Brutkey

Kevin Beaumont
@GossiTheDog@cyberplace.social

Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.

"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you’ll see that it’s possible to receive legitimate user session tokens via this vector."

Kevin Beaumont
@GossiTheDog@cyberplace.social

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.


HT
@ntkramer@infosec.exchange and the folks at @greynoise@infosec.exchange

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs:
https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

Kevin Beaumont
@GossiTheDog@cyberplace.social

Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/

Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that there was no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.


Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid-June, with people dumping memory and using this to try to access sessions.

TTPs to hunt for:

- In Netscaler logs, repeated POST requests to doAuthentication - each one yields 126 bytes of RAM

- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"

- In Netscaler user logs, lines with LOGOFF and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.
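As an added example (not code from the thread or from Citrix), a small Python hunt that flags the three TTPs above over constructed sample log lines. The space-separated line layout, the field order, the IP addresses and the POST-count threshold of 10 are all assumptions for illustration; real NetScaler logs use their own format, so the two regexes would need adjusting.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified, space-separated layout (NOT the real
# NetScaler log format). Request lines: time src method path status content-length.
# Session lines: time src LOGOFF user=<name>.
SAMPLE_LOGS = (
    ['2025-06-20T10:00:%02dZ 203.0.113.5 POST /doAuthentication.do 200 5' % i
     for i in range(12)]
    + ['2025-06-20T10:05:00Z 198.51.100.7 POST /doAuthentication.do 200 87',
       '2025-06-20T10:05:09Z 198.51.100.7 GET /vpn/index.html 200 -',
       '2025-06-20T10:06:00Z 198.51.100.7 LOGOFF user=alice',
       # Leaked memory landing in the username field: contains '#' and junk bytes.
       '2025-06-20T10:07:00Z 203.0.113.5 LOGOFF user=#\x7fq']
)

REQ_RE = re.compile(r'^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\S+)$')
LOGOFF_RE = re.compile(r'^(\S+) (\S+) LOGOFF user=(.*)$')


def hunt(lines, post_threshold=10):
    """Return the three CitrixBleed 2 indicators found in an iterable of log lines."""
    post_counts = Counter()      # doAuthentication POSTs per source IP
    content_length_5 = []        # (src, time) of POSTs with Content-Length: 5
    logoff_hash_users = []       # (src, user) of LOGOFF lines with '#' in the user
    for line in lines:
        m = REQ_RE.match(line)
        if m:
            time, src, method, path, clen = m.group(1, 2, 3, 4, 6)
            if method == 'POST' and 'doAuthentication' in path:
                post_counts[src] += 1
                if clen == '5':
                    content_length_5.append((src, time))
            continue
        m = LOGOFF_RE.match(line)
        if m and '#' in m.group(3):
            logoff_hash_users.append((m.group(2), m.group(3)))
    return {
        'repeated_doauth_posts': {ip: n for ip, n in post_counts.items()
                                  if n >= post_threshold},
        'content_length_5': content_length_5,
        'logoff_hash_in_user': logoff_hash_users,
    }


if __name__ == '__main__':
    for name, hits in hunt(SAMPLE_LOGS).items():
        print(name, hits)
```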


Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 is under active exploitation, since before the WatchTowr blog.

Kevin Beaumont
@GossiTheDog@cyberplace.social

First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

If you call the login page, it leaks memory in the response
🤣🤣

I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated scan results for CVE-2025-5777: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's still partial due to bugs, but about 18k servers.

Kevin Beaumont
@GossiTheDog@cyberplace.social

If anybody likes stats

- Of the 42 identified NHS Netscalers so far, 37 are patched
🥳🥳 The NHS are really good at this nowadays.

- Of the 65 identified .gov.uk Netscalers so far, only 48 are patched
😅😅 All of the unpatched are councils, which are obviously severely budget constrained in many cases - I'm also not sure they actually know they're supposed to be patching.


Kevin Beaumont
@GossiTheDog@cyberplace.social

I've published my scan in progress of CVE-2025-5777 patching status, listing IPs, hostnames, Citrix Netscaler build numbers and if they're vulnerable to CitrixBleed2.

The scan isn't finished yet so these are only about a quarter of the results - unfortunately my coding skills are shite and it's really slow - should be finished over weekend or early next week.

Also, the SSL certificate hostnames are separated by comma which throws out CSV - sorry, I'll fix that later.

https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Kevin Beaumont
@GossiTheDog@cyberplace.social

If anybody is wondering btw it's 4047 definitely vulnerable (so far) from 17021 scanned instances - so 24% unpatched after about 3 weeks.

But scan is still running obvs so the vuln number will keep growing.
