- CitrixBleed 2 was discovered in mid-June 2025
- Reports of in-the-wild exploitation followed quickly
- CISA now urges FCEB agencies to patch immediately
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CitrixBleed 2 to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal Civilian Executive Branch (FCEB) agencies, as well as other organizations, that the bug is being actively exploited in the wild.
On July 10, CISA added CVE-2025-5777 to the catalog. It is a critical-severity (9.3/10) insufficient input validation flaw that leads to a memory over-read. It affects Citrix NetScaler ADC and NetScaler Gateway appliances, versions 14.1 before build 47.46 and 13.1 before build 59.19.
It can be abused against vulnerable NetScaler ADC and NetScaler Gateway appliances to read sensitive memory contents, including session tokens, credentials and potentially other user data, without authentication. Because of its similarity to an earlier Citrix vulnerability known as CitrixBleed, security researchers have nicknamed it CitrixBleed 2.
“Significant risk”
The bug was first discovered in mid-June 2025, and by early July there were already reports of exploitation in the wild.
Citrix has published a patch, but apparently most affected instances have not yet been patched, leaving a clear window of opportunity for cybercriminals.
Several security researchers, including ReliaQuest, watchTowr and Horizon3.ai, have warned users about ongoing exploitation campaigns. Akamai also reported observing a “radical increase” in scanning for potentially vulnerable NetScaler endpoints.
Now CISA has also confirmed reports of attacks in the wild.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it said in a short security advisory.
Also notable is the tight deadline given to FCEB agencies to remediate their systems. Agencies usually have 21 days to apply the fix or stop using the affected software entirely. In this case, the deadline was just 24 hours.
Citrix has not yet unequivocally stated that the bug has been exploited. It has, however, urged everyone to apply the patch without delay.
Via TechCrunch