Citrix Netscaler customers - keep calm and patch CVE-2025-5777 from Tuesday.

It allows unauth memory reads, has similarities to CitrixBleed (CVE-2023-4966) as it may allow session token theft.

An update on CVE-2025-5777, explaining why orgs should identify systems and patch.

https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206

CitrixBleed 2: Electric Boogaloo — CVE-2025-5777 - DoublePulsar

Remember CitrixBleed, the vulnerability where a simple HTTP request would dump memory, revealing session tokens? CVE-2023-4966 You may have missed it, as the original CVE on 17th June 2025 referred…

DoublePulsar
Worth noting that every write up says this vuln applies to the management interface - but that isn’t true, it’s because the initial CVE entry was wrong, and nobody does CVE entry updates in write ups.
Don't panic, but it's only a matter of time before critical 'CitrixBleed 2' is under attack

Why are you even reading this story? Patch now!

The Register

Citrix on this one:

"At this time, there have been no reports or indications that the vulnerabilities described in CTX693420 (CVE-2025-5349 and CVE-2025-5777) are being actively exploited in the wild. However, due to the critical severity of these issues (CVSS scores of 8.7 and 9.3), we strongly recommend that affected customers apply the updated patches immediately to mitigate any potential risks."

NHS Digital's cyber alert database has been updated too. https://digital.nhs.uk/cyber-alerts/2025/cc-4670

I highly recommend bookmarking this site for the alerts, they're really good at filtering noise:

https://digital.nhs.uk/cyber-alerts

E.g. if you select 'high' category, there's only one a month on average

ReliaQuest are reporting with medium confidence that CitrixBleed2, Electric Boogaloo, is being exploited in the wild HT @CyberLeech https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
My view on that is I don’t have the data to back it up (because Citrix haven’t provided any way to identify exploitation, including to customers), but if true and the threat actor is running those tools with that provider, it’s probably a ransomware group again.
NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777

Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE-2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE-2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE-2025-5777 arises from insufficient input validation that leads to memory overread.

NetScaler Blog

If you see this GitHub PoC for CVE-2025-5777 doing the rounds:

https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-

It’s not for CVE-2025-5777. It’s AI generated. The links in the README still have ChatGPT UTM sources.

The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write up of the other vuln.

GitHub - mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-: Detailed explanation of CitrixBleed 2 — CVE-2025-5777 (out-of-bounds leak) PoC and detection suite

Detailed explanation of CitrixBleed 2 — CVE-2025-5777 (out-of-bounds leak) PoC and detection suite. Contribute to mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC- development by creating an account on GitHub.

GitHub
Evidence if anybody cares

I’ve heard that Citrix are complaining that me billing this as CitrixBleed 2 is causing them reputational damage, and that it isn’t related in any way to CitrixBleed.

For the record - it was a dumb joke name to attract attention for patching. I know it isn’t exactly the same cause.

But, ya know, it is a memory disclosure vuln which reveals sensitive info, and it does require ICA sessions be reset, which only happened before with CitrixBleed.

I expect technical details of CVE-2025-5777 exploitation to become available next week.
Further suggestions CVE-2025-5777 details will release next week. https://xcancel.com/Horizon3Attack/status/1940879804221522279 via https://horizon3.ai

I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.

The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.

Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.

https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

If anybody is wondering btw it's 4047 definitely vulnerable (so far) from 17021 scanned instances - so 24% unpatched after about 3 weeks.

But scan is still running obvs so the vuln number will keep growing.

If anybody likes stats

- Of the 42 identified NHS Netscalers so far, 37 are patched🥳 The NHS are really good at this nowadays.

- Of the 65 identified .gov.uk Netscalers so far, only 48 are patched 😅 All of the unpatched are councils, which are obviously severely budget constrained in many cases - I'm also not sure they actually know they're supposed to be patching.

First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

If you call the login page, it leaks memory in the response 🤣

I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.

Updated scan results for CVE-2025-5777: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's still partial due to bugs, but about 18k servers.

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub
CVE-2025-5777 is under active exploitation, since before the WatchTowr blog.

CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.

TTPs to hunt for:

- In Netscaler logs, repeated POST requests to *doAuthentication* - each one yields 126 bytes of RAM

- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"

- In Netscaler user logs, lines with *LOGOFF* and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.

Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/

Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that there was no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.

CVE-2025-5777: CitrixBleed 2 Exploit Deep Dive by Horizon3.ai

Explore the CVE-2025-5777 vulnerability in Citrix, dubbed CitrixBleed 2. Learn how it works, attack details, and defensive steps from Horizon3.ai experts.

Horizon3.ai

Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.

"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you’ll see that it’s possible to receive legitimate user session tokens via this vector. "

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.

64.176.50.109
139.162.47.194
38.154.237.100
38.180.148.215
102.129.235.108
121.237.80.241
45.135.232.2

HT @ntkramer and the folks at @greynoise

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

GreyNoise Visualizer | GreyNoise Visualizer
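The request-level TTPs from the hunting post above (repeated POSTs to doAuthentication.do with "Content-Length: 5", each yielding 126 bytes of RAM) and the IOC addresses in this post, turned into a small hunting script. This is an added example written for this page, not code from the thread, Citrix, GreyNoise or any vendor. The key=value log format is constructed for the example, the `/p/u/` path prefix in the sample lines and the `REPEAT_THRESHOLD` value are assumptions, and the match is on the `doAuthentication.do` file name exactly as the post describes it.

```python
"""
Hunt for the CitrixBleed 2 (CVE-2025-5777) request pattern named in the thread:
repeated POSTs to doAuthentication.do with "Content-Length: 5", each yielding
about 126 bytes of RAM, plus a match against the IOC addresses published above.

The log format below is CONSTRUCTED for this example (key=value fields); real
NetScaler access/syslog output differs, so adapt LINE_RE to what you actually
collect. REPEAT_THRESHOLD and the /p/u/ path prefix are assumptions.
"""
import re
from collections import Counter

# IOC addresses as published in this thread (HT @ntkramer / GreyNoise).
IOC_IPS = {
    "64.176.50.109", "139.162.47.194", "38.154.237.100", "38.180.148.215",
    "102.129.235.108", "121.237.80.241", "45.135.232.2", "38.54.59.96",
}
BYTES_PER_REQUEST = 126   # per the thread: each leaking POST returns 126 bytes of RAM
REPEAT_THRESHOLD = 5      # assumed: this many Content-Length: 5 POSTs from one IP is worth a look

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) '
    r'content_length=(?P<clen>\d+) status=(?P<status>\d+)$'
)

# Constructed sample: one legitimate login, a published IOC address hammering
# doAuthentication.do, an unlisted address doing the same (caught on behaviour
# alone), and an IOC address that only fingerprints the appliance.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z src=198.51.100.7 method=POST path=/cgi/login content_length=312 status=302
2025-06-20T10:00:02Z src=198.51.100.7 method=GET path=/vpn/index.html content_length=0 status=200
2025-06-20T10:01:00Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:01:01Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:01:02Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:01:03Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:01:04Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:01:05Z src=45.135.232.2 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:02:00Z src=203.0.113.44 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:02:01Z src=203.0.113.44 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:02:02Z src=203.0.113.44 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:02:03Z src=203.0.113.44 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:02:04Z src=203.0.113.44 method=POST path=/p/u/doAuthentication.do content_length=5 status=200
2025-06-20T10:03:00Z src=38.54.59.96 method=GET path=/vpn/index.html content_length=0 status=200
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["clen"] = int(rec["clen"])
    rec["status"] = int(rec["status"])
    return rec


def is_leak_request(rec):
    """The request shape the thread describes: POST to doAuthentication.do, Content-Length 5."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("doAuthentication.do")
            and rec["clen"] == 5)


def hunt(log_text, threshold=REPEAT_THRESHOLD):
    """Return {src_ip: finding} for addresses matching the IOC list or the request TTP."""
    leak_posts = Counter()
    seen_iocs = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] in IOC_IPS:
            seen_iocs.add(rec["src"])
        if is_leak_request(rec):
            leak_posts[rec["src"]] += 1

    findings = {}
    for src in set(leak_posts) | seen_iocs:
        n = leak_posts[src]
        reasons = []
        if src in seen_iocs:
            reasons.append("published IOC address")
        if n >= threshold:
            reasons.append(f"{n} POSTs to doAuthentication.do with Content-Length: 5")
        if reasons:
            findings[src] = {
                "leak_requests": n,
                "est_leaked_bytes": n * BYTES_PER_REQUEST,  # 126 bytes per request, per the thread
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for src, f in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{src}: {f['leak_requests']} leak requests (~{f['est_leaked_bytes']} bytes); "
              + "; ".join(f["reasons"]))
```

The behavioural rule matters more than the IOC list: 203.0.113.44 is not on any published list but is flagged purely on the request shape, which is the only way to catch the mass spraying described later in the thread, whereas the IOC match alone catches a fingerprinting-only visit from 38.54.59.96 that leaked nothing.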

More from @greynoise telemetry - they now push CVE-2025-5777 (CitrixBleed 2) exploitation to June 23rd. I can push it back further, blog incoming.

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

CitrixBleed 2 exploitation started mid-June — how to spot it

CitrixBleed 2 — CVE-2025-5777 — has been under active exploitation to hijack Netscaler sessions, bypassing MFA, globally for a month. I wrote this about the vulnerability back on June 24th…

DoublePulsar
There’s 7 more IPs on GreyNoise exploiting CitrixBleed 2 today, all marked as malicious. https://viz.greynoise.io/query/tags:%22CitrixBleed%202%20CVE-2025-5777%20Attempt%22%20last_seen:90d
Critical CitrixBleed 2 vulnerability has been under active exploit for weeks

Exploits allow hackers to bypass 2FA and commandeer vulnerable devices.

Ars Technica

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

CISA have modified the CVE-2025-5777 entry to link to my blog 🙌 I’m hoping this gets more visibility as a bunch of us can see from Netflow ongoing threat actor Netscaler sessions to.. sensitive orgs.

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

Now everybody but Citrix agrees that CitrixBleed 2 is under exploit

Add CISA to the list

The Register

This is how Citrix are styling Citrix Bleed 2 btw. In the blog there’s no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.

From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

#threatintel


CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’

The one-day deadline issued by CISA on Thursday appears to be the shortest one ever issued. Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerability catalog.

Set up lab of Netscalers just now & owned them.

Two learnings:

1) the default logging isn’t enough to know if you’ve been exploited. So if you’re wondering where the victims are, they don’t know they’re victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.

2) the Citrix instructions post patch to clear sessions don’t include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's down from 24% unpatched to 17% unpatched

The results are partial still, the actual numbers still vuln will be higher.

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

Imperva WAF have added detection and blocking for CitrixBleed 2 this weekend.

They see it being widely sprayed across the internet today - almost 12 million requests, log4shell level.

The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability.

Updated Citrix scan results will go on Github in a few days, I've found a bug in the scan results setup which should add ~33% more hosts when fixed.

Spoiler:

CitrixBleed 2 update.

- Citrix have finally, quietly admitted exploitation in the wild -- by not commenting to press and then editing an old blog post and not mentioning it on their security update page.

- Orgs have been under attack from threat actors in Russia and China since June

- It's now under spray and pray, wide exploitation attempts.

https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

CitrixBleed 2 situation update — everybody already got owned

The ‘good news’, I suspect, is that most orgs will be too lacking in logs to have evidence. So they get to hope nothing too bad happened, I guess. The reason for this is the exploitation activity…

DoublePulsar

Citrix Netscaler internet scan still running, it's found another 1k vulnerable instances so far - will probably update Github later today or tomorrow morning.

It looks like we're back up to 18% of boxes being still vulnerable when the new list is out. It looks like a lot of orgs are patching from my list.

New CitrixBleed 2 scan data:

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

+7000 extra hosts added this round, host list is so large you need to use the raw view to see it.

Next set of data publication likely Friday, a month since the patch became available.

3832 orgs/hosts still unpatched.

GreyNoise blog just out about #CitrixBleed2, they see exploitation from IPs in China from June 23rd targeting specifically Netscaler appliances https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

I’m fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.

Citrix continue to be MIA. They still have no detection guidance for customers, and haven’t told customers the extent of the issue.

#CitrixBleed2

With the #CitrixBleed2 patch data I publish it's possible to view the history on Github for each new scan and see when hosts change from vuln to patched.

It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitrixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.

It's definitely interesting and may need a scale out.

Citrix have a blog out about hunting for #CitrixBleed2

https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/

It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs

Evaluating NetScaler logs for indicators of attempted exploitation of CVE-2025-5777

NetScaler Blog
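The user-log indicators from the earlier hunting post (LOGOFF lines with a `#` in the username, because leaked RAM lands in the wrong field) and from the Citrix blog linked above (invalid characters in the username field, duplicate sessions from different IPs), implemented over constructed log lines. This is an added example for this page, not code from the thread or from Citrix. The key=value line format is constructed, and the allowed-username character set is an assumed policy to tune to your own directory.

```python
"""
Hunt in NetScaler user/AAA-style logs for the two indicators named in the thread:
  1. Entries whose username field contains '#' or other characters that no real
     account name would have: leaked RAM landing in the wrong log field.
  2. One session ID seen from more than one client IP: a stolen session cookie
     being replayed from a second address.

The line format below is CONSTRUCTED for this example (key=value fields); real
NetScaler syslog output differs, so adapt LINE_RE. The allowed-username
character set is an assumed policy; tune it to your naming rules.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\S+) session=(?P<session>\S+) '
    r'user="(?P<user>[^"]*)" client_ip=(?P<client_ip>\S+)$'
)
# Assumed policy: letters, digits, dot, underscore, '@', backslash (DOMAIN\user) and hyphen.
VALID_USER_RE = re.compile(r'^[A-Za-z0-9._@\\-]+$')

# Constructed sample: two genuine users, two memory-leak LOGOFF lines from one
# address (garbage in the username field, including a DEL byte), and alice's
# session ID later presented from a second client address.
SAMPLE_USER_LOG = (
    '2025-06-24T09:00:00Z event=LOGIN session=SID-1001 user="alice" client_ip=198.51.100.7\n'
    '2025-06-24T09:00:05Z event=LOGIN session=SID-1002 user="CORP\\j.smith" client_ip=198.51.100.22\n'
    '2025-06-24T09:02:11Z event=LOGOFF session=SID-9000 user="#Rt\x7fq8" client_ip=45.135.232.2\n'
    '2025-06-24T09:02:12Z event=LOGOFF session=SID-9001 user="k#aaAAAA" client_ip=45.135.232.2\n'
    '2025-06-24T09:10:00Z event=ACCESS session=SID-1001 user="alice" client_ip=203.0.113.44\n'
    '2025-06-24T09:30:00Z event=LOGOFF session=SID-1002 user="CORP\\j.smith" client_ip=198.51.100.22\n'
)


def parse_user_log(text):
    """Parse log text into a list of dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def invalid_username_records(records):
    """Rule 1: entries whose username holds '#' or any character outside the assumed policy."""
    return [r for r in records
            if "#" in r["user"] or not VALID_USER_RE.match(r["user"])]


def sessions_from_multiple_ips(records):
    """Rule 2: {session_id: sorted client IPs} for every session seen from more than one address."""
    ips = defaultdict(set)
    for r in records:
        ips[r["session"]].add(r["client_ip"])
    return {sid: sorted(v) for sid, v in ips.items() if len(v) > 1}


def hunt_user_log(text):
    """Run both rules and return the findings as plain data for a report or SIEM export."""
    records = parse_user_log(text)
    return {
        "invalid_usernames": [(r["ts"], r["client_ip"], r["user"])
                              for r in invalid_username_records(records)],
        "replayed_sessions": sessions_from_multiple_ips(records),
    }


if __name__ == "__main__":
    result = hunt_user_log(SAMPLE_USER_LOG)
    for ts, ip, user in result["invalid_usernames"]:
        print(f"[leak?]   {ts} {ip} username={user!r}")
    for sid, ips in result["replayed_sessions"].items():
        print(f"[hijack?] session {sid} seen from {', '.join(ips)}")
```

Rule 2 is the one that survives patching: the thread's point is that a cookie taken before the fix keeps working until the session is killed, so a session ID that changes client address after your patch date is exactly what a successful replay looks like, whereas rule 1 only shows that memory was being read.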
we gettin' there!

This bit is still incomplete in the patching instructions btw - if it's a HA pair you need to additionally reset other session types or you're still vulnerable to session hijack after patching.

I'm still trying to get Citrix to update the instructions.

The Dutch Public Prosecution Office have shut down their Citrix Netscaler and removed all internet access, Dutch media speculating CitrixBleed 2 exploitation.

https://www.techzine.eu/news/security/133163/dutch-department-of-justice-offline-after-citrix-vulnerability/

Justice minister David van Weel told MPs in a briefing that it appears the weakness had been used by third parties to access the department systems.

The justice ministry said the department had applied Citrix’s recommended patches, but these failed to fully eliminate the flaw. https://www.dutchnews.nl/2025/07/prosecution-department-goes-offline-due-to-software-weakness/

Dutch Department of Justice offline after Citrix vulnerability

The Department of Justice shut down all internet connections on Friday morning after a serious security threat. Analysis showed that hackers had probably

Techzine Global
Again to reiterate the point in the thread - Citrix’s patching instructions don’t include - for example - resetting AAA sessions when AAA cookies are stealable with the vulnerability. So we’re going to see orgs caught with Citrix’s pants down.
Here’s the Dutch gov letter and my translation.
@GossiTheDog It's obviously not ideal; but I do like seeing organizational willingness to just pull out the shears and apply them to the uptime wires if that is potentially what it takes; rather than insisting that access must remain even if some of it is pretty definitely not ours.
@GossiTheDog Interesting, the IOCs from support were totally different (look for .php files in the web root).
@GossiTheDog Definitely. Refreshing transparency.
@GossiTheDog providing the data to cyber insurers to wash against their customer base.
@GossiTheDog
Not sure how often the list is updated, but the orgs I emailed 24h ago are still listed as vulnerable.
@GossiTheDog 😇 sure does work. Any take-down requests yet ? 🤔
@GossiTheDog another day, another example of full disclosure working better than the alternatives lol
@GossiTheDog are you using the PoC exploit to determine if systems are vulnerable or basing it off timestamps to infer build numbers instead?
@OracleOfApollo @GossiTheDog probably checking the version or something. I don't see fingerprinting being that difficult and exploit even defanged might be problematic in the legal sense.
@GossiTheDog this is probably a silly question, but are you scanning netblocks most likely to have affected devices first? Eg I'm guessing not a lot likely in AWS, GCP, Azure, China, residential, etc address spaces.
@GossiTheDog "it looks like a lot of orgs are patching from my list" eek! Organisations have so little knowledge of what they have that it takes you to tell them?

@GossiTheDog Perhaps time to refer to it using the more appropriately descriptive word... Wild.

This vulnerability is WILDLY EXPLOITED.

As a bonus "exploited in the wild" can be changed to "wild exploitation observed".

@GossiTheDog Shitrix, amirite?

I’ve been referencing network security device vulnerabilities as the #1 identified breach vector in my latest talk. Guess I need to update my greatest hits already.

https://www.slideshare.net/slideshow/futurecon-seattle-2025-presentation-slides-you-had-one-job/281147331

FutureCon Seattle 2025 Presentation Slides - You Had One Job

In 2024, attackers didn’t need phishing emails to compromise enterprises — they just waited for the latest zero-day in your firewall to be weaponized. Mandiant’s M-Trends 2025 report reveals that most intrusions now start with exploited vulnerabilities in edge security devices. Meanwhile, credentials are stolen by malware faster than MFA can save you, and security vendors themselves are being turned into initial access brokers — unintentionally. This talk is a call to get back to basics. We’ll walk through the top 10 ways organizations are still failing at foundational security, and provide a clear, no-nonsense roadmap for how to fix it. Aligned to NIST, PCI DSS, and C2M2 frameworks, this approach avoids complexity, avoids buzzwords, and avoids blaming users. You don’t need another vendor — you need to configure what you already have properly, document it, and follow through. Because at the end of the day, no one wants to explain to leadership how your “security box” was the reason you got owned. - Download as a PDF or view online for free

SlideShare
@GossiTheDog "The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability." WHAAAAAAAA
@GossiTheDog
So… could there possibly exist another Citrix 0day that this script looks for?
Right script, different CVE? :D
@musevg @GossiTheDog Well we haven’t seen anything yet about 2025-6543… and that was supposed to be the scary one!
@GossiTheDog this one is for CVE-2025-6543
@GossiTheDog Looks like the two-digit billion dollar corp that closed my report as "informative, we don't see the issue here" still hasn't updated yet.
@GossiTheDog is this scan still running or has it now completed?


Update on the situation at The Hague and the shutdown of the Dutch Public Prosecution Service internet access, NCSC Netherlands issued an update today saying all orgs should hunt for CitrixBleed 2 activity, citing my blog.

They also advise clearing all session types, not just the ones Citrix say in their security advisory.

https://advisories.ncsc.nl/advisory?id=NCSC-2025-0196

Updated #CitrixBleed2 scans https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Fields - IP, SSL certificate hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777

I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub
I've been working with @shadowserver btw, their scan results for #CitrixBleed2 now show far more vulnerable systems. Their scanning is independent of mine, logic is improving, more orgs will get notifications. I'm going to try getting victims for notification across too.

I might move the Dutch Public Prosecution Service (OM) Citrix Netscaler incident out to a different thread, but the latest update an hour ago from local media is that they are still without internet and remote access, and they're working on several alternatives to continue criminal trials.

I expect we're going to see a wave of Netscaler incidents over the coming months, although how many will publicly disclose is another issue - the Dutch are culturally transparent.

https://nltimes.nl/2025/07/18/dutch-prosecutor-disconnects-internal-systems-internet-vulnerability

The Canadian government cyber centre are this weekend recommending all orgs review historic logs for #CitrixBleed2 compromise, and reset all user sessions https://www.cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543
The Dutch Public Prosecution Service (OM), which took their systems offline due to #CitrixBleed2 on Friday, are saying they will be offline for weeks. https://nos.nl/artikel/2575857 HT @moartn

There’s a bit more in situation at the OM on Netscaler here: https://www.volkskrant.nl/binnenland/openbaar-ministerie-mogelijk-nog-weken-afgesloten-van-internet-probeert-impact-op-rechtszaken-te-beperken~b6e19434/

The OM say they patched quickly (and my scan data backs this up - they patched around June 24th) however it appears somebody got in (or took a session cookie) before patching took place and now they’re trying to contain the situation.

@GossiTheDog #Alt4You #AltText news article from NOS:
Public Prosecution Service may be closed off from the internet for weeks
The Public Prosecution Service (OM) expects that it may be closed off from the internet for weeks to come. Last week, the Public Prosecution Service disconnected its systems after suspicions of a hack.
This means that Public Prosecution Service employees cannot be reached by email and cannot log in remotely. That already had consequences for lawsuits last week. Public prosecutors could not look into the files, so the papers had to be printed.
Officers can now consult a number of files, but do not work in them, a spokesperson said. "They can read the files, but not edit or print them, for example." The spokesperson could not say whether this will affect lawsuits scheduled for today or the coming weeks.
Aristotelis Tzafalias (@aristot73@infosec.exchange)

The Netherlands faced a significant Citrix related incident in 2019. The Dutch Safety Board investigated... report linked below. It is now 2025, and another Citrix related incident has led to the NL public prosecutor office going offline. I'm curious to see the report on the previous report :) https://onderzoeksraad.nl/en/onderzoek/vulnerable-through-software-lessons-resulting-from-security/ #citrix #netherlands

Infosec Exchange
@GossiTheDog ...if they keep logs
Updates on Actively Exploited Information Disclosure Vulnerability “Citrix Bleed 2” in Citrix NetScaler ADC and Gateway | Arctic Wolf

In late June 2025, Arctic Wolf issued a security bulletin addressing a critical out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway that Citrix disclosed, tracked as CVE-2025-5777.

Arctic Wolf

@GossiTheDog

Referenced Double Pulsar article.

You fuckin’ legend!!

@GossiTheDog latest news is that the OM might be offline for weeks: https://nos.nl/artikel/2575857
OM possibly cut off from the internet for weeks to come: 'A whole lot of printing'

The OM disconnected its systems from the internet last week after suspicions of a cyberattack.

@GossiTheDog your name was in our newspaper on saturday. Electronic version https://www.volkskrant.nl/binnenland/interne-systemen-openbaar-ministerie-offline-vanwege-gat-in-softwarebeveiliging~bf83e282/

Link in online article goes to 'CitrixBleed 2 situation update — everybody already got owned'

@GossiTheDog Yes, we have improved the detections now. Thanks for the collaboration on that.
@GossiTheDog Can you share how you get the firmware versions? We are a Nessus shop and it cannot detect the damn version - really frustrating 😠
@GossiTheDog it strikes me that clearing _all sessions_ should be standard procedure for this kind of gear.
@GossiTheDog ctrl+c, Fortinet, ctrl+v
@GossiTheDog it's too early to be winning the memewars bro. Give the rest of us some hope before you crush it.
@GossiTheDog
quite a bit, in fact - after all it's neither Ivanti nor Fortinet ... 😈
@GossiTheDog It's obviously not ideal; but I do like seeing organizational willingness to just pull out the shears and apply them to the uptime wires if that is potentially what it takes; rather than insisting that access must remain even if some of it is pretty definitely not ours.
@GossiTheDog Interesting, the IOCs from support were totally different (look for .php files in the web root).
@GossiTheDog Definitely. Refreshing transparency.
@GossiTheDog providing the data to cyber insurers to wash against their customer base.
@GossiTheDog
Not sure how often the list is updated, but the orgs I emailed 24h ago are still listed as vulnerable.
@GossiTheDog 😇 sure does work. Any take-down requests yet ? 🤔
@GossiTheDog another day, another example of full disclosure working better than the alternatives lol
@GossiTheDog are you using the PoC exploit to determine if systems are vulnerable or basing it off timestamps to infer build numbers instead?
@OracleOfApollo @GossiTheDog probably checking the version or something. I don't see fingerprinting being that difficult and exploit even defanged might be problematic in the legal sense.
@GossiTheDog this is probably a silly question, but are you scanning netblocks most likely to have affected devices first? Eg I'm guessing not a lot likely in AWS, GCP, Azure, China, residential, etc address spaces.
@GossiTheDog "it looks like a lot of orgs are patching from my list" eek! Organisations have so little knowledge of what they have that it takes you to tell them?

@GossiTheDog Perhaps time to refer to it using the more appropriately descriptive word... Wild.

This vulnerability is WILDLY EXPLOITED.

As a bonus "exploited in the wild" can be changed to "wild exploitation observed".

@GossiTheDog Shitrix, amirite?

I’ve been referencing network security device vulnerabilities as the #1 identified breach vector in my latest talk. Guess I need to update my greatest hits already.

https://www.slideshare.net/slideshow/futurecon-seattle-2025-presentation-slides-you-had-one-job/281147331

FutureCon Seattle 2025 Presentation Slides - You Had One Job

In 2024, attackers didn’t need phishing emails to compromise enterprises — they just waited for the latest zero-day in your firewall to be weaponized. Mandiant’s M-Trends 2025 report reveals that most intrusions now start with exploited vulnerabilities in edge security devices. Meanwhile, credentials are stolen by malware faster than MFA can save you, and security vendors themselves are being turned into initial access brokers — unintentionally. This talk is a call to get back to basics. We’ll walk through the top 10 ways organizations are still failing at foundational security, and provide a clear, no-nonsense roadmap for how to fix it. Aligned to NIST, PCI DSS, and C2M2 frameworks, this approach avoids complexity, avoids buzzwords, and avoids blaming users. You don’t need another vendor — you need to configure what you already have properly, document it, and follow through. Because at the end of the day, no one wants to explain to leadership how your “security box” was the reason you got owned. - Download as a PDF or view online for free

SlideShare