The vulnerability, designated CVE-2025-5777 and dubbed “CitrixBleed 2,” represents a significant security concern for organizations relying on Citrix infrastructure.
Cybersecurity researchers at GreyNoise have discovered that malicious actors began exploiting a critical vulnerability in Citrix NetScaler systems nearly two weeks before a public proof-of-concept became available, highlighting the growing sophistication of threat actors in identifying and weaponizing zero-day vulnerabilities.
GreyNoise security researchers first observed active exploitation attempts against CVE-2025-5777 on June 23, 2025, marking the beginning of what would become a sustained campaign targeting the memory overread vulnerability in Citrix NetScaler appliances.
This timeline reveals a concerning 11-day gap between the initial exploitation attempts and the public release of a proof-of-concept on July 4, 2025.
The discovery was made possible by GreyNoise's internet-wide sensor network: when a new threat tag is created, it is applied retroactively to traffic the sensors have already captured, so exploitation attempts that predate the tag can be identified after the fact.
The company created a dedicated tag for CVE-2025-5777 on July 7, 2025, letting security teams follow ongoing exploitation attempts in the GreyNoise Visualizer platform.
This retroactive capability proved crucial in establishing the true timeline of the attack campaign and understanding the scope of pre-disclosure exploitation.
The early exploitation timeline suggests that threat actors either discovered the vulnerability independently or gained access to information about it through undisclosed channels.
This pattern of pre-disclosure exploitation has become increasingly common as cybercriminals develop more sophisticated vulnerability research capabilities and establish networks for sharing zero-day information.
CitrixBleed 2 Vulnerability
Analysis of the exploitation attempts revealed deliberate and sophisticated targeting behavior, with malicious IP addresses primarily originating from China.
Rather than conducting broad, indiscriminate scanning typical of opportunistic attacks, these threat actors demonstrated precise targeting capabilities by specifically focusing on GreyNoise sensors configured to emulate Citrix NetScaler appliances.
This targeted approach indicates that the attackers possessed detailed knowledge of Citrix NetScaler infrastructure and were likely conducting reconnaissance to identify vulnerable systems before launching their exploitation attempts.
The geographic concentration of attacking IP addresses in China, combined with the sophisticated targeting methodology, suggests potential coordination among threat actors or the involvement of organized cybercriminal groups.
The precision of these attacks raises additional concerns about the potential for widespread compromise of Citrix NetScaler systems, particularly given the critical role these appliances play in enterprise network infrastructure.
Organizations using Citrix NetScaler technology may have been exposed to this vulnerability for an extended period before becoming aware of the threat.
Security Recommendations
The severity and active exploitation of CVE-2025-5777 prompted rapid response from the Cybersecurity and Infrastructure Security Agency (CISA).
On July 9, 2025, just two days after GreyNoise published their tracking tag, CISA contacted the security firm to confirm the exploitation activity they had observed.
This swift communication led to the vulnerability’s inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog, emphasizing the critical nature of the threat.
Security experts recommend that organizations implement immediate defensive measures, including dynamically blocking the IP addresses observed attempting exploitation.
GreyNoise maintains an updated list of malicious IPs targeting CVE-2025-5777, giving defenders actionable intelligence to reduce their exposure and cut alert noise.
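One way to act on such a list, as an added example that is not GreyNoise's, Citrix's or this article's own code: the script below reads a blocklist of plain IPs and CIDR ranges, flags access-log lines whose source address is listed, and emits iptables/ip6tables DROP rules for an assumed upstream filtering host. The blocklist format, the combined-log format and the indicators themselves are all assumptions constructed for the example (the addresses come from the RFC 5737 and RFC 3849 documentation ranges and are not real attacker IPs); swap in the real feed and the enforcement syntax of your own edge device.

```python
"""Match access-log sources against an IP blocklist and emit block rules.

Added example, not vendor or GreyNoise code. Assumes:
  * a blocklist fetched out of band, one IP or CIDR per line, '#' comments;
  * combined-format access logs where the source IP is the first field;
  * iptables/ip6tables as the enforcement point (an assumption; use your
    own firewall or appliance ACL syntax instead).
All inputs below are constructed for the example.
"""
import ipaddress
import re

# Constructed blocklist (documentation ranges only, not real indicators).
BLOCKLIST_TEXT = """
# constructed indicators for the example, not real GreyNoise data
198.51.100.23
203.0.113.0/24
2001:db8::/32
this is not an address   # junk line, must be skipped
"""

# Constructed access-log lines; paths and user agents are placeholders.
SAMPLE_LOG = """\
198.51.100.23 - - [23/Jun/2025:08:14:02 +0000] "POST /vpn/index.html HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.10 - - [23/Jun/2025:08:14:05 +0000] "GET /vpn/index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.77 - - [23/Jun/2025:08:15:11 +0000] "POST /vpn/index.html HTTP/1.1" 200 512 "-" "python-requests/2.31"
2001:db8:1::5 - - [23/Jun/2025:08:16:40 +0000] "GET /vpn/index.html HTTP/1.1" 403 0 "-" "-"
not a log line
"""

_FIRST_FIELD = re.compile(r"^(\S+)\s")


def parse_blocklist(text):
    """Return IPv4/IPv6 networks from the list; blanks, comments and junk are skipped.

    Single addresses become /32 or /128 networks so one match path serves both.
    """
    networks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore rather than abort the whole feed
    return networks


def source_ip(line):
    """Extract the leading source address of a log line, or None if absent/invalid."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None


def find_hits(log_text, networks):
    """Return (source_ip, matched_network) pairs for lines from listed sources."""
    hits = []
    for line in log_text.splitlines():
        ip = source_ip(line)
        if ip is None:
            continue
        for net in networks:
            # version check keeps v4 addresses from being tested against v6 ranges
            if ip.version == net.version and ip in net:
                hits.append((str(ip), str(net)))
                break
    return hits


def block_rules(networks):
    """One DROP rule per listed network, in iptables/ip6tables syntax (assumed enforcement point)."""
    rules = []
    for net in networks:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {net.with_prefixlen} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for ip, net in find_hits(SAMPLE_LOG, nets):
        print(f"hit: {ip} matched {net}")
    print("\n".join(block_rules(nets)))
```

Re-run the script whenever the feed updates, since lists like this churn daily; dropping the listed sources narrows exposure and quiets alerts but does not remove the memory overread itself, so it is a stopgap alongside applying the vendor fix and reviewing appliances for activity that predates the block.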
The incident underscores the importance of proactive threat hunting and the value of early warning systems in identifying emerging cyber threats before they become widespread security incidents.