Over 3,300 NetScaler devices left unpatched against CitrixBleed 2 bug

A critical vulnerability in Citrix NetScaler devices has left over 3,300 appliances unpatched, exposing them to a range of serious security risks. The vulnerability, tracked as CVE-2025-5777 and referred to as CitrixBleed 2, allows attackers to bypass authentication by hijacking user sessions. This out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated remote attackers to read restricted memory regions on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
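To make the bug class concrete, here is an added illustration in C of what "out-of-bounds memory read from insufficient input validation" means, written for this article; it is not NetScaler code and does not reproduce CVE-2025-5777. The struct layout, field names, the `user=alice` input and the session token value are all constructed for the demonstration. The vulnerable function trusts a caller-supplied length, so a length larger than the input field reads past it into the adjacent secret; the hardened function bounds the read by the actual field contents.

```c
/* Added illustration of an out-of-bounds read caused by trusting a
 * caller-supplied length. Constructed example, not NetScaler code. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16
#define TOKEN_MAX 32

/* Constructed process state: a short input field sitting directly before a
 * session token, as happens when request fields and secrets share memory. */
struct request_state {
    char field[FIELD_MAX];        /* caller-controlled input field */
    char session_token[TOKEN_MAX];/* secret that must never be echoed back */
};

/* Vulnerable echo: copies 'len' bytes starting at field[] without checking
 * that len is within the field's real length. The check against out_cap only
 * protects the destination; the source read can run into session_token. */
size_t echo_field_vulnerable(const struct request_state *st, size_t len,
                             char *out, size_t out_cap)
{
    if (len > out_cap) len = out_cap;
    memcpy(out, st->field, len);   /* reads past field[] when len > strlen */
    return len;
}

/* Hardened echo: the copied length is clamped to the field's actual content,
 * so bytes beyond the terminator (the token) can never reach the caller. */
size_t echo_field_hardened(const struct request_state *st, size_t len,
                           char *out, size_t out_cap)
{
    size_t avail = strnlen(st->field, FIELD_MAX);
    if (len > avail) len = avail;
    if (len > out_cap) len = out_cap;
    memcpy(out, st->field, len);
    return len;
}

/* Naive substring search over a byte buffer (memmem is not portable). */
static int contains(const char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* Builds the constructed state: 10-byte field, secret token right after it. */
static void build_state(struct request_state *st)
{
    memset(st, 0, sizeof *st);
    strcpy(st->field, "user=alice");                     /* constructed */
    strcpy(st->session_token, "TOKEN-constructed-0123");  /* constructed */
}

/* Returns 1 if asking the vulnerable path for 48 bytes leaks the token. */
int vulnerable_leaks_token(void)
{
    struct request_state st; char out[64];
    build_state(&st);
    size_t n = echo_field_vulnerable(&st, 48, out, sizeof out);
    return contains(out, n, "TOKEN-constructed");
}

/* Returns 1 if the hardened path leaks the token for the same request. */
int hardened_leaks_token(void)
{
    struct request_state st; char out[64];
    build_state(&st);
    size_t n = echo_field_hardened(&st, 48, out, sizeof out);
    return contains(out, n, "TOKEN-constructed");
}

/* Number of bytes the hardened path returns for the 48-byte request. */
size_t hardened_bytes_returned(void)
{
    struct request_state st; char out[64];
    build_state(&st);
    return echo_field_hardened(&st, 48, out, sizeof out);
}

int main(void)
{
    printf("vulnerable path leaks token: %d\n", vulnerable_leaks_token());
    printf("hardened path leaks token:   %d\n", hardened_leaks_token());
    printf("hardened bytes returned:     %zu\n", hardened_bytes_returned());
    return 0;
}
```

The point for defenders is that the destination-size check alone is not validation of the request: the length must be checked against what the source actually holds, which is why the fix is a bound on the source, not a bigger output buffer.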

Consequences of the Vulnerability

If successfully exploited, this security flaw could enable threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers. This would allow attackers to hijack user sessions and bypass multi-factor authentication (MFA), providing them with unauthorized access to sensitive information.

History of Exploitation

A similar Citrix security flaw, known as "CitrixBleed," was exploited two years ago to hack NetScaler devices and move laterally across compromised networks in ransomware attacks and breaches targeting government entities. The current vulnerability has been reported to be exploited in zero-day attacks, with proof-of-concept (PoC) exploits released less than two weeks after the flaw was disclosed.

Shadowserver Report

Security analysts from the internet security nonprofit Shadowserver Foundation reported that 3,312 Citrix NetScaler appliances were still vulnerable to ongoing CVE-2025-5777 attacks. Additionally, they spotted 4,142 such devices left unpatched against another critical vulnerability (CVE-2025-6543), which Citrix has tagged as actively exploited in denial-of-service (DoS) attacks.

Netherlands' National Cyber Security Centre (NCSC) Alert

The Netherlands' National Cyber Security Centre (NCSC) warned on Monday that attackers have exploited this flaw as a zero-day since at least early May to breach multiple critical organizations in the country. The NCSC has determined that multiple critical organizations in the Netherlands were successfully attacked via the vulnerability identified as CVE-2025-6543 in Citrix NetScaler.

CISA's Alert and Recommendations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its catalog of actively exploited vulnerabilities, ordering federal agencies to secure their systems against CVE-2025-5777 attacks within a day and against CVE-2025-6543 exploitation by July 21st. The public is also advised to take immediate action to patch these vulnerabilities.

Consequences for Organizations

The recent breaches targeting critical organizations in the Netherlands highlight the potential consequences of not patching this vulnerability. It is essential for organizations to take swift action to secure their systems against CVE-2025-5777 and CVE-2025-6543 exploitation.

Patch Now: Protect Your Organization

The CitrixBleed 2 flaw is now believed to be exploited in attacks, so patch your systems as soon as possible. Public exploits have been released for the CitrixBleed 2 NetScaler flaw, so there is no time to waste.