- CISA added a critical Citrix NetScaler vulnerability (CVE-2025-5777) to its Known Exploited Vulnerabilities Catalog after confirmation of active attacks.
- The vulnerability, called “Citrix Bleed 2,” allows authentication bypass and memory overreads, leading to potential exposure of sensitive data.
- Security researchers and vendors have reported ongoing exploitation by attackers, despite Citrix not yet updating its own advisories.
- Attackers target critical network appliances, putting enterprise networks at risk, while CISA recommends immediate patching and forced session termination.
- Other vulnerabilities, such as CVE-2024-36401 in GeoServer, are also being used in attacks, including the deployment of crypto mining Malware.
On July 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog. This move confirms that the vulnerability, identified as CVE-2025-5777, is being used in active cyberattacks.
CVE-2025-5777, also known as “Citrix Bleed 2,” carries a CVSS score of 9.3. The vulnerability exists due to insufficient input validation. When exploited, it permits attackers to bypass authentication on systems set up as a Gateway or AAA virtual server. This issue causes a memory overread, potentially revealing sensitive information.
A report by security researcher Kevin Beaumont stated exploitation began in mid-June. One of the attacker IP addresses was reportedly linked to the RansomHub Ransomware group. Data from GreyNoise indicated 10 malicious IP addresses from multiple countries, with the United States, France, Germany, India, and Italy as top targets. Citrix has not confirmed exploit activity in its official advisories as of June 26, 2025.
The vulnerability’s risk is high because affected devices often serve as VPNs or authentication servers. “Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks,” according to Akamai. Experts warn that attackers may gain wider access to corporate networks by exploiting vulnerable appliances and pivoting to other internal systems.
CISA advises all organizations to update to Citrix’s patched builds listed in its June 17 advisory, such as version 14.1-43.56 or later. After patching, administrators should end all active sessions to invalidate any stolen authentication tokens. Security teams should review logs for unusual activity on authentication endpoints, as this flaw can enable token theft and session replay without leaving standard malware traces.
In separate incidents, attackers are exploiting a critical flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to install NetCat and XMRig coin miners in South Korea. Once installed, these miners use system resources to generate cryptocurrency, with NetCat enabling further malicious actions or data theft.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Bitcoin Hits Record $116,000 as Rally Lifts Crypto Markets Higher
- Stablecoins Dominate DeFi, Raising Questions of Centralization Risks
- Plasma Sets July 17 Token Sale Ahead of Mainnet, New Stablecoins
- UK Arrests Four in Major Retail Cyber Attacks on M&S, Co-op, Harrods
- SharpLink Nears Record as Biggest Corporate Ethereum Holder
