Kevin BeaumontCitrix Netscaler customers - keep calm and patch CVE-2025-5777 from Tuesday.
It allows unauth memory reads, has similarities to CitrixBleed (CVE-2023-4966) as may allow session token theft.
An update on CVE-2025-5777, explaining why orgs should identify systems and patch.
https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206
Worth noting that every write up says this vuln applies to the management interface - but that isn’t true, it’s because the initial CVE entry was wrong, and nobody does CVE entry updates in write ups.
A bit more on this. https://www.theregister.com/2025/06/24/critical_citrix_bug_citrixbleed/
Citrix on this one:
"At this time, there have been no reports or indications that the vulnerabilities described in CTX693420 (CVE-2025-5349 and CVE-2025-5777) are being actively exploited in the wild. However, due to the critical severity of these issues (CVSS scores of 8.7 and 9.3), We strongly recommends that affected customers apply the updated patches immediately to mitigate any potential risks."
NHS Digital's cyber alert database has been updated too. https://digital.nhs.uk/cyber-alerts/2025/cc-4670
I highly recommend bookmarking this site for the alerts, they're really good at filtering noise:
https://digital.nhs.uk/cyber-alerts
E.g. if you select 'high' category, there's only one a month on average
ReliaQuest are reporting with medium confidence that CitrixBleed2, Electric Boogaloo, is being exploited in the wild HT @CyberLeech https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
My view on that is I don’t have the data to back it up (because Citrix haven’t provided any way to identify exploitation, including to customers), but if true and the threat actor is running those tools with that provider, it’s probably a ransomware group again.
Citrix blog on CVE-2025-5777 and some other ones https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread.
If you see this GitHub PoC for CVE-2025-5777 doing the rounds:
https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
It’s not for CVE-2025-5777. It’s AI generated. The links in the README still have ChatGPT UTM sources.
The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write up of the other vuln.
I’ve heard that Citrix are complaining me billing this CitrixBleed 2 is causing them reputational damage, and isn’t related in any way to CitrixBleed.
For the record - it was a dumb joke name to attraction attention for patching. I know it isn’t exactly the same cause.
But, ya know, it is a memory disclosure vuln which reveals sensitive info, and it does require ICA sessions be reset.. which only happened before with CitrixBleed.
I expect technical details of CVE-2025-5777 exploitation to become available next week.
Further suggestions CVE-2025-5777 details will release next week. https://xcancel.com/Horizon3Attack/status/1940879804221522279 via https://horizon3.ai
I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.
The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.
Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.
If anybody is wondering btw it's 4047 definitely vulnerable (so far) from 17021 scanned instances - so 24% unpatched after about 3 weeks.
But scan is still running obvs so the vuln number will keep growing.
If anybody likes stats
- Of the 42 identified NHS Netscalers so far, 37 are patched🥳 The NHS are really good at this nowadays.
- Of the 65 identified .gov.uk Netscalers so far, only 48 are patched 😅 All of the unpatched are councils, which are obviously severely budget constrained in many cases - I'm also not sure they actually know they're supposed to be patching.
First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
If you call the login page, it leaks memory in the response 🤣
I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.
Updated scan results for CVE-2025-5777: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
It's still partial due to bugs, but about 18k servers.
CVE-2025-5777 is under active exploitation, since before the WatchTowr blog.
CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.
TTPs to hunt for:
- In Netscaler logs, repeated POST requests to *doAuthentication* - each one yields 126 bytes of RAM
- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"
- In Netscaler user logs, lines with *LOGOFF* and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.
Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.
Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.
"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you’ll see that it’s possible to receive legitimate user session tokens via this vector. "
Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.
64.176.50.109
139.162.47.194
38.154.237.100
38.180.148.215
102.129.235.108
121.237.80.241
45.135.232.2
HT @ntkramer and the folks at @greynoise
Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30
More from @greynoise telemetry - they now push CVE-2025-5777 (CitrixBleed 2) exploitation to June 23rd. I can push it back further, blog incoming.
I wrote up a thing on how to hunt for CitrixBleed 2 exploitation
https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
There’s 7 more IPs on GreyNoise exploiting CitrixBleed 2 today, all marked as malicious. https://viz.greynoise.io/query/tags:%22CitrixBleed%202%20CVE-2025-5777%20Attempt%22%20last_seen:90d
“Citrix declined to say if it's aware of active exploitation”
I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.
They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.
The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.
Tell anybody you know at Citrix.
CatButtes 
@GossiTheDog does anybody hear that statement and think anything other than “Citrix is aware that there is widespread, active exploitation. They just don’t want to admit it because it makes them look bad”?
jaKa Močnik@GossiTheDog well, they already stated it in the sentence above. :D
TheTomas@GossiTheDog First Victims in Switzerland and Germany
Jérôme Meyer@GossiTheDog I had a look at network traffic from today and some of them are proxy exit nodes; some do broad IoT scanning.
Two of them really stick out as they seem to exclusively target Citrix endpoints: 78.128.113.30 and 38.54.59.96
Ketumbra@GossiTheDog "I wrote this vuln back on June 24th..."
Pretty sure that's not what you meant ;)
Pretty sure that's not what you meant ;)
JJ@GossiTheDog Thanks so much for this info and for all the info provided prior to this. I was able to confirm with our Citrix team two weeks ago that we were patched already, and I'm just getting emails this week from higher ups to look into this, so I'm very much ahead of the game.
Aside from social media, is there anywhere you suggest keeping an eye on daily for vulnerability info?
Martin S 🚩❤️✊ 🇵🇸🇺🇦
Lowlands@GossiTheDog seeing the first hits from one of the mentioned IPs on 6/20.
Darses@GossiTheDog @ntkramer @greynoise
My own honeypot only sees activity from Private VPN. No fingerprinting first. Most POST /p/u/doAuthentication.do, some POST /nf/auth/doAuthentication.do. User-Agent: "Vuln3rableVuln3rable..."
2025-07-07
190.60.16.26
103.27.203.82
45.9.249.58
185.94.192.162
128.1.160.146
200.110.153.22
2025-07-06
193.37.253.202
200.110.153.22
217.138.222.66
82.221.113.209
80.239.140.197
Emory@GossiTheDog was CitrixBleed the one that Citrix issued a patch for that didn't actually fix the vulnerability in like Nov 2023?
meriksson@GossiTheDog Great artwork as always.
husjon.dev@GossiTheDog I'm glad to see my image contribution is still going strong with new iterations 😅
(original: https://fosstodon.org/@husjon/111308387657992171)
(original: https://fosstodon.org/@husjon/111308387657992171)
gmmds@GossiTheDog Just in case it’s useful, I’m seeing a lot of “Authentication is rejected for (client ip : <ip>” messages when after “for” I’d normally see a user name. Don’t know whether it’s related to cve-2025-5777 but if I search further in the logs for the source ip then I see that the browser value submitted is just a repeated string (like in the WatchTowr post) Strangely no hits from this guy on /p/u/doAuthentication.do (others in the logs have hit that)
kcarruthers@GossiTheDog is it time to don’t panic yet?
SanCla 🤘@GossiTheDog Thank god everyone patched this before the weekend 🫨😭
Christoffer S.@GossiTheDog From watchtowr: "As we have discussed previously, we have a moral compass next to one of our favourite magnets, and we use it to guide our decision-making process."
Cyberstern@GossiTheDog wow that’s wild! how can that even happen? Wait… i do NOT want to know… alone thinking about the code that could do such a thing hurts
Space Invader@dunkelstern thankfully, being closed source, no LLMs can be trained on the sort of code that reads a random chunk of RAM and returns it in the response.
But sadly, being closed source, there’s no way to gawk at the eldritch horror this must be.
Latte macchiato 
@GossiTheDog why is all the citrix software such a complete nightmare
fuzzyfuzzyfungus@privateger @GossiTheDog It's honestly darkly impressive. ICA vs. RDP was a pretty compelling beatdown at one time; but that was a no, of course I'm not that old, time ago; and basically everything they've touched since is a matter of indifference or distaste.
Normally I'd jump straight to blaming the private equity knackers; but in this case I can see why they were headed to the bone mill.
Robert Gützkow@GossiTheDog that's an impressively bad implementation error to have on the login page.
@GossiTheDog Will the cybercommunity keep CVE alive in some form?
Alex@GossiTheDog would this take 3 out of 6 months to find perl developers or am I thinking of a different vulnerability?
@GossiTheDog I wish they'd just put autoupdates on these things for orgs who can't manage it manually. 5 Min downtime at midnight local timezone wouldn't hurt much - 1 month downtime because of ransomware compromise really will...
Edge 🇨🇦🇲🇽🇺🇦🏳️🌈I absolutely love how little of this I understand, but that it makes me go back through the whole thread, and now I've learned a whole new thing to be concerned about.
JP@GossiTheDog thanks for validating my patching teams good work.
Jason Tubnor 🇦🇺@Jplonie @GossiTheDog Excellent news!
Oriel Jutty 
@GossiTheDog The hostnames field can be properly CSV'd by something like perl -pe 's/,/,"/; s/(,[^,]*,[^,]*$)/"$1/'
(Assuming a unix-ish shell. With cmd.exe you probably have to turn the inner " into ^" and the outer ' into ".)
@GossiTheDog No wibecoding?
susika512 
@GossiTheDog excellent work 🤠
Jason Haar 
@GossiTheDog use tab delimited. Almost no data contains tabs, much better than csv
Ryosuke Eto@GossiTheDog Thank you for the list of scan results. Was the first day you ran the scan July 6, or have you been doing it for longer?
ineedsleeps@GossiTheDog but they're good with the "Electric Boogaloo" subtitle?
just_one_bear@GossiTheDog As with so much in this world: "The little stupid differences are outweighed by the big stupid similarities."
he1ix@GossiTheDog im surprised to read they care about their reputation.
That's really difficult to imagine, given their track record of security problems.
Various_Canaries@GossiTheDog What about "Electric Bugaloo?" Lmao I bet they love that
Amar Kulo@GossiTheDog I would say that increasing licensing prices 240% in a Broadcom style does them more reputational damage than this
Martin Boller 
@GossiTheDog They should quit whining and do something about their crappy code + thank you for trying to get people to do something about it! Heck they should be sending you $$$
Manuel Tejera@GossiTheDog Vibe coder strikes again.