Risk Advisory: CitrixBleed 2 (CVE-2025-5777)

Risk Advisory

Tuesday, 8 July, 2025

CitrixBleed 2

Cydea’s risk advisories support senior management in their understanding of current events and the cyber risk posed to their organisations.

Organisations using Citrix NetScaler ADC or Gateway should patch urgently and terminate active sessions immediately to mitigate exploitation of CVE-2025-5777.

What has happened / is the context / is the problem?

Citrix has disclosed a new critical vulnerability, CVE-2025-5777, now known as CitrixBleed 2, which affects NetScaler ADC and Gateway when configured as a VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server.

Multiple proofs-of-concept are already public, and active exploitation has been observed in the wild.

What is the risk?

Unauthenticated attackers can remotely steal active session tokens. Once acquired, these tokens can be used to hijack sessions, bypass multi-factor authentication (MFA), and access internal resources.

Source:

Criminal actors (opportunistic and targeted)

Risk events:

System Intrusion (Software exploit)
Information Breach (Unauthorised access to information)
Privilege Misuse (Session hijacking)

Consequences:

Compliance (Breach of personal or regulated data)
Financial (Incident response and remediation costs)
Strategic (Reputational impact if customer data is accessed)

What factors drive the consequences?

Session tokens are often highly privileged (e.g., administrator or SSO access)
Citrix is widely used to provide external access to internal systems
Once a session is hijacked, further authentication is often not required
Difficulty detecting token theft or misuse from logs

What factors drive the frequency?

Public exploit code is widely available
Over 18,000 Citrix appliances are exposed to the internet
Many organisations are slow to invalidate existing sessions post-patch
Exploitation is trivial and requires no authentication

How may it evolve?

Exploitation of CVE-2025-5777 is expected to escalate, particularly by groups seeking initial access to corporate environments. Given similarities to CitrixBleed (CVE-2023-4966), it may be used in ransomware campaigns or APT operations.

Source:

Criminal

Risk events:

System Intrusion (Software exploit)
Malware (Ransomware)
Information Breach (Unauthorised access to information)

Consequences:

Operations (Business disruption)
Compliance (Regulatory breach notification)
Financial (Unplanned response and legal costs)
Strategic (Loss of trust)

What action is required?

Patch all affected NetScaler ADC and Gateway appliances immediately.
Terminate all active sessions post-patch, as stolen tokens remain valid until sessions are ended.
Review Citrix logs for signs of exploitation, including POSTs with Content-Length: 5, or unusual reuse of session tokens across IPs.
Rotate credentials and session secrets, especially for accounts used via Citrix access.
Harden remote access controls, shorten session lifetimes, and monitor for anomalies in token/session behavior.

For further information or assistance in understanding or measuring this risk to your organisation, please contact us for a session with one of our cyber risk consultants.

Cydea uses the Open Information Security Risk Universe (OISRU) as a framework and taxonomy for describing information security risks independently of models or methods of analysing risks. Find out more about our contribution to the project on our cydea.tools site.