Citrix is back in the headlines for all the wrong reasons. A new memory disclosure vulnerability (CVE-2025-5777) has been discovered in NetScaler ADC and Gateway – and attackers are already exploiting it as early as mid-June 2025 according to researchers.
This critical vulnerability, a memory leak flaw in Citrix NetScaler systems, has become the digital equivalent of an open vault door for cybercriminals.
In recent weeks, security teams have observed exploitation of CitrixBleed 2 against business networks. While it's unclear whether all attacks have progressed to ransomware deployment, the signs of compromise are unmistakable.
Despite the technical name, CitrixBleed 2 is no theoretical threat. It's a shockingly simple vulnerability that allows attackers to steal active session tokens and credentials: a single malformed HTTP POST request triggers a memory over-read that can disclose sensitive session and admin tokens, giving access to your business network.
CISA has also added this vulnerability to its exploited vulnerabilities list on July 10th, with US federal agencies required to patch within 24 hours, a faster timeframe than usual.
The vulnerability is very similar to the original CitrixBleed vulnerability where Solace responded to multiple incidents that led to ransomware.
If your organisation uses Citrix for remote access, you need to act now. Exploitation requires minimal effort and is pre-authentication, so the threat actor needs no login credentials. As before, it is likely that ransomware groups will exploit this over the coming weeks.
How the Attack Works
Several compromises are being reported from exploitation of this vulnerability. This is how the threat actors are doing it.
Scanning for Targets
Attackers are probing the internet for vulnerable NetScaler instances with HTTP/2 enabled (which it is by default).
Triggering the Memory Leak
A specially crafted HTTP POST request forces the server to spill its memory contents.
Stealing the Keys to Your Network
The leaked memory often contains:
Active session tokens (letting attackers bypass login)
Admin credentials (for privileged access)
Private keys (enabling man-in-the-middle attacks)
How Should You Act?
Patch Immediately
Citrix has released fixed versions. This is critical.
Versions affected by the vulnerability:
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
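To turn the list above into a check you can run against your own appliance inventory, here is an added example (not Citrix tooling and not code from this post) that compares a NetScaler version string with the fixed builds listed; the "NS14.1: Build 43.56.nc" input form and the sample version strings are assumptions.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the list above, keyed by (release branch, flavour).
# Any build on these branches that is older than the fixed build is affected.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Accepts "14.1-43.56", "13.1-37.235-FIPS" and (assumed format) the
# "NS14.1: Build 43.56.nc" form printed by `show ns version`.
_VERSION_RE = re.compile(
    r"(?P<branch>\d+\.\d+)\D*?(?:Build\s*)?(?P<build>\d+)\.(?P<minor>\d+)",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int], str]]:
    """Return (branch, (build, minor), flavour) or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    upper = text.upper()
    flavour = "FIPS" if "FIPS" in upper else "NDcPP" if "NDCPP" in upper else ""
    return m.group("branch"), (int(m.group("build")), int(m.group("minor"))), flavour


def is_vulnerable(text: str) -> Optional[bool]:
    """True if older than the fixed build for its branch and flavour, False if
    fixed, None if the branch/flavour is not on the list above (check vendor)."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, build, flavour = parsed
    fixed = FIXED_BUILDS.get((branch, flavour))
    if fixed is None:
        return None
    return build < fixed


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    for v in ["14.1-43.55", "NetScaler NS14.1: Build 43.56.nc", "13.1-37.234-FIPS"]:
        print(v, "->", is_vulnerable(v))
```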
Force logout of all sessions
Run the following commands after patching:
kill icaconnection -all
kill pcoipConnection -all
Assume You’ve Been Breached
Reset all passwords stored on the NetScaler
Monitor with EDR
Check for unusual admin activity and unusual HTTP events within NetScaler logs.
Monitor for data exfiltration attempts
Don’t Be the Next Victim
This vulnerability is particularly dangerous because:
No authentication is required – threat actors don’t need a username or password
Exploits are already in the wild – ransomware groups are likely actively targeting organisations
Default configurations are vulnerable – if you haven’t hardened your setup, you’re at risk
Patch now, monitor closely, and prepare your incident response team. CitrixBleed 2 is a live threat that demands immediate action.
Need help securing your NetScaler environment or suffered an attack? Contact the Solace Cyber DFIR team for urgent support.