The US Cybersecurity and Infrastructure Security Agency has added its weighty name to the list of parties agreeing that CVE-2025-5777, dubbed CitrixBleed 2 by one researcher, has been under exploitation and abused to hijack user sessions.
On Thursday, CISA added the critical security flaw to its catalog of Known Exploited Vulnerabilities. The agency cited “evidence of active exploitation” in its alert.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned.
The bug, a 9.3 CVSS-rated security flaw that allows remote, unauthenticated attackers to read sensitive info — such as session tokens — in memory from NetScaler devices configured as a gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, looked bad from the start.
Citrix disclosed and issued a fix for CVE-2025-5777 back on June 17. Shortly thereafter, bug hunters started sounding the alarm on how bad things could get if customers didn’t patch immediately.
Security maven Kevin Beaumont dubbed the new vulnerability “CitrixBleed 2” because it closely resembled an earlier critical hole in the same NetScaler products, CVE-2023-4966, that allowed attackers to access a device’s memory, find session tokens, and then use those to impersonate an authenticated user while bypassing multi-factor authentication.
By early July, researchers had published at least two working exploits that showed how to abuse CVE-2025-5777 to bypass multi-factor authentication (MFA), hijack user sessions, and access critical systems.
But still no word from the vendor.
Earlier this week, Beaumont said CitrixBleed 2 has been under active exploit for at least a month, citing Greynoise’s honeypot telemetry showing attempts dating back to June 23.
On June 26, however, NetScaler senior VP Anil Shetty assured customers, “There is no evidence to suggest exploitation of CVE-2025-5777.”
Earlier today, Akamai Security Intelligence Group noted a “drastic increase of vulnerability scanner traffic and additional threat actors searching for vulnerable targets” since exploit details for CVE-2025-5777 became public.
Additionally, because the vulnerability targets a specific URL path and requires no authentication or prior conditions to be met, it’s very easy for attackers to exploit, the threat hunters added.
“This flaw can have dire consequences, considering that the affected devices can be configured as VPNs, proxies, or AAA virtual servers,” the Akamai team warned. “Session tokens and other sensitive data can be exposed — potentially enabling unauthorized access to internal applications, VPNs, data center networks, and internal networks.”
The scope of victims still remains unknown. And Citrix isn’t talking. The Register again asked Citrix about in-the-wild exploits, and again did not receive any response from the vendor. ®