
A serious security flaw that enables hackers to bypass multifactor authentication in Citrix network management devices has been under active exploitation for over a month, according to cybersecurity researchers. This contradicts Citrix's own statements, which claimed there was no evidence of exploitation in the wild.

Tracked as CVE-2025-5777, the vulnerability bears similarities to the notorious CVE-2023-4966, known as CitrixBleed, which led to the compromise of around 20,000 Citrix devices two years ago. Notable organizations affected during that earlier incident included major players like Boeing, DP World, the Commercial Bank of China, and the Allen & Overy law firm. Additionally, a breach at Comcast led to the theft of sensitive information belonging to 36 million Xfinity customers.

Both CVE-2025-5777 and its predecessor reside in Citrix's NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise environments. The vulnerability causes affected devices to “leak” fragments of memory after receiving specially crafted requests from the internet. By repeatedly sending these requests, attackers can assemble enough fragments to reconstruct user credentials. The original CitrixBleed vulnerability carries a severity rating of 9.8, while CitrixBleed 2 is rated 9.2.

Citrix acknowledged the new vulnerability and issued a security patch on June 17. In a follow-up nine days later, the company stated it was “currently unaware of any evidence of exploitation.” No further updates have been provided since then.

Researchers, however, have uncovered evidence suggesting that CitrixBleed 2 has been actively exploited for weeks. Security firm GreyNoise reported on Monday that its honeypot logs indicated exploitation as early as July 1. Independent researcher Kevin Beaumont corroborated this finding, revealing telemetry that showed exploitation began at least by June 23, three days prior to Citrix's claim of no attacks.

Researchers have criticized Citrix for not disclosing the evidence of active exploitation, arguing that vital information was missing from its advisories. Last week, security firm watchTowr published a post titled "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)," which highlighted this oversight. Horizon3.ai echoed these concerns, emphasizing the need for better communication regarding potential attacks on customer networks.