
A critical new vulnerability dubbed "CitrixBleed 2" is reportedly being actively exploited, marking a dangerous return of the session hijacking attacks that plagued organizations in 2023. The flaw, tracked as CVE-2025-5777, lets an unauthenticated remote attacker read valid session tokens out of device memory. Replaying a stolen token gives the attacker a session that has already been authenticated, so multi-factor authentication (MFA) is bypassed without the attacker ever logging in.
ReliaQuest published a report in which it claimed "with medium confidence" that attackers are actively exploiting CVE-2025-5777 to gain initial access to targeted environments. The cybersecurity firm identified multiple indicators of compromise, including hijacked Citrix sessions, unauthorized authentication grants, and suspicious session reuse across multiple IP addresses.
How CitrixBleed 2 Works
The vulnerability stems from insufficient input validation in Citrix NetScaler ADC and Gateway devices, leading to an out-of-bounds memory read. Like the original CitrixBleed (CVE-2023-4966), it can let an unauthenticated attacker pull valid session tokens out of the memory of an internet-facing NetScaler device by sending a malformed request.
What makes this particularly dangerous is the scope of exposure. Security researcher Kevin Beaumont, who coined the "CitrixBleed 2" moniker, found over 50,000 potentially vulnerable instances exposed to the internet through Shodan searches on the NetScaler favicon hashes -1292923998 and -1166125415.
The vulnerability affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which are the common setups for remote access in enterprise environments.
Initially, Citrix's advisory mentioned only the management interface, but the company later updated the description to include these broader configurations, significantly expanding the attack surface.
Escalated Threat: Session Tokens vs. Cookies
Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions, according to ReliaQuest researchers.
This distinction makes CitrixBleed 2 potentially more severe than its predecessor, as attackers can maintain access longer and operate across multiple systems even after users terminate their browser sessions.
The vulnerability carries a critical CVSS score of 9.3. Per Citrix's advisory for CVE-2025-5777, it affects NetScaler ADC and Gateway 14.1 before build 14.1-43.56 and 13.1 before build 13.1-58.32; the newer 14.1-47.46 and 13.1-59.19 builds, released for CVE-2025-6543, are above those thresholds and therefore also contain the CitrixBleed 2 fix. While Citrix stated at disclosure that it was not aware of in-the-wild exploitation, ReliaQuest's evidence-based assessment suggests active exploitation is likely occurring, adding urgency to patching efforts.
Immediate Action Required
Organizations running vulnerable NetScaler devices should immediately apply the latest patches and then terminate all active sessions, since a token stolen before the upgrade remains usable until the session it belongs to is killed. Citrix specifically recommends running these commands after upgrading:
kill icaconnection -all
kill pcoipConnection -all
Security teams can identify their own internet-facing devices using Shodan searches with organization-specific filters such as org:YourOrg http.favicon.hash:-1292923998,-1166125415 or ssl:YourOrg html:Citrix. Shodan results are a discovery aid, not proof of patch state: confirm each appliance's actual build with show ns version on the device and compare it against the fixed builds in Citrix's advisory.
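The build comparison just described, as an added example rather than anything from Citrix or the article: the script parses the first line of show ns version output, which it assumes looks like "NetScaler NS14.1: Build 43.56.nc, Date: ...", and labels each appliance in a constructed inventory as vulnerable, fixed or unknown. The thresholds for the 14.1 and 13.1 branches are the fixed builds from Citrix's advisory for CVE-2025-5777; hostnames and build numbers in the inventory are made up for demonstration.

```python
"""Triage NetScaler builds against the CVE-2025-5777 fixed builds.

Added example, not Citrix's own tooling. It assumes the first line of
`show ns version` output has the form
"NetScaler NS14.1: Build 43.56.nc, Date: ...". The 14.1-47.46 and
13.1-59.19 builds that fix CVE-2025-6543 are newer than the thresholds
below and therefore also contain this fix.
"""
import re

# Branch -> first fixed build (major, minor) for CVE-2025-5777,
# taken from Citrix's advisory.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}

# "NetScaler NS14.1: Build 43.56.nc, Date: ..." -> branch, build major, build minor
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, (major, minor)) parsed from `show ns version` output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_vulnerable(text):
    """True if the build predates the fixed build for its branch.

    Returns None for branches without an entry in FIXED_BUILDS (13.0, 12.1):
    treat those as "check the advisory manually", never as safe. Caveat:
    the 13.1-FIPS/NDcPP train is numbered separately from mainline 13.1 and
    has its own fixed build in the advisory, so its output must be judged
    against that line rather than the mainline threshold used here.
    """
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return build < fixed


def triage(inventory):
    """Map hostname -> 'vulnerable' | 'fixed' | 'unknown' for a fleet.

    `inventory` maps hostname to the captured `show ns version` line.
    """
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


# Constructed inventory for demonstration (not real hosts or captures).
SAMPLE_INVENTORY = {
    "gw1.example.net": "NetScaler NS14.1: Build 43.50.nc, Date: May 1 2025",
    "gw2.example.net": "NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025",
    "gw3.example.net": "NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025",
    "gw4.example.net": "NetScaler NS13.1: Build 57.26.nc, Date: Mar 3 2025",
    "gw5.example.net": "NetScaler NS13.0: Build 92.21.nc, Date: Jan 5 2025",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed it the version lines you collect from each appliance (or from your CMDB) and act on every host that is not labelled fixed; "unknown" means the branch is outside the two the advisory's mainline thresholds cover, not that the host is safe.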
Broader Industry Impact
This marks the second Citrix vulnerability under active exploitation this week, following CVE-2025-6543, a separate memory overflow bug in NetScaler that Citrix has confirmed is being exploited in the wild. The pattern mirrors the 2023 CitrixBleed campaign, which was extensively exploited by ransomware groups and state-sponsored actors.
With evidence mounting for active exploitation and tens of thousands of vulnerable devices exposed, security experts warn that CitrixBleed 2 could trigger another wave of high-profile breaches. Organizations should prioritize immediate patching and implement additional monitoring for unusual session activity, particularly authentication from unexpected IP addresses or rapid session reuse patterns.
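The monitoring this article recommends, and the ReliaQuest indicators it cites earlier (hijacked sessions and session reuse across multiple IP addresses), come down to one question: is a single session identifier being used from more than one client address, and how quickly? The script below is an added example, not ReliaQuest's or Citrix's detection logic. It runs over constructed log lines in a simplified key=value format (timestamp, user, session id, client IP, event), flags any session seen from more than one IP, and notes whether any of those IPs fall outside the address ranges you expect your users to come from and whether the IP changed within a short window. The field names, the expected networks and the ten-minute window are assumptions for the example; map your real NetScaler AAA or SSL VPN syslog fields onto parse_line().

```python
"""Flag NetScaler session ids reused from multiple client IPs.

Added example, not part of the ReliaQuest report or any Citrix tooling.
The log format is constructed for illustration: one key=value record per
line with an ISO-8601 timestamp, user, session id, client IP and event.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). Session 9f1e0a hops to a
# second IP within a minute; d00d01 moves to a new IP eight hours later.
SAMPLE_LOG = """\
ts=2025-06-27T08:00:00Z user=alice sid=9f1e0a user_ip=203.0.113.10 event=login
ts=2025-06-27T08:05:12Z user=alice sid=9f1e0a user_ip=203.0.113.10 event=request
ts=2025-06-27T08:05:40Z user=alice sid=9f1e0a user_ip=198.51.100.77 event=request
ts=2025-06-27T08:06:01Z user=alice sid=9f1e0a user_ip=203.0.113.10 event=request
ts=2025-06-27T09:00:00Z user=bob sid=c0ffee user_ip=10.20.30.40 event=login
ts=2025-06-27T09:30:00Z user=bob sid=c0ffee user_ip=10.20.30.40 event=request
ts=2025-06-27T10:00:00Z user=carol sid=d00d01 user_ip=10.20.30.41 event=login
ts=2025-06-27T18:00:00Z user=carol sid=d00d01 user_ip=192.0.2.200 event=request
"""

# Networks your own users are expected to come from (assumption for the example).
EXPECTED_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
# Two different IPs on one session within this window counts as "rapid reuse".
RAPID_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; the ts field becomes a datetime."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def analyze(log_text):
    """Return {sid: finding} for every session used from more than one IP.

    Each finding records the user, the distinct IPs in order of first
    appearance, which of them lie outside EXPECTED_NETS, and whether any
    consecutive pair of events switched IP within RAPID_WINDOW.
    """
    per_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_session[rec["sid"]].append(rec)

    findings = {}
    for sid, recs in per_session.items():
        recs.sort(key=lambda r: r["ts"])
        ips = []
        for r in recs:
            if r["user_ip"] not in ips:
                ips.append(r["user_ip"])
        if len(ips) < 2:
            continue  # one IP for the whole session: nothing to report
        unexpected = [ip for ip in ips
                      if not any(ip_address(ip) in net for net in EXPECTED_NETS)]
        rapid = any(
            a["user_ip"] != b["user_ip"] and b["ts"] - a["ts"] <= RAPID_WINDOW
            for a, b in zip(recs, recs[1:])
        )
        findings[sid] = {
            "user": recs[0]["user"],
            "ips": ips,
            "unexpected_ips": unexpected,
            "rapid_reuse": rapid,
        }
    return findings


if __name__ == "__main__":
    for sid, finding in analyze(SAMPLE_LOG).items():
        print(sid, finding)
```

On the sample data the script reports alice's session (two IPs within a minute, one outside the expected ranges) and carol's session (an unexpected IP hours later), and says nothing about bob's, which never leaves one address. A session that legitimately roams between corporate networks will also trip the multi-IP check, so tune EXPECTED_NETS and RAPID_WINDOW to your environment and treat an unexpected IP combined with rapid reuse as the highest-priority signal.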