Over 1,200 Citrix servers unpatched against critical auth bypass flaw

A recent scan by security analysts at the internet security nonprofit Shadowserver Foundation has found that over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances remain unpatched against a critical authentication bypass flaw. The vulnerability, tracked as CVE-2025-5777 and dubbed Citrix Bleed 2, lets threat actors hijack user sessions and bypass multi-factor authentication (MFA) on appliances that have not been patched.

Citrix Bleed 2 is an out-of-bounds memory read caused by insufficient input validation. It lets unauthenticated attackers read restricted memory regions and pull session tokens, credentials, and other sensitive data from appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which are typically exposed to the internet. A similar Citrix flaw, CitrixBleed (CVE-2023-4966), was exploited in 2023 in ransomware attacks and breaches of government networks, where attackers used stolen session tokens to take over NetScaler devices and move laterally across compromised networks.

According to Shadowserver, the vulnerability is being actively exploited in targeted attacks. While Citrix has yet to confirm that this security flaw is being exploited in the wild, cybersecurity firm ReliaQuest reported on Thursday with medium confidence that the vulnerability is already being abused by threat actors. "While no public exploitation of CVE-2025-5777, dubbed 'Citrix Bleed 2,' has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," ReliaQuest warned.

ReliaQuest identified indicators of post-exploitation activity following unauthorized Citrix access: a hijacked Citrix web session indicating a successful MFA bypass, the same session reused from multiple IP addresses (some of them suspicious), and LDAP queries consistent with Active Directory reconnaissance. Shadowserver also found over 2,100 NetScaler appliances unpatched against another critical vulnerability (CVE-2025-6543), which is already being exploited in denial-of-service (DoS) attacks.
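The most actionable of those indicators is a single session token presented from more than one client address. The script below shows how to hunt for that pattern in access logs. It is an added example for this article, not code from Shadowserver, ReliaQuest or Citrix; the log lines are constructed in a simplified key=value layout rather than the real NetScaler ns.log format, and every IP address, username and session id in them is made up.

```python
"""Detect a NetScaler session token reused from more than one client IP.

Added example for this article; it is not code from Shadowserver,
ReliaQuest or Citrix. The log lines are constructed in a simplified
key=value layout (not the real NetScaler ns.log format), and every
IP address, user and session id below is made up.
"""
from collections import defaultdict
import ipaddress

# Constructed sample: session a1f3c9 is legitimately used from
# 198.51.100.23, then the same token appears from 192.0.2.200 a few
# minutes later, which is the reuse pattern the article describes.
SAMPLE_LOG = """\
2025-06-26T09:01:12Z sess=a1f3c9 src=198.51.100.23 user=jdoe req=/cgi/login
2025-06-26T09:01:40Z sess=a1f3c9 src=198.51.100.23 user=jdoe req=/vpn/index.html
2025-06-26T09:02:05Z sess=7be4d0 src=203.0.113.77 user=asmith req=/cgi/login
2025-06-26T09:14:51Z sess=a1f3c9 src=192.0.2.200 user=jdoe req=/vpn/index.html
2025-06-26T09:15:03Z sess=a1f3c9 src=192.0.2.200 user=jdoe req=/cgi/GetAuthMethods
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def sessions_by_ip(log_text):
    """Return {session_id: {client_ip: [timestamps]}}."""
    sessions = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sessions[rec["sess"]][rec["src"]].append(rec["ts"])
    return sessions


def find_reused_sessions(log_text, trusted_nets=()):
    """List sessions whose id was presented from more than one client IP.

    trusted_nets holds CIDR strings (for example a corporate NAT pool).
    A session that only moves between trusted addresses is still reported
    but rated 'low'; any appearance from an address outside those ranges
    is 'high', because a stolen token is typically replayed from
    attacker-controlled infrastructure.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for sess, by_ip in sessions_by_ip(log_text).items():
        if len(by_ip) < 2:
            continue
        untrusted = [ip for ip in by_ip
                     if not any(ipaddress.ip_address(ip) in n for n in nets)]
        findings.append({
            "sess": sess,
            "ips": sorted(by_ip),
            "untrusted_ips": sorted(untrusted),
            "severity": "high" if untrusted else "low",
            "first_seen": min(ts for stamps in by_ip.values() for ts in stamps),
        })
    return findings


if __name__ == "__main__":
    for f in find_reused_sessions(SAMPLE_LOG, trusted_nets=["198.51.100.0/24"]):
        print(f"{f['severity'].upper()}: session {f['sess']} seen from "
              f"{', '.join(f['ips'])} (first seen {f['first_seen']})")
```

The check deliberately keys on the session identifier rather than the username: a user legitimately roaming between networks gets a fresh session at each login, whereas a replayed token keeps the same id while the source address changes. Feed it the relevant fields from your own appliance logs and tune trusted_nets to your egress ranges to cut false positives from NAT.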

With both flaws rated critical, administrators should deploy the latest Citrix patches as soon as possible. Because the bug leaks session tokens, upgrading alone does not invalidate sessions that may already have been stolen: Citrix also advises terminating all active ICA and PCoIP sessions once every appliance in an HA pair or cluster has been upgraded (kill icaconnection -all and kill pcoipConnection -all on the NetScaler CLI). Companies should also review their access controls and monitor NetScaler appliances for suspicious user sessions and activity, such as one session token appearing from several client IP addresses.

Cloud Threats: 8 Key Techniques Used by Cloud-Fluent Threat Actors

Despite the growing sophistication of cloud attacks, threat actors are still using surprisingly simple techniques to compromise organizations. Drawing from Wiz's detections across thousands of organizations, this report reveals 8 key techniques used by cloud-fluent threat actors.

1: Phishing Attacks

A phishing attack is a social engineering tactic in which attackers send emails or messages that appear to come from a legitimate source but are designed to trick users into revealing sensitive information. Against cloud environments, phishing takes many forms, including spoofed login pages that mimic a cloud console or identity provider and malicious attachments that deliver credential-stealing malware.

2: Social Engineering

Social engineering is a psychological manipulation tactic where attackers use persuasion or coercion to get users to reveal sensitive information. This can include techniques like pretexting, baiting, and quid pro quo.

3: Publicly Accessible Credentials

A publicly accessible credential is a password, API key, or access token that has been left exposed online, for example in a public code repository, a paste site, or a world-readable storage bucket. Attackers find them with tools such as Shodan (which indexes exposed services and the panels that sometimes leak secrets, not credentials as such) and by scanning public code and storage for well-known key formats, then use whatever they find to log in to the associated cloud accounts.
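The same pattern matching attackers apply to public repositories can be turned around and run on your own code before it is pushed. The scanner below combines fixed-format matches (AWS access key ids, private key headers, password assignments) with an entropy check for unshaped secrets. It is an added example for this section, not code from Wiz or from the report the page summarises; the sample .env file is constructed, the AWS key pair in it is the placeholder pair from AWS's own documentation, and the other values are made up.

```python
"""Scan text for credentials that should never be public.

Added example for this section; it is not code from Wiz or from the
report the page summarises. SAMPLE_CONFIG is a constructed .env-style
file of the kind that ends up in public repositories; the AWS key pair
in it is the documented placeholder pair from AWS's own docs, and the
other values are made up.
"""
import math
import re

SAMPLE_CONFIG = """\
# constructed sample of a config file pushed to a public repository
DB_HOST=db.internal.example
DB_PASSWORD=Summer2025!
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
LOG_LEVEL=info
"""

# Structured credential formats have fixed shapes; match them directly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b[A-Z_]*PASS(?:WORD|WD)?\b\s*[:=]\s*\S+"),
}


def shannon_entropy(s):
    """Bits per character; random-looking secrets score well above prose."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_text(text, entropy_threshold=4.5, min_len=20):
    """Return [(line_number, finding_kind)] for each suspicious line.

    Shaped formats are caught by PATTERNS; unshaped secrets (API tokens,
    secret keys) are caught when the value side of KEY=VALUE is long and
    high-entropy. Blank and comment lines are skipped.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for kind, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
        _, sep, value = line.partition("=")
        value = value.strip().strip("\"'")
        if sep and len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            findings.append((lineno, "high_entropy_value"))
    return findings


if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}")
```

Note how the two detection styles complement each other on the sample: the access key id is low-entropy (it is mostly a fixed prefix and uppercase letters) and is only caught by its shape, while the secret access key has no fixed shape and is only caught by entropy. Tune entropy_threshold and min_len against your own code base; hashes and base64 blobs in test fixtures are the usual false positives.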

4: Misconfigured Cloud Resources

Misconfigured cloud resources give attackers an entry point that requires no exploit at all. Typical examples are firewall or security group rules that open management and database ports to the whole internet, databases or storage buckets exposed with no authentication, and APIs that accept requests without authorization checks.
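Misconfigurations of this kind are mechanical to check for once the resource definitions are exported. The audit below flags security group rules that expose sensitive ports to the world and bucket policies that grant a public principal access. It is an added example for this section, not code from Wiz; the resource JSON is constructed in a simplified shape loosely modelled on AWS security group rules and S3 bucket policies, not real exported data, and the resource names are made up.

```python
"""Audit constructed cloud resource definitions for common misconfigurations.

Added example for this section; not code from Wiz. The JSON below is a
constructed, simplified shape loosely modelled on AWS security-group
rules and S3 bucket policies, not real exported data.
"""
import ipaddress
import json

SAMPLE_RESOURCES = json.loads("""
{
  "security_groups": [
    {"id": "sg-web", "ingress": [
        {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
    {"id": "sg-db", "ingress": [
        {"proto": "tcp", "from": 5432, "to": 5432, "cidr": "0.0.0.0/0"},
        {"proto": "tcp", "from": 22, "to": 22, "cidr": "10.0.0.0/8"}]},
    {"id": "sg-admin", "ingress": [
        {"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]}
  ],
  "buckets": [
    {"name": "public-site", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"name": "backups", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"]}]}}
  ]
}
""")

# Ports that should essentially never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb", 9200: "elasticsearch"}


def is_world(cidr):
    """True for the IPv4 or IPv6 'anywhere' range (prefix length 0)."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_security_groups(groups):
    """Return (group_id, finding, detail) for world-open sensitive ingress."""
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            if not is_world(rule["cidr"]):
                continue
            lo, hi = rule["from"], rule["to"]
            if rule["proto"] == "-1" or (lo, hi) == (0, 65535):
                findings.append((group["id"], "all_ports_world_open", "*"))
                continue
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((group["id"], "sensitive_port_world_open", name))
    return findings


def principal_is_public(principal):
    """Both '*' and {'AWS': '*'} mean anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_buckets(buckets):
    """Return (bucket, finding, actions) for every public Allow statement.

    Read-only public access may be intentional for a static site, so it is
    reported separately from statements that also allow listing or writes.
    """
    findings = []
    for bucket in buckets:
        for st in bucket["policy"]["Statement"]:
            if st.get("Effect") != "Allow" or not principal_is_public(st.get("Principal")):
                continue
            actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            kind = ("public_read_only" if set(actions) <= {"s3:GetObject"}
                    else "public_list_or_write")
            findings.append((bucket["name"], kind, ",".join(actions)))
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_RESOURCES["security_groups"]):
        print("SG ", *finding)
    for finding in audit_buckets(SAMPLE_RESOURCES["buckets"]):
        print("S3 ", *finding)
```

On the sample, sg-web (HTTPS to the world) is correctly left alone, sg-db is flagged for exposing Postgres while its SSH rule restricted to 10.0.0.0/8 passes, and sg-admin is flagged for an all-protocols rule open to every IPv6 address, a case that IPv4-only checks routinely miss. Adapt the loaders to your provider's real export format; the checks themselves carry over.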

5: Insufficient Multi-Factor Authentication

Multi-factor authentication (MFA) requires users to present more than one form of verification before access is granted. It only helps when it is enforced consistently, however: if some accounts, access paths, or legacy protocols are exempt, or if a stolen session token is accepted without re-verification, attackers bypass it and gain access to sensitive systems.

6: Critical Vulnerabilities

Critical vulnerabilities are software flaws that attackers can exploit to gain access to a system without valid credentials. In the cloud they are particularly damaging when they sit in internet-facing services and are left unpatched, because the same flaw is exposed to every scanner on the internet at once.

7: Ambush Phishing

Ambush phishing is a variant of the phishing described in item 1: messages that appear to come from a legitimate source but are built to trick users into revealing sensitive information. In the cloud, ambush phishing can take many forms.

8: Supply Chain Attacks

A supply chain attack targets third-party vendors, partners, or the software and services they supply, because those parties already have access to the victim's systems. Compromising one of them gives attackers a trusted path into otherwise well-defended environments.

By understanding these 8 key techniques used by cloud-fluent threat actors, organizations can better protect themselves against cloud attacks and ensure their sensitive data remains secure.