abuse in the wild
- CISA is now urging FCEB agencies to patch immediately
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CitrixBleed 2 to its Known Exploited Vulnerabilities (KEV) catalog, alerting Federal Civilian Branch Agencies (FCEB), as well as other businesses, that the bug is being actively exploited in the wild.
On July 10, CISA added CVE-2025-5777 to the catalog – a critical-severity (9.3/10) insufficient input validation vulnerability that leads to memory overread. It affects Citrix NetScaler ADC and NetScaler Gateway devices, versions 14.1 and before 47.46, and from 13.1 and before 59.19.
It can be abused against vulnerable NetScaler ADC and NetScaler Gateway appliances to extract sensitive memory contents, including session tokens, credentials, and potentially other user data, without authentication. Given its similarity to a previous Citrix vulnerability called CitrixBleed, security researchers dubbed it CitrixBleed 2.
“Significant risk”
The bug was first discovered in mid-June 2025, and by early July, there were already reports of abuse in the wild.
Citrix released a patch but apparently, the majority of instances have not yet been patched, presenting a unique opportunity for cybercriminals.
Multiple security researchers, including ReliaQuest, watchTowr, and Horizon3.ai, have warned users of ongoing exploitation campaigns. Akamai also added that it observed a “drastic increase” in scanning for potentially vulnerable NetScaler endpoints.
Now, CISA also confirmed the reports of in-the-wild attacks.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said in a short security advisory.
What’s also interesting is the tight deadline it gave FCEB agencies to patch their endpoints. Usually, agencies have 21 days to apply the patch or stop using the affected software altogether. In this case, the deadline was – just 24 hours.
Citrix has not yet unequivocally stated that the bugs were being exploited. It did, however, urge everyone to apply the patch without delay.
Via TechCrunch
