The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild.
The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It’s also called Citrix Bleed 2 owing to its similarities with Citrix Bleed (CVE-2023-4966).
“Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation,” the agency said. “This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.”
Although multiple security vendors have since reported that the flaw has been exploited in real-world attacks, Citrix has yet to update its own advisories to reflect this aspect. As of June 26, 2025, Anil Shetty, senior vice president of engineering at NetScaler, said, “there is no evidence to suggest exploitation of CVE-2025-5777.”
However, security researcher Kevin Beaumont, in a report published this week, said the Citrix Bleed 2 exploitation started as far back as mid-June, adding one of the IP addresses carrying out the attacks has been previously linked to RansomHub ransomware activity.
Data from GreyNoise shows that exploitation efforts are originating from 10 unique malicious IP addresses located in Bulgaria, the United States, China, Egypt, and Finland over the past 30 days. The primary targets of these efforts are the United States, France, Germany, India, and Italy.
The addition of CVE-2025-5777 to the KEV catalog comes as another flaw in the same product (CVE-2025-6543, CVSS score: 9.2) has also come under active exploitation in the wild. CISA added the flaw to the KEV catalog on June 30, 2025.
“The term ‘Citrix Bleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively ‘bleeding’ sensitive information,” Akamai said, warning of a “drastic increase of vulnerability scanner traffic” after exploit details became public.
“This flaw can have dire consequences, considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers. Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks.”
Because these appliances often serve as centralized entry points into enterprise networks, attackers can pivot from stolen sessions to access single sign-on portals, cloud dashboards, or privileged admin interfaces. This type of lateral movement—where a foothold quickly becomes full network access—is especially dangerous in hybrid IT environments with weak internal segmentation.
To mitigate this flaw, organizations should immediately upgrade to the patched builds listed in Citrix’s June 17 advisory, including version 14.1-43.56 and later. After patching, all active sessions—especially those authenticated via AAA or Gateway—should be forcibly terminated to invalidate any stolen tokens.
Admins are also encouraged to inspect logs (e.g., ns.log) for suspicious requests to authentication endpoints such as /p/u/doAuthentication.do, and review responses for unexpected XML data like <InitialValue> fields. Since the vulnerability is a memory overread, it does not leave traditional malware traces—making token hijack and session replay the most urgent concerns.
The development also follows reports of active exploitation of a critical security vulnerability in OSGeo GeoServer GeoTools (CVE-2024-36401, CVSS score: 9.8) to deploy NetCat and the XMRig cryptocurrency miner in attacks targeting South Korea by means of PowerShell and shell scripts. CISA added the flaw to the KEV catalog in July 2024.
“Threat actors are targeting environments with vulnerable GeoServer installations, including those of Windows and Linux, and have installed NetCat and XMRig coin miner,” AhnLab said.
“When a coin miner is installed, it uses the system’s resources to mine the threat actor’s Monero coins. The threat actor can then use the installed NetCat to perform various malicious behaviors, such as installing other malware or stealing information from the system.”
