The global cybersecurity community faces another major threat in the form of CitrixBleed 2 (CVE-2025-5777), an out-of-bounds memory read vulnerability impacting Citrix NetScaler ADC and Gateway appliances.
Resembling the infamous CitrixBleed (CVE-2023-4966) that previously wreaked havoc across enterprise networks, this flaw enables unauthenticated attackers to obtain sensitive memory content, ranging from active session cookies and authentication tokens to plaintext credentials, thereby bypassing multi-factor authentication (MFA) protections and potentially hijacking administrative access.
Critical Citrix Vulnerability Actively Exploited
The vulnerability, stemming from improper input validation and uninitialized memory (CWE-457), can be triggered by a single malformed HTTP POST request to the vulnerable /p/u/doAuthentication.do endpoint, making exploitation low in complexity but high in impact.
Splunk’s Threat Research Team has underscored the urgency following confirmation of active CitrixBleed 2 exploitation, as highlighted by ReliaQuest and CISA’s addition of this CVE to their Known Exploited Vulnerabilities catalog on July 10, 2025.
Attackers have been observed leveraging the flaw to perform session hijacking and MFA bypass. Notably, early exploitation was detected before public technical details were available, exhibiting the rapid weaponization trajectory typical of critical infrastructure vulnerabilities.
Censys has identified nearly 70,000 NetScaler instances exposed online, though the actual count of unpatched, at-risk appliances remains undetermined, signaling a vast attack surface.
Technical Recommendations
Given the criticality of this vulnerability, Splunk highlights that the first and most important step for defenders is to patch all impacted NetScaler ADC and Gateway instances to the versions specified by Citrix without delay.

However, patching alone may not suffice, since session tokens stolen prior to mitigation will remain valid.
Organizations are urged to terminate all active sessions and audit for suspicious usage such as session reuse from geographically disparate IP addresses or for the presence of administrative tokens in unexpected contexts.
Detection strategies hinge heavily on robust logging and analytics. Splunk recommends ingesting NetScaler logs via their official Technical Add-on, enabling deep analysis of authentication and session events.
Detections should focus on identifying POST requests with malformed login parameters targeting the /p/u/doAuthentication.do endpoint, which can indicate exploit attempts.
Additional analytic coverage should monitor for abnormal authentication volumes from single sources, suspicious session reuse patterns that signal hijacking, and, most definitively, response payloads containing uninitialized memory returned in <InitialValue> tags, often identified by the presence of binary or non-printable characters intermixed with readable session and credential data.
Effective detection of these conditions in logs requires the activation of higher-level debug and authentication logging within NetScaler, as detailed by Splunk, as these are not always enabled by default.
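The detection conditions described above can be expressed as simple log analytics. The following is an added example written for this page, not Splunk's detection content or Citrix code: it runs over a handful of constructed sample events (the field names, IPs, session IDs and response fragments are all invented for illustration and do not mirror real NetScaler log formats) and flags POSTs to /p/u/doAuthentication.do whose login parameters are malformed, responses whose <InitialValue> elements carry non-printable bytes, session IDs observed from more than one source IP, and single sources generating abnormal authentication volume. The volume threshold is an assumed placeholder that a real deployment would tune.

```python
import re
import string
from collections import defaultdict
from urllib.parse import parse_qs

ENDPOINT = "/p/u/doAuthentication.do"
PRINTABLE = set(string.printable)
INITIAL_VALUE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.DOTALL)

# Constructed sample events (not real NetScaler output). Each dict approximates
# fields a SIEM might extract from NetScaler HTTP and authentication logging.
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.10", "method": "POST", "uri": ENDPOINT,
     "body": "login=alice&passwd=secret", "session": "sess-aaa",
     "resp": "<InitialValue></InitialValue>"},
    # Auth POST with malformed login parameters and a response leaking
    # non-printable bytes inside <InitialValue>.
    {"src_ip": "198.51.100.7", "method": "POST", "uri": ENDPOINT,
     "body": "passwd=secret", "session": "",
     "resp": "<InitialValue>\x00\x01sess-bbb\x7f\x00</InitialValue>"},
    # The same session ID then appears from two different source IPs.
    {"src_ip": "192.0.2.5", "method": "GET", "uri": "/vpn/index.html",
     "body": "", "session": "sess-bbb", "resp": ""},
    {"src_ip": "198.51.100.7", "method": "GET", "uri": "/vpn/index.html",
     "body": "", "session": "sess-bbb", "resp": ""},
]


def malformed_login_body(body):
    """True if the POST body is not well-formed key=value pairs or lacks 'login'."""
    if not body:
        return True
    try:
        params = parse_qs(body, strict_parsing=True, keep_blank_values=True)
    except ValueError:  # a field that is not a key=value pair
        return True
    return "login" not in params


def leaked_memory_in_response(resp):
    """True if any <InitialValue> element contains non-printable characters."""
    for chunk in INITIAL_VALUE.findall(resp):
        if any(c not in PRINTABLE for c in chunk):
            return True
    return False


def sessions_seen_from_multiple_ips(events):
    """Return {session_id: {src_ips}} for sessions used from more than one IP."""
    seen = defaultdict(set)
    for e in events:
        if e["session"]:
            seen[e["session"]].add(e["src_ip"])
    return {s: ips for s, ips in seen.items() if len(ips) > 1}


def auth_attempt_counts(events):
    """Count authentication POSTs per source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["method"] == "POST" and e["uri"] == ENDPOINT:
            counts[e["src_ip"]] += 1
    return dict(counts)


def analyze(events, volume_threshold=50):
    """Return (event_index, finding_type, subject) tuples for every detection hit.

    volume_threshold is an assumed placeholder; tune it per environment.
    """
    findings = []
    for i, e in enumerate(events):
        if e["method"] == "POST" and e["uri"] == ENDPOINT and malformed_login_body(e["body"]):
            findings.append((i, "malformed_auth_post", e["src_ip"]))
        if leaked_memory_in_response(e["resp"]):
            findings.append((i, "uninitialized_memory_in_response", e["src_ip"]))
    for sess in sessions_seen_from_multiple_ips(events):
        findings.append((None, "session_reuse_across_ips", sess))
    for ip, n in auth_attempt_counts(events).items():
        if n >= volume_threshold:
            findings.append((None, "high_auth_volume", ip))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The response-content check is the highest-confidence signal of the four, since legitimate <InitialValue> content is printable; the session-reuse and volume checks are weaker on their own and are better treated as enrichment for the post-patch audit of active sessions described above.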
For network-layer detection, updated Snort signatures (such as SID: 65120) provide another means of flagging suspicious POST patterns characteristic of CitrixBleed 2 exploitation attempts targeting vulnerable endpoints.
Integrating such rules into network security stacks can offer an additional layer of preventive defense.
According to the report, the CitrixBleed 2 incident reinforces lessons first learned in 2023: vulnerabilities in authentication gateways are rapidly exploited, session management and post-patch invalidation are crucial, and the risks of supply chain compromise remain very real.
Security teams must not only patch and monitor aggressively but also ensure all exposed tokens are invalidated and conduct a thorough investigation for any indicators of compromise, such as unexpected user accounts, unauthorized configuration changes, or evidence of lateral movement.
With CISA cataloging CitrixBleed 2 as actively exploited and the window between disclosure and attack measured in mere days, swift, coordinated, and comprehensive response is now essential for all organizations relying on Citrix NetScaler technologies.