- Citrix disclosed patching a critical-severity bug in Citrix NetScaler ADC and Gateway instances
- Independent researchers dub it “CitrixBleed 2” due to its similiarities to the 2023 flaw
- Users are advised to patch up ASAP
Hackers are actively exploiting a critical-severity vulnerability in Citrix NetScaler ADC and Gateway instances to hijack user sessions and gain access to targeted environments, the company has revealed.
The bug is described as an insufficient input validation vulnerability that leads to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. It is tracked as CVE-2025-5777, and was given a severity score of 9.3/10 – critical.
The flaw affects Citrix NetScaler ADC and Gateway device versions 14.1 and before 47.46, and from 13.1 and before 59.19.
CitrixBleed 2
According to security researchers ReliaQuest, the vulnerability is already being abused in the wild to grant attackers initial access.
“Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions,” the researchers explained.
As well as publicly disclosing the vulnerability, Citrix is also offering a fix, and urging users to apply it as soon as possible.
At the same time, independent analyst Kevin Beaumont says the bug bears a resemblance to CitrixBleed, one of the most serious Citrix vulnerabilities discovered in recent years.
It was also a critical-severity flaw that was widely exploited in late 2023, when different threat actors targeted government agencies, banks, healthcare providers. Among the abusers was LockBit, one of the most dangerous ransomware operators in existence.
Due to the similarities, Beaumont dubbed the flaw “CitrixBleed 2”.
At roughly the same time, Citrix disclosed addressing two additional flaws: a high-severity access control issue, and a memory overflow vulnerability.
The former has a severity score of 8.7, and impacts versions from 14.1 and before 43.56 and from 13.1 and before 58.32. The latter, with a 9.2 severity score, is tracked as CVE-2025-6543, and leads to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway.
