The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a significant security vulnerability affecting Citrix NetScaler ADC and Gateway in its Known Exploited Vulnerabilities catalog. This vulnerability, identified as CVE-2025-5777, has been confirmed to be exploited in the wild.
CVE-2025-5777 carries a CVSS score of 9.3 and is characterized by insufficient input validation, allowing an attacker to circumvent authentication when the appliance is configured as a Gateway or Authentication, Authorization, and Accounting (AAA) virtual server. The flaw is also referred to as "Citrix Bleed 2" due to its resemblance to a previous vulnerability known as Citrix Bleed (CVE-2023-4966).
According to CISA, "Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation," which can result in memory overread when configured as a Gateway or AAA virtual server. Although various security vendors have reported real-world exploitation of this flaw, Citrix has not updated its advisories to confirm this information. Anil Shetty, the Senior Vice President of Engineering at NetScaler, stated on June 26, 2025, that there was no evidence suggesting exploitation of CVE-2025-5777 at that time.
However, security researcher Kevin Beaumont reported that exploitation of Citrix Bleed 2 began as far back as mid-June. Additionally, data from GreyNoise indicates that exploitation attempts have originated from 10 unique malicious IP addresses across various countries, including Bulgaria, the United States, and China, targeting networks primarily in the United States, France, and Germany.
CISA’s action comes shortly after another vulnerability in the same product, CVE-2025-6543, was also identified as being actively exploited. This flaw also holds a high CVSS score and was added to the KEV catalog on June 30, 2025.
Akamai describes the Citrix Bleed flaw’s nature by noting that the memory leak can be repeatedly triggered by sending the same payload, leading to the exposure of sensitive information, including session tokens and other critical data that could facilitate unauthorized access to internal systems.
To address this vulnerability, organizations are urged to update to the patched versions listed in Citrix’s advisory from June 17, 2025. It is recommended that all active sessions, particularly those authenticated via AAA or Gateway, be terminated to invalidate any potentially stolen tokens. Administrators should also monitor logs for suspicious activity and take note of any unexpected XML data in responses, which may indicate exploitation attempts.
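As an added example (not code from the article, CISA or Citrix), the following script turns the two observable points above into a log triage check: XML responses whose element text carries control bytes that never belong in well-formed text (the footprint of an out-of-bounds read), and a single source replaying one identical request. The record layout, field names, sample values and the replay threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Control bytes that should never appear inside XML element text; a memory
# overread typically drags nulls and other binary into the response body.
CONTROL_BYTES = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
REPLAY_THRESHOLD = 5  # assumed tuning value: identical requests per source

def xml_has_binary_leak(body: str) -> bool:
    """True when an XML-looking response contains control bytes in its text."""
    if not body.lstrip().startswith("<"):
        return False
    text_only = re.sub(r"<[^>]*>", "", body)  # drop tags, keep element text
    return CONTROL_BYTES.search(text_only) is not None

def find_replays(records, threshold=REPLAY_THRESHOLD):
    """Map (source, request fingerprint) -> count for sources that replay the
    same request at least `threshold` times; the fingerprint field is an
    assumed hash of method, path and body computed by the log pipeline."""
    counts = defaultdict(int)
    for rec in records:
        counts[(rec["src"], rec["request_fp"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def triage(records):
    """Return the records with leaked binary in XML and the replaying sources."""
    leaks = [rec for rec in records if xml_has_binary_leak(rec["response_body"])]
    replays = find_replays(records)
    return {
        "leak_responses": leaks,
        "replay_sources": sorted({src for src, _ in replays}),
    }

# Constructed sample: one source replays a login request six times and gets
# XML back containing nulls and a token-like fragment; another source behaves
# normally. Addresses are documentation ranges, not real indicators.
SAMPLE_RECORDS = (
    [{"src": "203.0.113.7", "request_fp": "post:/login:9f2c",
      "response_body": "<R><V>\x00\x00\x01SESSID=3c1d</V></R>"}] * 6
    + [{"src": "198.51.100.4", "request_fp": "post:/login:11aa",
        "response_body": "<R><V>ok</V></R>"},
       {"src": "198.51.100.4", "request_fp": "get:/portal:77b0",
        "response_body": "<html>welcome</html>"}]
)

if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print(len(result["leak_responses"]), result["replay_sources"])
```

Any hit from either check is a reason to treat sessions issued by that appliance as suspect and to terminate them as the advisory recommends, rather than relying on the patch alone.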