A critical vulnerability in Citrix NetScaler devices, dubbed “CitrixBleed 2,” has become a prime target for cybercriminals following the public disclosure of exploitation techniques.
The flaw, identified as CVE-2025-5777, was initially reported to Citrix customers on June 17, 2025, and has since sparked widespread scanning and exploitation attempts across the internet.
Vulnerability Enables Widespread Data Exposure
The CitrixBleed 2 vulnerability represents a significant security risk for organizations using affected Citrix NetScaler ADC and Gateway devices.
The flaw stems from an uninitialized login variable combined with improper memory handling in the authentication function written in C/C++.
This oversight allows an unauthenticated attacker to read sensitive memory content simply by sending requests to the URL path /p/u/doAuthentication.do; no prior authentication or session is needed.
The vulnerability affects multiple versions of NetScaler devices, including NetScaler ADC and Gateway 14.1 before 14.1-43.56, version 13.1 before 13.1-58.32, and several FIPS-enabled versions.
These devices often serve as VPNs, proxies, or AAA virtual servers, making them attractive targets for cybercriminals seeking to infiltrate corporate networks.
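Because the fixed builds are named only as "14.1 before 14.1-43.56" and "13.1 before 13.1-58.32", a fleet inventory has to compare build numbers within each branch rather than sort version strings lexically. The following checker is an added example, not code from the article or from Citrix; it covers only the two branches the article enumerates (the FIPS builds it mentions are not numbered there, so those fall through to "check-vendor"), and the "NetScaler NS14.1: Build 43.56.nc" banner format it also accepts is an assumed spelling of the appliance's `show ns version` output.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed builds as stated in the article. FIPS builds are listed separately by
# the vendor and are deliberately absent from this table.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}

# Two spellings of the same version: the short "14.1-43.56" form used in the
# advisory text, and the "NetScaler NS14.1: Build 43.56.nc" banner form
# (assumed format of the appliance's `show ns version` output).
SHORT_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build, sub_build)) from either spelling, else raise."""
    text = text.strip()
    m = SHORT_RE.match(text) or BANNER_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, sub = m.groups()
    return branch, (int(build), int(sub))


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False at or above it,
    None when the branch is not in the table (e.g. FIPS or end-of-life lines)."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    # Tuple comparison orders (build, sub_build) numerically, so 43.56 > 43.9.
    return build < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each appliance name to 'patch', 'ok' or 'check-vendor'."""
    verdicts: Dict[str, str] = {}
    for name, version in inventory.items():
        state = is_vulnerable(version)
        if state is True:
            verdicts[name] = "patch"
        elif state is False:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "check-vendor"
    return verdicts


if __name__ == "__main__":
    # Constructed inventory: appliance names and the version strings they report.
    fleet = {
        "gw-eu-1": "14.1-43.50",
        "gw-eu-2": "NetScaler NS14.1: Build 43.56.nc, Date: Jun 12 2025",
        "gw-us-1": "13.1-57.26",
        "gw-legacy": "12.1-55.1",
    }
    for host, verdict in triage(fleet).items():
        print(f"{host:10s} {verdict}")
```

A "check-vendor" verdict is the safe default for anything outside the table; silently treating an unknown branch as patched is the failure mode to avoid.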
The exploitation technique involves sending crafted requests with oversized User-Agent headers containing recognizable patterns.
When successful, the attack causes the device to leak stack memory content through XML tags in the response, potentially exposing session tokens, passwords, usernames, and configuration data.
This “bleeding” effect can be repeated continuously, allowing attackers to extract substantial amounts of sensitive information from the same target.
Mass Scanning Campaign Detected
Security researchers have observed a dramatic escalation in exploitation attempts since the vulnerability’s disclosure.
On July 8, 2025, monitoring systems detected over 200,000 POST requests targeting the vulnerable authentication endpoint across multiple hostnames and IP addresses.
This large-scale scanning campaign indicates organized efforts by threat actors to identify vulnerable NetScaler instances across the internet.
The vulnerability’s name, “CitrixBleed 2,” references both its memory-leaking behavior and its connection to the original CitrixBleed vulnerability (CVE-2023-4966) discovered in 2023.
While the previous flaw involved malformed Host headers, the current iteration exploits uninitialized variables in the authentication logic.
Immediate Action Required
Organizations using affected Citrix NetScaler devices should immediately apply available patches and implement monitoring for suspicious authentication requests.
Akamai’s App & API Protector customers are protected through Rapid Rule 3000967, which was deployed on July 7, 2025, with a default “Alert” action, subsequently upgraded to “Deny” on July 8.
The vulnerability’s ease of exploitation, combined with the critical nature of the affected devices, makes immediate remediation essential.
Organizations should also conduct thorough security audits to identify potential unauthorized access attempts, as attackers may have already leveraged leaked credentials for lateral movement within compromised networks.
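The traffic described above (POST requests to /p/u/doAuthentication.do with oversized User-Agent headers, repeated many times from the same source) is easy to pick out of ordinary access logs, which is the kind of monitoring the article recommends. The script below is an added example, not code from the article, from Akamai or from Citrix: it assumes a combined-format access log, constructs its own sample lines, and uses two thresholds (User-Agent longer than 512 bytes, five or more hits from one source) that are assumptions to tune against local baselines.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

TARGET_PATH = "/p/u/doAuthentication.do"
UA_LENGTH_THRESHOLD = 512   # assumed: real browser User-Agents are well under this
REPEAT_THRESHOLD = 5        # assumed: repeated hits suggest the "bleed" being looped

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one normal sign-in, one unrelated GET, one scanner
# request with an oversized header, six rapid POSTs from another source, and
# one malformed line that the parser must skip.
LONG_UA = "Mozilla/5.0 " + "A" * 700
SAMPLE_LOG: List[str] = [
    '203.0.113.7 - - [08/Jul/2025:10:01:02 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"',
    '203.0.113.7 - - [08/Jul/2025:10:01:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"',
    f'198.51.100.23 - - [08/Jul/2025:10:02:11 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 2048 "-" "{LONG_UA}"',
    "garbage line that does not parse",
] + [
    f'198.51.100.99 - - [08/Jul/2025:10:03:{i:02d} +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 2048 "-" "curl/8.5.0"'
    for i in range(6)
]


def analyse(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Group POSTs to the authentication endpoint by source and flag sources
    that sent an oversized User-Agent or crossed the repeat threshold."""
    hits: Dict[str, List[int]] = defaultdict(list)   # ip -> User-Agent lengths
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue                                   # skip unparseable lines
        if m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        hits[m["ip"]].append(len(m["ua"]))

    findings: List[Dict[str, object]] = []
    for ip in sorted(hits):
        lengths = hits[ip]
        oversized = sum(1 for n in lengths if n > UA_LENGTH_THRESHOLD)
        if oversized or len(lengths) >= REPEAT_THRESHOLD:
            findings.append({
                "ip": ip,
                "requests": len(lengths),
                "oversized_ua": oversized,
                "max_ua_length": max(lengths),
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f)
```

The normal sign-in from 203.0.113.7 is not reported, while both scanner sources are; in practice the repeat threshold should be tied to a time window, and any flagged source is a prompt to check whether sessions issued around that time were reused from elsewhere.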