Over 2,100 vulnerable Citrix NetScaler servers remain exposed to active exploitation, despite patches being available for critical vulnerabilities that allow attackers to bypass authentication mechanisms and steal session tokens.
Cybersecurity firm ReliaQuest has issued warnings about active exploitation of two critical vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway systems. The vulnerabilities, tracked as CVE-2025-5777 and CVE-2025-6543, have been under attack since mid-June 2025, with scanning activity detected as early as June 19.
As of June 29, 2025, security scans from The Shadowserver Foundation identified approximately 1,289 and 2,100 unpatched IP addresses, with the highest concentrations in the US and Germany. This represents significant security exposure given the critical nature of these flaws.
Citrix Bleed 2: A Dangerous Evolution
CVE-2025-5777, dubbed “Citrix Bleed 2,” carries a CVSS score of 9.2 and represents a dangerous evolution of the original Citrix Bleed vulnerability that wreaked havoc in 2023.
This new vulnerability stems from insufficient input validation, resulting in out-of-bounds memory reads that allow attackers to extract sensitive authentication data.
What makes Citrix Bleed 2 particularly insidious is its targeting mechanism. Whereas the original focused on session cookies, this variant targets session tokens used across API calls and persistent application sessions, potentially granting attackers longer-lived access. Even after users terminate browser sessions, attackers could maintain unauthorized access through hijacked session tokens.
ReliaQuest researchers observed concerning indicators suggesting active exploitation, including hijacked Citrix web sessions where authentication was granted without user knowledge, indicating successful MFA bypass.
The exploitation includes session reuse across multiple IP addresses, combining expected and suspicious sources.
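The session-reuse indicator above can be hunted for in gateway access logs. The following is an added illustration, not code from the article, ReliaQuest or Citrix: it assumes a constructed, simplified record format (`<ISO time> user=<name> session=<token> src=<ip>`) and flags every session token that is presented from more than one client IP, so an analyst can then check whether the extra source is a data-center or VPN range.

```python
"""Flag NetScaler Gateway session tokens reused from more than one client IP.

Constructed example: the log format, field names and every value below are
assumptions for illustration, not real NetScaler output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: alice's token is later presented from a new IP.
SAMPLE_LOG = """\
2025-06-20T08:01:12Z user=alice session=s-1a2b src=203.0.113.10
2025-06-20T08:05:40Z user=alice session=s-1a2b src=203.0.113.10
2025-06-20T08:07:03Z user=bob session=s-9f8e src=198.51.100.7
2025-06-20T08:09:55Z user=alice session=s-1a2b src=192.0.2.44
2025-06-20T08:11:20Z user=bob session=s-9f8e src=198.51.100.7
"""


def parse_line(line):
    """Split one record into (timestamp, user, session, src_ip)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, kv["user"], kv["session"], kv["src"]


def find_reused_sessions(log_text, min_ips=2):
    """Return {session: {"user", "ips", "first", "last"}} for every session
    token seen from at least `min_ips` distinct client IPs (order preserved)."""
    seen = defaultdict(lambda: {"user": None, "ips": [], "first": None, "last": None})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, session, src = parse_line(raw)
        rec = seen[session]
        rec["user"] = user
        if src not in rec["ips"]:
            rec["ips"].append(src)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return {s: r for s, r in seen.items() if len(r["ips"]) >= min_ips}


if __name__ == "__main__":
    for session, rec in find_reused_sessions(SAMPLE_LOG).items():
        span = (rec["last"] - rec["first"]).total_seconds()
        print(f"{session} ({rec['user']}): {len(rec['ips'])} IPs {rec['ips']} within {span:.0f}s")
```

A hit is a lead, not proof: a legitimate roaming user can change IPs, so the flagged token should be checked against the session's authentication events and the reputation of the new source address.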
CVE-2025-6543 carries a CVSS score of 9.3 and has been confirmed as actively exploited by Citrix. This memory overflow vulnerability affects the same NetScaler configurations but poses different threats. Successful exploitation leads to denial-of-service conditions that can shut down critical network infrastructure.
Citrix acknowledged active exploitation, stating that “exploits of CVE-2025-6543 on unmitigated appliances have been observed.”
Security analysts documented sophisticated attack patterns, suggesting involvement by an advanced threat actor. ReliaQuest observed multiple instances of “ADExplorer64.exe” being deployed across compromised environments. Attackers have weaponized this Microsoft tool to conduct extensive domain reconnaissance activities.
Researchers detected LDAP queries associated with Active Directory reconnaissance and Citrix sessions originating from data-center-hosting IP addresses, including consumer VPN services like DataCamp, suggesting sophisticated obfuscation techniques.
NetScaler appliances serve as critical infrastructure components, acting as gateways for remote access to corporate applications and data centers. These systems often serve as primary entry points for remote workers, making them high-value targets.
The authentication bypass capabilities are particularly concerning because they circumvent multi-factor authentication mechanisms that organizations rely on as critical security controls.
Citrix released updated NetScaler builds addressing both vulnerabilities. Recommended patched versions include NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases, and 13.1-58.32 and later releases of 13.1.
Critically, Citrix advised administrators to execute specific commands after patching: “kill icaconnection -all” and “kill pcoipConnection -all” to terminate active sessions and prevent attackers from maintaining access through previously hijacked sessions.
NetScaler versions 12.1 and 13.0 have reached end-of-life status and will not receive security patches. Organizations running these legacy versions face indefinite exposure and are strongly urged to upgrade immediately.
Organizations should immediately apply security patches to all NetScaler systems, particularly internet-facing appliances. Post-patching procedures are equally critical: administrators must terminate all active sessions to invalidate any compromised tokens.