- CitrixBleed 2 was discovered in mid-June 2025
- But reports of abuse in the wild followed quickly
- CISA is now calling on FCEB agencies to patch immediately
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CitrixBleed 2 to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies, as well as other companies, that the flaw is being actively exploited in the wild.
On July 10, CISA added CVE-2025-5777 to the catalog: a critical-severity (9.3/10) insufficient input validation vulnerability leading to memory overread. It affects Citrix NetScaler ADC and NetScaler Gateway devices, versions 14.1 before 47.46 and 13.1 before 59.19.
It can be abused against vulnerable NetScaler ADC and NetScaler Gateway appliances to extract sensitive memory content, including session tokens, credentials and potentially other user data, without authentication. Given its resemblance to a previous Citrix vulnerability called CitrixBleed, security researchers named it CitrixBleed 2.
“Significant risk”
The flaw was first discovered in mid-June 2025, and by early July there were already reports of abuse in the wild.
Citrix released a patch, but apparently the majority of instances have not yet been patched, which has presented a unique opportunity for cybercriminals.
Several security researchers, including ReliaQuest, watchTowr and Horizon3.ai, have warned users of ongoing exploitation campaigns. Akamai also added that it observed a “drastic increase” in scanning for potentially vulnerable NetScaler endpoints.
Now CISA has also confirmed the reports of attacks in the wild.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said in a short security advisory.
What is also interesting is the tight deadline it gave FCEB agencies to patch their endpoints. Usually, agencies have 21 days to apply a patch or stop using the affected software completely. In this case, the deadline was just 24 hours.
Citrix has not yet unequivocally stated that the flaw was exploited. However, it urged everyone to apply the patch without delay.
Via TechCrunch



