Citrix users are facing a new security threat, as a recently identified out-of-bounds read vulnerability dubbed ‘Citrix Bleed 2’ is believed to be actively exploited in the wild. This flaw, tracked as CVE-2025-5777, resembles the infamous ‘Citrix Bleed’ vulnerability that led to significant risks in the past. According to cybersecurity firm ReliaQuest, this vulnerability is causing alarm as it could potentially allow attackers to hijack user sessions and bypass multi-factor authentication (MFA).
The issue stems from insufficient input validation affecting Citrix NetScaler ADC and NetScaler Gateway devices, leading to possible memory overread. A recent advisory from Citrix provides details on the vulnerabilities and stresses the need for immediate action.
Although no public exploitation has been officially reported yet, researchers at ReliaQuest expressed medium confidence in their assessment that malicious actors are exploiting this vulnerability to infiltrate targeted environments. ReliaQuest urges Citrix customers to patch their affected systems without delay, advising them to follow the guidance provided in the advisory to mitigate ongoing risks.
Citrix has characterized this vulnerability as having a critical severity rating, with a CVSS score of 9.3 out of 10. This particular flaw allows for an out-of-bounds memory read on devices configured as Gateway or Authentication servers, which could lead to session tokens being stolen. Such tokens, which are crucial for API and persistent authentication, can be reused to bypass MFA, maintaining unauthorized access even after legitimate users log off.
Cybersecurity expert Kevin Beaumont described the vulnerability’s impact, likening it to the chaotic return of a celebrity to social media: ‘Kanye West returning to Twitter – the same old chaos but louder.’ Citrix released patches for the affected versions on June 17; until full remediation is in place, organizations are encouraged to take precautionary measures.
Indicators of real-world exploitation have been highlighted by ReliaQuest, showing instances where attackers successfully hijacked active Citrix web sessions while bypassing MFA restrictions. Among the findings, session reuse across multiple IPs, including both expected and suspicious addresses, raises concerns over attackers’ evolving tactics. In compromised environments, these malicious actors have proceeded with reconnaissance operations, utilizing advanced tools to probe the networks.
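As an added illustration (not code from ReliaQuest, Citrix or the article), the following Python check runs over constructed, simplified session records and flags the pattern described above: one session token used from several client IPs, with any address outside the expected ranges called out. The log format, session IDs, usernames and IP ranges are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed, simplified session-activity records (not a real NetScaler log
# format): one line per request with the session ID and the client IP.
SAMPLE_LOG = """\
2025-06-20T08:01:12Z session=a1f9c3 user=jdoe client_ip=10.20.30.40
2025-06-20T08:03:45Z session=a1f9c3 user=jdoe client_ip=10.20.30.40
2025-06-20T08:05:02Z session=a1f9c3 user=jdoe client_ip=203.0.113.77
2025-06-20T08:06:11Z session=b77e10 user=asmith client_ip=10.20.31.5
2025-06-20T08:07:30Z session=b77e10 user=asmith client_ip=10.20.31.9
2025-06-20T08:09:00Z session=c0ffee user=mlee client_ip=198.51.100.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\w+) user=(?P<user>\S+) client_ip=(?P<ip>\S+)$"
)


def parse_lines(text):
    """Yield (timestamp, session_id, user, ip) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("session"), m.group("user"), m.group("ip")


def find_reused_sessions(text, expected_networks):
    """Return {session_id: {"user", "ips", "unexpected_ips"}} for every session
    seen from more than one client IP. "unexpected_ips" are those outside the
    expected (e.g. corporate) ranges. Sessions roaming only between expected
    addresses are still reported, since they deserve a look but rank lower."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    seen = defaultdict(dict)  # session -> {ip: first_seen_ts}, insertion-ordered
    users = {}
    for ts, sid, user, ip in parse_lines(text):
        seen[sid].setdefault(ip, ts)
        users[sid] = user
    findings = {}
    for sid, ips in seen.items():
        if len(ips) < 2:
            continue  # single-IP sessions are not the pattern of interest
        unexpected = [ip for ip in ips
                      if not any(ipaddress.ip_address(ip) in n for n in nets)]
        findings[sid] = {"user": users[sid], "ips": list(ips), "unexpected_ips": unexpected}
    return findings


if __name__ == "__main__":
    for sid, finding in find_reused_sessions(SAMPLE_LOG, ["10.0.0.0/8"]).items():
        print(sid, finding)
```

Sessions flagged with a non-empty `unexpected_ips` list are the ones to triage first; the expected-network list should reflect your own VPN and office egress ranges.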
Thomas’s advisory calls for organizations to apply the necessary patches immediately, audit external NetScaler exposure, and ensure network access restrictions are in place. Post-patching steps should also involve terminating all active user sessions to prevent further risks.