‘CitrixBleed 2’ Shows Signs of Active Exploitation

[Kristina Beek, Associate Editor, Dark Reading](/author/kristinabeek), June 27, 2025

NEWS BRIEF

A critical vulnerability found in NetScaler ADC and Gateway, tracked as CVE-2025-5777, is now potentially being exploited in the wild.

The [vulnerability is being dubbed ‘CitrixBleed 2’](https://www.darkreading.com/vulnerabilities-threats/citrix-patches-vulns-netscaler-adc-gateway) by security researcher Kevin Beaumont because of the similarities it shares with the [original CitrixBleed](https://www.darkreading.com/cyber-risk/citrix-addresses-high-severity-flaw-in-netscaler-adc-and-gateway), tracked as CVE-2023-4966.

CitrixBleed 2 was assigned a critical CVSS score of 9.3 and is described as an out-of-bounds read flaw caused by insufficient input validation. Just like the original CitrixBleed, it could allow unauthorized attackers to steal valid session tokens from the memory of Internet-facing NetScaler devices.

‘While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access,’ ReliaQuest researchers wrote in a [blog post](https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/), adding that they assess with medium confidence that attackers are actively exploiting the vulnerability to gain access to targeted environments.

According to ReliaQuest researchers, indicators they have observed that suggest exploitation of the vulnerability include:

1. Hijacked Citrix Web sessions from the NetScaler device in which authentication was granted without user knowledge
2. Session reuse across multiple IPs
3. Citrix sessions from data-center-hosting IP addresses, which indicate the use of consumer VPN services
4. LDAP queries indicating Active Directory (AD) reconnaissance activity
5. Instances of the ‘ADExplorer64.exe’ tool in the environment, which analyzes AD environments and can be abused by threat actors

‘Citrix Bleed 2 mirrors the original in its ability to bypass authentication and facilitate session hijacking, but it introduces new risks by targeting session tokens instead of session cookies,’ noted the researchers. ‘Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions.’

This means that attackers could potentially maintain access for longer periods and operate across multiple systems while remaining undetected, even after the user has ended the browser session.

To prevent exploitation, Citrix recommended that users install the following releases:

- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
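As an added example written for this page (not code from Dark Reading, ReliaQuest or Citrix), the following Python implements the two defender-side checks the brief points at: comparing a NetScaler build string against the fixed releases listed above, and scanning authentication events for one session token used from several source IPs (indicator 2), with a placeholder hosting-network lookup standing in for indicator 3. The event tuple format, the sample events, the test version strings and the hosting range are all constructed for the example; real triage would read the appliance's own logs and an ASN or hosting-classification feed.

```python
"""Defender-side triage helpers for CVE-2025-5777 (CitrixBleed 2):
(1) is a NetScaler build at or past the fixed release the article lists, and
(2) do authentication events show one session token used from several source IPs.
Example code written for this page; the event format, sample events and
hosting ranges are constructed placeholders, not vendor or ReliaQuest data.
"""
from collections import defaultdict
import ipaddress
import re

# Fixed builds exactly as listed in the article (version line, variant) -> build.
# The FIPS/NDcPP variants of 13.1 have their own build numbering, so the
# variant must be known to pick the right threshold.
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),
    ("13.1", "ndcpp"): (37, 235),
}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version):
    """Split a NetScaler build string such as '14.1-43.56' into
    ('14.1', (43, 56)). Raises ValueError on anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(version, variant="standard"):
    """True if the build is at or past the fixed release, False if it is
    older, None if the article lists no fixed build for that version line
    (the caller must then consult the vendor advisory rather than assume)."""
    line, build = parse_version(version)
    threshold = FIXED_BUILDS.get((line, variant.lower()))
    if threshold is None:
        return None
    return build >= threshold


# Constructed sample of authentication events: (session token, user, source IP, time).
SAMPLE_EVENTS = [
    ("tok-a1", "jdoe", "198.51.100.20", "2025-06-26T09:00:01Z"),
    ("tok-a1", "jdoe", "198.51.100.20", "2025-06-26T09:02:17Z"),
    ("tok-a1", "jdoe", "203.0.113.77", "2025-06-26T09:03:40Z"),  # same token, new IP
    ("tok-b2", "asmith", "198.51.100.45", "2025-06-26T09:05:00Z"),
    ("tok-c3", "rlee", "192.0.2.9", "2025-06-26T09:06:12Z"),
]

# Placeholder "hosting provider" network (an RFC 5737 documentation range) so
# the example runs offline; real triage would use an ASN/hosting feed here.
HOSTING_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def is_hosting_ip(ip):
    """True if the address falls inside one of the (placeholder) hosting ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETWORKS)


def find_shared_sessions(events):
    """Group events by session token and report tokens seen from more than one
    source IP (the article's 'session reuse across multiple IPs' indicator).
    Each finding also records whether any of those IPs is in a hosting range."""
    ips_by_token = defaultdict(set)
    user_by_token = {}
    for token, user, ip, _ts in events:
        ips_by_token[token].add(ip)
        user_by_token[token] = user
    findings = []
    for token, ips in ips_by_token.items():
        if len(ips) > 1:
            findings.append({
                "token": token,
                "user": user_by_token[token],
                "ips": sorted(ips),
                "hosting_ip_seen": any(is_hosting_ip(ip) for ip in ips),
            })
    return findings


if __name__ == "__main__":
    # Constructed version strings; note the same build number 37.235 is fixed
    # on the FIPS/NDcPP line but well behind the fix on the standard 13.1 line.
    for v, variant in [("14.1-43.56", "standard"), ("13.1-57.10", "standard"),
                       ("13.1-37.235", "fips"), ("13.1-37.235", "standard")]:
        print(f"{v} ({variant}): fixed={is_fixed(v, variant)}")
    for finding in find_shared_sessions(SAMPLE_EVENTS):
        print(finding)
```

The variant argument is the point to get right in an inventory: a bare build string such as 13.1-37.235 is at the fixed release on the FIPS/NDcPP line but far below 58.32 on standard 13.1, so an asset record that drops the variant will misclassify one of the two. The session check is deliberately a set-based first pass; a single finding still needs the context in indicator 1 (was authentication granted without the user's knowledge) before it is treated as a hijack.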
