- CitrixBleed 2 was discovered at the end of June 2025
- The majority of instances have not yet been patched
- Security researchers warn that the bug is probably already being exploited
CitrixBleed 2, a vulnerability in Citrix NetScaler ADC and NetScaler Gateway, is now being actively exploited in the wild, several researchers have warned.
Security researchers recently found a critical-severity vulnerability in these instances, which could allow threat actors to hijack user sessions and access targeted environments.
The flaw, described as an insufficient input validation vulnerability that leads to memory overread, is tracked as CVE-2025-5777 and affects device versions 14.1 before 47.46, and 13.1 before 59.19. Given its similarity to a previous Citrix vulnerability called CitrixBleed, security researchers have nicknamed it CitrixBleed 2.
(No) evidence of abuse
A patch was made available shortly after, but apparently the majority of instances have not yet been patched, and threat actors are taking advantage. Several security researchers, including ReliaQuest, watchTowr and Horizon3.ai, have warned users of ongoing exploitation campaigns.
The Register notes that watchTowr Labs found a “significant part of the Citrix NetScaler user base” had not yet patched against CitrixBleed 2, and urged everyone to do so since the bug is “trivial” to exploit.
“Previously, we said that we did not intend to publish this vulnerability analysis,” said the researchers. However, the sharing of “minimal” information on the fault “places these users in a difficult position when they determine if they need to ring an internal alarm.”
Shortly after, Horizon3.ai said: “Threat actors are now likely to include it in their toolboxes.”
At the same time, Citrix is giving mixed signals about whether the bugs are really being exploited in the wild. The company redirects all media requests to a blog post discussing the question, in which it says “currently, there is no evidence suggesting the exploitation of CVE-2025-5777”.
However, in the FAQ of the same blog post, it also says that “the immediate installation of recommended updates is of crucial importance due to the identified severity of this vulnerability and evidence of active exploitation.” It is left somewhat vague whether this response relates to CitrixBleed 2 or to a different vulnerability.
Finally, elsewhere in the FAQ, it states: “We currently know no proof of exploitation for CVE-2025-5349 or CVE-2025-5777.”
We advise everyone to patch, just to be safe, especially since CitrixBleed was abused by nation states in highly targeted attacks.
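
To find out which appliances still need the update, an inventory of version banners can be sorted against the affected ranges quoted above. The following is an added example, not code from the original article or from Citrix. The banner format, hostnames and sample builds are assumptions, and the fixed-build thresholds are the ones stated in this article.

```python
import re

# Fixed builds per release branch, as stated in this article (not taken
# from the vendor bulletin): 14.1 before 47.46, 13.1 before 59.19.
FIXED_BUILDS = {(14, 1): (47, 46), (13, 1): (59, 19)}

# Assumed banner shape, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ..."
BANNER_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def classify(banner):
    """Return 'vulnerable', 'patched', or 'review' for one version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return "review"          # unparseable: never assume it is safe
    major, minor, b1, b2 = map(int, m.groups())
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "review"          # branch the article does not list
    # Integer tuples avoid the string-compare trap ("9.60" > "59.19").
    return "vulnerable" if (b1, b2) < fixed else "patched"


def triage(inventory):
    """Map {hostname: banner} to {status: [hostnames]}, hostnames sorted."""
    result = {"vulnerable": [], "patched": [], "review": []}
    for host, banner in sorted(inventory.items()):
        result[classify(banner)].append(host)
    return result


# Constructed inventory; hostnames and build numbers are made up.
SAMPLE = {
    "adc-edge-1": "NetScaler NS14.1: Build 43.56.nc, Date: Jun 1 2025",
    "adc-edge-2": "NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025",
    "gw-vpn-1": "NetScaler NS13.1: Build 9.60.nc, Date: Jan 5 2022",
    "gw-vpn-2": "NetScaler NS13.1: Build 59.19.nc, Date: Jun 20 2025",
    "adc-lab": "NetScaler NS12.1: Build 55.330.nc, Date: Mar 3 2024",
    "adc-old": "version unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Anything in the `review` bucket (an unlisted branch or an unreadable banner) needs a manual check rather than being treated as safe.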