Citrix Hack Bleed 2 Thin Client Bug

July 11, 2025

NetScaler – CISA confirms hackers are actively exploiting critical ‘Citrix Bleed 2’ bug

Yahoo — U.S. cybersecurity agency CISA says hackers are actively exploiting a critical-rated security flaw in a widely used Citrix product, and has given other federal government departments just one day to patch their systems.

Security researchers have dubbed the bug “Citrix Bleed 2” for its similarity to a 2023 security flaw in Citrix NetScaler, a networking product that large companies and governments rely on for allowing their staff to remotely access apps and other resources on their internal networks. Much like the earlier bug, Citrix Bleed 2 can be remotely exploited to extract sensitive credentials from an affected NetScaler device, allowing the hackers broader access to a company’s wider network.

In an alert on Thursday, CISA said it had evidence that the bug was being actively used in hacking campaigns, adding to the raft of research and findings pointing to widespread exploitation, with some reporting hacks dating back as far as mid-June. Akamai said it saw a “drastic increase” in efforts to scan the internet for affected devices after details of the NetScaler exploit were published earlier this week.

CISA said the NetScaler bug poses a “significant risk” to the federal government’s systems, and ordered federal government agencies to patch any Citrix device affected by the bug by Friday.

For its part, Citrix has not yet acknowledged that the vulnerability is being exploited. The company’s security advisory urges customers to update affected devices as soon as possible.

Citrix representatives did not respond to TechCrunch’s request for comment.

Background

Citrix Bleed 2 refers to a critical security vulnerability in Citrix NetScaler (formerly Citrix ADC) Gateway devices, officially tracked as CVE-2025-5777. The flaw is a pre-authentication memory leak that lets attackers remotely extract sensitive data, specifically session tokens, from device memory, enabling them to bypass authentication mechanisms (including multi-factor authentication) and hijack user sessions.

  • The vulnerability is triggered when an attacker sends a malformed HTTP POST request to the NetScaler authentication endpoint, specifically omitting the value or the equals sign in the login parameter.

  • Because the backend code does not validate this input sufficiently, the system responds with uninitialized memory inside an XML tag (<InitialValue>), leaking up to about 127 bytes of stack memory per request.

  • By repeatedly sending such requests, attackers can harvest session tokens and other sensitive information from memory, which can then be used to impersonate users, bypass authentication, and gain unauthorized access to internal systems, even after legitimate users have logged out.

  • The vulnerability is being actively exploited in the wild, with over 2,100 unpatched NetScaler servers confirmed exposed as of July 2025.

  • Attackers can hijack sessions and bypass multi-factor authentication by reusing stolen session tokens.

  • The flaw affects public-facing NetScaler appliances used for remote access, load balancing, and application delivery in the enterprise, government, healthcare, and finance sectors.

  • Attackers often mimic legitimate session traffic, making detection challenging for traditional security tools.

  • The name “Citrix Bleed 2” comes from its similarity to the 2023 Citrix Bleed (CVE-2023-4966) vulnerability, which also involved memory disclosure and session hijacking. Citrix has stated that the two vulnerabilities are not directly related in code, though their effects and exploitation methods are similar.
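Detection logic for the request and response pattern described above, added here as an example for this page (it is not Citrix's code nor any vendor's detection rule): it scans constructed proxy-style log records for POST bodies whose login parameter lacks an equals sign or a value, and for <InitialValue> responses that carry control characters, which a real login name never contains. The JSON-lines layout, field names and source addresses are assumptions for the example.

```python
import json
import re

# Constructed sample, JSON-lines style, as a reverse proxy or WAF in front of a NetScaler
# Gateway might log with body capture on. Field names and layout are assumptions for
# this example, not a NetScaler log format; the source addresses are documentation ranges.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"src": "203.0.113.10", "method": "POST", "body": "login=alice&passwd=secret",
     "resp": "<InitialValue>alice</InitialValue>"},
    {"src": "198.51.100.7", "method": "POST", "body": "login",
     "resp": "<InitialValue>\x00\x08\xc4\xff\x15\x07sess\x00</InitialValue>"},
    {"src": "198.51.100.7", "method": "POST", "body": "login=",
     "resp": "<InitialValue></InitialValue>"},
    {"src": "203.0.113.22", "method": "GET", "body": "", "resp": ""},
])

INITIAL_VALUE_RE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.DOTALL)

def login_param_problem(body: str) -> str:
    """Describe a malformed 'login' form field (no '=' or no value); '' when it looks normal."""
    for field in body.split("&"):
        name, sep, value = field.partition("=")
        if name != "login":
            continue
        if not sep:
            return "login parameter sent without '='"
        if value == "":
            return "login parameter sent with empty value"
    return ""

def leaked_memory_in_response(resp: str) -> bool:
    """True when <InitialValue> carries control characters: memory contents, not a user name."""
    match = INITIAL_VALUE_RE.search(resp)
    if not match:
        return False
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in match.group(1))

def scan(log_text: str) -> list:
    """Return one alert per POST record whose request body or response matches the pattern."""
    alerts = []
    for rec in map(json.loads, log_text.splitlines()):
        if rec.get("method") != "POST":
            continue
        problem = login_param_problem(rec.get("body", ""))
        reasons = [problem] if problem else []
        if leaked_memory_in_response(rec.get("resp", "")):
            reasons.append("non-printable bytes inside <InitialValue>")
        if reasons:
            alerts.append({"src": rec["src"], "reasons": reasons})
    return alerts
```

Aggregating alerts per source address over a time window turns the single-request signal into the repeated-harvesting pattern the text describes.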
