- Citrixbleed 2 was discovered at the end of June 2025
- Most instances are not yet patched
- Security researchers warn that the flaw is probably already being exploited
Citrixbleed 2, a vulnerability in Citrix Netscaler ADC and Netscaler Gateway, is now being actively exploited in the wild, several researchers have warned.
Security researchers recently found a critical-severity vulnerability in these instances, which could allow threat actors to hijack user sessions and access targeted environments.
The flaw, described as an insufficient input validation vulnerability leading to memory overread, is tracked as CVE-2025-5777 and affects device versions 14.1 and before 47.46, and from 13.1 and before 59.19. Given its resemblance to a previous Citrix vulnerability called Citrixbleed, security researchers named it Citrixbleed 2.
(No) Proof of abuse
A patch was made available shortly after, but apparently the majority of instances have not yet been patched, and threat actors are taking advantage of this. Several security researchers, including ReliaQuest, watchTowr and Horizon3.ai, have warned users of ongoing exploitation campaigns.
The Register notes watchTowr Labs found a “significant part of the Citrix Netscaler user base” had not yet patched against Citrixbleed 2, and urged everyone to do so as the flaw is “trivial” to exploit.
“In the past, we said we didn’t intend to release this vulnerability analysis,” the researchers said. However, “minimal” information sharing about the flaw “puts these users in a tough position when deciding whether they need to sound an internal alarm.”
Shortly after, Horizon3.ai said, “Currently threat actors are likely to be in their tool set as well.”
At the same time, Citrix is giving mixed signals about whether the flaws are actually being exploited in the wild. The company redirects all media queries to a blog post discussing the issue, in which it says, “Currently there is no evidence to suggest the utilization of CVE-2025-5777.”
In the frequently asked questions section of the same blog post, it also said, “Instant installation of the recommended updates is critically important because of the identified severity of this vulnerability and evidence of active exploitation.” It is left somewhat unclear whether this answer relates to Citrixbleed 2 or another vulnerability.
Finally, elsewhere in the FAQ, it says, “We are currently not aware of proof of utilization of CVE-2025-5349 or CVE-2025-5777.”
We would advise everyone to patch, just to be on the safe side, especially as Citrixbleed was abused by nation states in heavily targeted attacks.



