Latest Citrix vulnerability could be every bit as bad as Citrix Bleed | Computer Weekly

By Computer Weekly
June 25, 2025


Cyber security experts are urging operators of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances to get in front of a new vulnerability – quietly patched last week – that it is now believed could lead to a repeat of the infamous Citrix Bleed incident.

Tracked as CVE-2025-5777, the flaw arises from insufficient input validation, resulting in memory overread in various NetScaler configurations. Ultimately, its effect is to enable a threat actor to steal a valid session token from memory by inputting malicious requests, which means that they can get around authentication measures.

It affects multiple customer-managed versions of both ADC and Gateway, including two that have now entered end-of-life.

At the same time, Citrix patched CVE-2025-5349, which arises from improper access controls on the NetScaler management interface.

“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” Citrix said in a 17 June security bulletin addressing the issues.

Citrix additionally recommends terminating active ICA and PCoIP sessions after all NetScaler appliances are upgraded. Its bulletin provides specific commands to do this.

If it bleeds, it leads

The similarities between CVE-2025-5777 and Citrix Bleed (CVE-2023-4966) are quite striking. Citrix Bleed was an information disclosure flaw that also enabled attackers to take control of authenticated sessions and bypass authentication methods, including multifactor authentication (MFA), which rendered it particularly dangerous.

Citrix Bleed was first addressed in October 2023, although it had been exploited in the wild well before that, and multiple ransomware gangs piled on in its wake, notably LockBit, which was still active at the time and used it against Boeing. It swiftly became one of the most exploited vulnerabilities in the world, and was still being taken advantage of to great effect a year later.

At the time of writing, no evidence has emerged to suggest that anybody is taking advantage of CVE-2025-5777 in similar fashion, but writing on his blog, cyber analyst Kevin Beaumont described it as Citrix Bleed 2: Electric Boogaloo, and warned that since there is not yet any detection guidance, organisations that don’t wish to become case studies should patch immediately.

Benjamin Harris, CEO and founder of attack surface management specialist watchTowr, said it was likely that CVE-2025-5777 was shaping up to be every bit as serious as Citrix Bleed.

In emailed comments, he noted that the details surrounding the new flaw had “quietly shifted” since its first disclosure, with a number of “fairly important” prerequisites or limitations being removed from the National Vulnerability Database (NVD) CVE description in the past few days.

“Specifically, the comment that this vulnerability was in the lesser-exposed management interface has now been removed – leading us to believe that this vulnerability is significantly more painful than perhaps first signalled,” said Harris.

“This vulnerability checks all the boxes for inevitable attacker interest. In the wild exploitation will happen at some point, and organisations should be dealing with this as an IT incident. Patch now – this vulnerability is likely to be in your KEV feeds soon.”
