An update on CVE-2025-5777, explaining why orgs should identify systems and patch.

https://doublepulsar.com/citrixbleed-2-electric-boogaloo-cve-2025-5777-c7f5e349d206

Citrix on this one:

"At this time, there have been no reports or indications that the vulnerabilities described in CTX693420 (CVE-2025-5349 and CVE-2025-5777) are being actively exploited in the wild. However, due to the critical severity of these issues (CVSS scores of 8.7 and 9.3), We strongly recommends that affected customers apply the updated patches immediately to mitigate any potential risks."

NHS Digital's cyber alert database has been updated too. https://digital.nhs.uk/cyber-alerts/2025/cc-4670

I highly recommend bookmarking this site for the alerts, they're really good at filtering noise:

https://digital.nhs.uk/cyber-alerts

E.g. if you select 'high' category, there's only one a month on average

If you see this GitHub PoC for CVE-2025-5777 doing the rounds:

https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-

It’s not for CVE-2025-5777. It’s AI generated. The links in the README still have ChatGPT UTM sources.

The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write up of the other vuln.

I’ve heard that Citrix are complaining me billing this CitrixBleed 2 is causing them reputational damage, and isn’t related in any way to CitrixBleed.

For the record - it was a dumb joke name to attraction attention for patching. I know it isn’t exactly the same cause.

But, ya know, it is a memory disclosure vuln which reveals sensitive info, and it does require ICA sessions be reset.. which only happened before with CitrixBleed.

I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.

The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.

Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.

https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

If anybody is wondering btw it's 4047 definitely vulnerable (so far) from 17021 scanned instances - so 24% unpatched after about 3 weeks.

But scan is still running obvs so the vuln number will keep growing.

If anybody likes stats

- Of the 42 identified NHS Netscalers so far, 37 are patched🥳 The NHS are really good at this nowadays.

- Of the 65 identified .gov.uk Netscalers so far, only 48 are patched 😅 All of the unpatched are councils, which are obviously severely budget constrained in many cases - I'm also not sure they actually know they're supposed to be patching.

First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

If you call the login page, it leaks memory in the response 🤣

I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.

Updated scan results for CVE-2025-5777: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's still partial due to bugs, but about 18k servers.

CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.

TTPs to hunt for:

- In Netscaler logs, repeated POST requests to *doAuthentication* - each one yields 126 bytes of RAM

- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"

- In Netscaler user logs, lines with *LOGOFF* and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.

Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/

Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.

Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.

"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you’ll see that it’s possible to receive legitimate user session tokens via this vector. "

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.

64.176.50.109
139.162.47.194
38.154.237.100
38.180.148.215
102.129.235.108
121.237.80.241
45.135.232.2

HT @ntkramer and the folks at @greynoise

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs: https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

“Citrix declined to say if it's aware of active exploitation”

It is aware. https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

This is how Citrix are styling Citrix Bleed 2 btw. In the blog there’s no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.

From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

#threatintel