CISA Confirms Citrix Bleed 2 Vulnerability Actively Exploited

  • CISA added a critical Citrix NetScaler vulnerability (CVE-2025-5777) to its Known Exploited Vulnerabilities Catalog after confirmation of active attacks.
  • The vulnerability, called “Citrix Bleed 2,” allows authentication bypass and memory overreads, leading to potential exposure of sensitive data.
  • Security researchers and vendors have reported ongoing exploitation by attackers, despite Citrix not yet updating its own advisories.
  • Attackers target critical network appliances, putting enterprise networks at risk, while CISA recommends immediate patching and forced session termination.
  • Other vulnerabilities, such as CVE-2024-36401 in GeoServer, are also being used in attacks, including the deployment of crypto mining Malware.

On July 10, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw affecting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog. This move confirms that the vulnerability, identified as CVE-2025-5777, is being used in active cyberattacks.

- Advertisement -

CVE-2025-5777, also known as “Citrix Bleed 2,” carries a CVSS score of 9.3. The vulnerability exists due to insufficient input validation. When exploited, it permits attackers to bypass authentication on systems set up as a Gateway or AAA virtual server. This issue causes a memory overread, potentially revealing sensitive information.

A report by security researcher Kevin Beaumont stated exploitation began in mid-June. One of the attacker IP addresses was reportedly linked to the RansomHub Ransomware group. Data from GreyNoise indicated 10 malicious IP addresses from multiple countries, with the United States, France, Germany, India, and Italy as top targets. Citrix has not confirmed exploit activity in its official advisories as of June 26, 2025.

The vulnerability’s risk is high because affected devices often serve as VPNs or authentication servers. “Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks,” according to Akamai. Experts warn that attackers may gain wider access to corporate networks by exploiting vulnerable appliances and pivoting to other internal systems.

CISA advises all organizations to update to Citrix’s patched builds listed in its June 17 advisory, such as version 14.1-43.56 or later. After patching, administrators should end all active sessions to invalidate any stolen authentication tokens. Security teams should review logs for unusual activity on authentication endpoints, as this flaw can enable token theft and session replay without leaving standard malware traces.

In separate incidents, attackers are exploiting a critical flaw in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to install NetCat and XMRig coin miners in South Korea. Once installed, these miners use system resources to generate cryptocurrency, with NetCat enabling further malicious actions or data theft.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

- Advertisement -

Previous Articles:

Stay in the Loop

Get exclusive crypto insights, breaking news, and market analysis delivered straight to your inbox. No fluff, just facts.

    1 Email per day. Unsubscribe at any time.

    - Advertisement -

    Latest News

    Citrix Patches Critical NetScaler RCE Flaw Amid Active Attacks

    Citrix addressed three security vulnerabilities in NetScaler ADC and NetScaler Gateway, one of which...

    CME XRP Futures Hit $1B Fastest Ever as Gemini Tops Coinbase App

    CME Group XRP futures reached $1 billion in open interest in just over three...

    Gemini Unveils XRP Mastercard: No New Perks, Just Blue Branding

    Gemini has released an "XRP Edition" of its credit card in partnership with Mastercard.The...

    Google Unveils Gemini 2.5 Flash Image to Rival OpenAI’s ChatGPT

    Google released Gemini 2.5 Flash Image, its latest AI tool for image generation and...

    MixShell Malware Targets U.S. Manufacturers in ZipLine Attack

    Attackers are targeting supply chain-related manufacturing companies using an in-memory Malware called MixShell.The campaign,...

    Must Read

    7 Best NFT Marketplaces for Every Need

    Open Sea | Pianity | Foundation | Magic Eden | SuperRare | Rarible | Theta Drop | Other Platforms | About NFTs | FAQ...