Recent investigations reveal that CVE-2025-5777, dubbed CitrixBleed 2, has been actively exploited for several weeks. The flaw is an out-of-bounds memory read in Citrix's NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. Each malformed request returns a small slice of the appliance's memory; by repeating the request and stitching the fragments together, an attacker recovers sensitive data, including valid session tokens. Replaying a stolen token hijacks an already-authenticated session, which is how the attack sidesteps two-factor authentication without ever needing a password or a second factor.
The original CitrixBleed flaw from 2023 carried a severity rating of 9.8; CitrixBleed 2 is rated slightly lower at 9.2. Citrix released fixed builds on June 17 and, nine days later, stated that it had no evidence of exploitation in the wild. Security researchers and monitoring data have since produced concrete evidence of ongoing attacks. Because the leaked data includes session tokens, installing the patch alone does not invalidate sessions that were already stolen; Citrix's advisory also instructs administrators to terminate active ICA and PCoIP sessions after upgrading, and any session that was alive before the fix should be treated as potentially compromised.
Logs from honeypot systems show exploitation attempts as early as June 23, three days before Citrix's statement that it had seen no evidence of attacks. Citrix nonetheless did not update the public or its customers about the ongoing threat, drawing criticism from cybersecurity experts.
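One observable that follows directly from how the flaw works: because each request leaks only a small fragment of memory, an attacker harvesting tokens has to hit the authentication endpoint many times in quick succession from the same source. The script below is an added example written for this article, not code from Citrix or from the researchers cited, and it runs over constructed access-log lines in common log format. The endpoint path `/auth/login`, the IP addresses and the threshold are placeholders; substitute your gateway's real login endpoint and tune the threshold to your baseline traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Placeholder for the gateway's login endpoint; not the real NetScaler path.
AUTH_PATH = "/auth/login"

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def detect_harvesting(lines, threshold=20, window_seconds=60):
    """Flag source IPs whose POSTs to AUTH_PATH reach `threshold` inside any
    sliding window of `window_seconds`. Returns {ip: peak_count_in_window}.

    A legitimate user logs in once or a handful of times; a memory-overread
    harvesting loop sends the same request dozens or hundreds of times because
    every response only yields a small fragment of memory.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])  # sliding window needs time order

    recent = defaultdict(deque)  # ip -> timestamps of recent auth POSTs
    peak = {}
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != AUTH_PATH:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[ev["ip"]] = max(peak.get(ev["ip"], 0), len(q))
    return peak


def constructed_sample():
    """Constructed sample log lines for demonstration, not real traffic:
    one source fires 45 auth POSTs in 45 seconds, another logs in normally."""
    burst = [
        f'198.51.100.7 - - [23/Jun/2025:10:00:{i:02d} +0000] '
        f'"POST /auth/login HTTP/1.1" 200 431'
        for i in range(45)
    ]
    benign = [
        '203.0.113.5 - - [23/Jun/2025:10:05:10 +0000] "POST /auth/login HTTP/1.1" 302 0',
        '203.0.113.5 - - [23/Jun/2025:10:05:11 +0000] "GET /portal HTTP/1.1" 200 8812',
        "garbage line that should be skipped",
    ]
    return burst + benign


if __name__ == "__main__":
    for ip, count in detect_harvesting(constructed_sample()).items():
        print(f"suspected token-harvesting loop from {ip}: {count} auth POSTs in one window")
```

This is a rate heuristic, not a signature: it will also fire on a misconfigured client that retries in a loop, so treat a hit as a trigger to pull the full request and response bodies for that source and to check whether sessions belonging to other users were subsequently used from that address. Run it against logs going back to at least June 23, the earliest date the honeypot data shows activity, rather than only from the day the patch was applied.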
The stakes are clear from the original CitrixBleed (CVE-2023-4966) in 2023, which was used to breach Boeing, DP World and the Industrial and Commercial Bank of China, and to compromise Comcast's network in an incident that affected millions of Xfinity customers. A flaw of the same class is now under active exploitation again, and it poses the same danger to any organization still running an unpatched NetScaler appliance or one whose pre-patch sessions were never terminated.