A critical vulnerability in Citrix NetScaler devices, dubbed “CitrixBleed 2,” has become a prime target for cybercriminals following the public disclosure of exploitation techniques.
The flaw, identified as CVE-2025-5777, was initially reported to Citrix customers on June 17, 2025, and has since sparked widespread scanning and exploitation attempts across the internet.
The CitrixBleed 2 vulnerability represents a significant security risk for organizations using affected Citrix NetScaler ADC and Gateway devices.
The flaw is an out-of-bounds memory read in the authentication handler, native C/C++ code: when the `login` form field is submitted without a value, the variable that should hold it is never initialized, and the handler copies whatever the stack already contained into its response.
Because the handler behind the URL path /p/u/doAuthentication.do is reachable before any credentials are checked, an unauthenticated attacker can read this memory remotely.
The vulnerability affects NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56 and 13.1 before 13.1-58.32, as well as the FIPS and NDcPP builds: NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235 and 12.1-FIPS before 12.1-55.328. The end-of-life 12.1 and 13.0 branches are also vulnerable and receive no fix, so they must be upgraded to a supported release.
An appliance is exposed only when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Those are exactly the roles that sit at the edge of corporate networks and hold user sessions, which is what makes them attractive to attackers seeking a way in.
Observed exploitation is a POST to /p/u/doAuthentication.do, typically carrying an oversized User-Agent header with recognizable filler patterns and a form body in which the login parameter is sent as a bare key with no value.
When it succeeds, the device echoes leaked stack memory inside XML tags of its response, potentially exposing session tokens, passwords, usernames, and configuration data.
This “bleeding” effect can be repeated continuously, allowing attackers to extract substantial amounts of sensitive information from the same target.
Security researchers have observed a dramatic escalation in exploitation attempts since the vulnerability’s disclosure.
On July 8, 2025, monitoring systems detected over 200,000 POST requests targeting the vulnerable authentication endpoint across multiple hostnames and IP addresses.
This large-scale scanning campaign indicates organized efforts by threat actors to identify vulnerable NetScaler instances across the internet.
The vulnerability’s name, “CitrixBleed 2,” references both its memory-leaking behavior and its connection to the original CitrixBleed vulnerability (CVE-2023-4966) discovered in 2023.
While the previous flaw involved malformed Host headers, the current iteration exploits uninitialized variables in the authentication logic.
Organizations running affected NetScaler appliances should upgrade to a fixed build immediately and, after the upgrade, terminate all active ICA and PCoIP sessions (on the NetScaler CLI: kill icaconnection -all and kill pcoipConnection -all), because a session token leaked before the patch stays valid until its session is ended. They should also monitor for suspicious requests to the authentication endpoint.
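As an added example (not code from this page, from Citrix or from Akamai), the following Python script turns the exploitation description and the monitoring recommendation above into two checks over constructed data: it flags POSTs to /p/u/doAuthentication.do whose User-Agent is oversized or whose form body carries a bare `login` key with no value, and it recognises a response whose `<InitialValue>` element contains non-printable or abnormally long content, which is how leaked stack memory shows up. The request-record layout (a reverse proxy or WAF that logs the body), the `<InitialValue>` element name, and the length thresholds are assumptions made for the example; the sample requests and responses are constructed, not captured traffic.

```python
"""Added example (not Citrix's or Akamai's code): flag CitrixBleed 2
(CVE-2025-5777) probes in request records and recognise a leaking response.

Assumptions, not taken from the page:
- Request records come from a reverse proxy or WAF that logs method, path,
  User-Agent and the form body (NetScaler's own logs do not carry bodies).
- Leaked memory is echoed inside the <InitialValue> element of the
  authentication XML; the thresholds below are illustrative.
"""
import re

TARGET_PATH = "/p/u/doAuthentication.do"
LOGIN_FIELD = "login"              # form field whose missing value triggers the read
MAX_SANE_UA_LEN = 512              # assumed; baseline against your own clients
MAX_SANE_INITIALVALUE_LEN = 256    # assumed; genuine pre-fill values are short

INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)


def body_has_valueless_login(body: str) -> bool:
    """True when the form body carries a bare `login` key with no '=' at all.

    `login=alice` and even `login=` assign the variable; only the bare key
    leaves it uninitialised, so that is the shape worth alerting on.
    """
    return any(pair == LOGIN_FIELD for pair in body.split("&"))


def request_indicators(rec: dict) -> list:
    """Return the suspicious traits of one request record ([] means nothing seen)."""
    hits = []
    if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
        return hits
    ua = rec.get("user_agent", "")
    if len(ua) > MAX_SANE_UA_LEN:
        hits.append("oversized User-Agent (%d bytes)" % len(ua))
    if body_has_valueless_login(rec.get("body", "")):
        hits.append("bare 'login' parameter without a value")
    return hits


def response_leaks_memory(body: bytes) -> bool:
    """A healthy pre-fill value is short printable text; leaked stack shows up
    as control or high bytes, or as an abnormally long value."""
    m = INITIAL_VALUE_RE.search(body)
    if not m:
        return False
    val = m.group(1)
    if len(val) > MAX_SANE_INITIALVALUE_LEN:
        return True
    return any((b < 0x20 and b not in b"\t\r\n") or b >= 0x7F for b in val)


# Constructed sample data for the example; none of it is real traffic.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "method": "POST", "path": TARGET_PATH,
     "user_agent": "Mozilla/5.0 " + "A" * 2000, "body": "login"},
    {"src": "198.51.100.7", "method": "POST", "path": TARGET_PATH,
     "user_agent": "Citrix Receiver", "body": "login=alice&passwd=hunter2"},
    {"src": "192.0.2.5", "method": "GET", "path": "/logon/LogonPoint/index.html",
     "user_agent": "Mozilla/5.0", "body": ""},
]
SAMPLE_CLEAN_RESPONSE = (b"<AuthenticateResponse><Requirements><Requirement>"
                         b"<Credential><Type>username</Type></Credential>"
                         b"<Input><Text><InitialValue></InitialValue></Text></Input>"
                         b"</Requirement></Requirements></AuthenticateResponse>")
SAMPLE_LEAK_RESPONSE = (b"<AuthenticateResponse><Requirements><Requirement>"
                        b"<Credential><Type>username</Type></Credential>"
                        b"<Input><Text><InitialValue>\x00\x8f\x10user=alice\x00\xff"
                        b"</InitialValue></Text></Input>"
                        b"</Requirement></Requirements></AuthenticateResponse>")


def scan(records, responses):
    """Summarise what both detectors found as a plain dict."""
    return {
        "probing_sources": sorted({r["src"] for r in records if request_indicators(r)}),
        "leaking_responses": sum(1 for body in responses if response_leaks_memory(body)),
    }


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        for hit in request_indicators(r):
            print("ALERT %s: %s" % (r["src"], hit))
    print(scan(SAMPLE_REQUESTS, [SAMPLE_CLEAN_RESPONSE, SAMPLE_LEAK_RESPONSE]))
```

The request-side check deliberately ignores `login=` with an empty value, since an assigned-but-empty field does not leave the variable uninitialised; the response-side check is the more reliable signal, because a patched appliance never returns non-printable bytes in that element regardless of what the client sent.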
Akamai’s App & API Protector customers are protected through Rapid Rule 3000967, which was deployed on July 7, 2025, with a default “Alert” action, subsequently upgraded to “Deny” on July 8.
The vulnerability’s ease of exploitation, combined with the critical nature of the affected devices, makes immediate remediation essential.
Organizations should also audit for unauthorized access that predates the patch: a leaked session token can be replayed to hijack a valid user session without a password or a second factor, and attackers who did so may already have used that foothold for lateral movement inside the network.