- CitrixBleed 2 was discovered at the end of June 2025
- Most instances have not yet been patched
- Security researchers warn that the bug is likely to be exploited
CitrixBleed 2, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is now being actively exploited in the wild, multiple researchers have warned.
Security researchers recently found a critical-severity vulnerability in these instances that could allow threat actors to hijack user sessions and gain access to targeted environments.
The flaw, described as an insufficient input validation vulnerability that leads to a memory overread, is tracked as CVE-2025-5777 and affects device versions 14.1 and before 47.46, and from 13.1 and before 59.19. Given its similarity to a previous Citrix vulnerability called CitrixBleed, security researchers named it CitrixBleed 2.
(No) Evidence of abuse
A patch was made available shortly after, but apparently most instances have not yet been patched, and threat actors are taking advantage of that fact. Multiple security researchers, including ReliaQuest, watchTowr and Horizon3.ai, have warned users of ongoing exploitation campaigns.
The Register notes that watchTowr Labs found a “significant portion of the Citrix Netscaler users” had not yet patched against CitrixBleed 2, urging everyone to do so, since the bug is “trivial” to exploit.
“Previously, we declared that we did not intend to publish this vulnerability analysis,” the researchers said. However, the “minimal” information about the flaw “puts these users in a difficult position when determining if they need to sound an internal alarm.”
Shortly after, Horizon3.
At the same time, Citrix is giving mixed signals on whether the bugs are really being exploited in the wild. The company is redirecting all media inquiries to a blog post that discusses the matter, in which it says “currently, there is no evidence to suggest the exploitation of CVE-2025-5777”.
However, in the FAQ section of the same blog post, it also said that “the immediate installation of the recommended updates is critically important due to the identified gravity of this vulnerability and evidence of active exploitation.” It is left somewhat vague whether this answer relates to CitrixBleed 2 or to a different vulnerability.
Finally, in another part of the FAQ, it says “we are currently not aware of any exploitation evidence for CVE-2025-5349 or CVE-2025-5777”.
We would advise everyone to patch, just to be safe, especially because CitrixBleed was being abused by nation-states in highly targeted attacks.