Brutkey

Kevin Beaumont
@GossiTheDog@cyberplace.social

If anybody likes stats

- Of the 42 identified NHS Netscalers so far, 37 are patched
🥳🥳 The NHS are really good at this nowadays.

- Of the 65 identified .gov.uk Netscalers so far, only 48 are patched
😅😅 All of the unpatched are councils, which are obviously severely budget constrained in many cases - I'm also not sure they actually know they're supposed to be patching.

Kevin Beaumont
@GossiTheDog@cyberplace.social

First exploitation details for CVE-2025-5777 - the Netscaler vuln - are out. https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

If you call the login page, it leaks memory in the response
🤣🤣

I don’t want to specify too much extra technical info on this yet - but if you keep leaking the memory via requests, there’s a way to reestablish existing ICA sessions from the leaked memory.


Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated scan results for CVE-2025-5777: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's still partial due to bugs, but about 18k servers.

Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 is under active exploitation, since before the WatchTowr blog.

Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 (Citrix Netscaler vuln) has been under active exploitation since mid June, with people dumping memory and using this to try to access sessions.

TTPs to hunt for:

- In Netscaler logs, repeated POST requests to doAuthentication - each one yields 126 bytes of RAM

- In Netscaler logs, requests to doAuthentication.do with "Content-Length: 5"

- In Netscaler user logs, lines with LOGOFF and user = "*#*" (i.e. # symbol in the username). RAM is played into the wrong field.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Horizon3 have a good write up here, I don't think they were aware this is already being exploited for almost a month: https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/

Worth noting I was only able to find exploitation activity due to the WatchTowr and Horizon3 write ups - Citrix support wouldn't disclose any IOCs and incorrectly claimed (again - happened with CitrixBleed) that there was no exploitation in the wild. Citrix have gotta get better at this, they're harming customers.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Just to be super clear, although Citrix claim that CitrixBleed 2 is in no way related to CitrixBleed, it allows direct session token theft - Citrix are wrong. Horizon3 have the POC and it's already being exploited - Citrix were also wrong.

"Not the most novel thing in the world… but this is much much worse than it initially appears. Take a look at the following video where you’ll see that it’s possible to receive legitimate user session tokens via this vector. "

Kevin Beaumont
@GossiTheDog@cyberplace.social

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.


HT
@ntkramer@infosec.exchange and the folks at @greynoise@infosec.exchange

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs:
https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

Kevin Beaumont
@GossiTheDog@cyberplace.social

More from @greynoise@infosec.exchange telemetry - they now push CVE-2025-5777 (CitrixBleed 2) exploitation to June 23rd. I can push it back further, blog incoming.

Kevin Beaumont
@GossiTheDog@cyberplace.social

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

Kevin Beaumont
@GossiTheDog@cyberplace.social

There’s 7 more IPs on GreyNoise exploiting CitrixBleed 2 today, all marked as malicious. https://viz.greynoise.io/query/tags:%22CitrixBleed%202%20CVE-2025-5777%20Attempt%22%20last_seen:90d

Kevin Beaumont
@GossiTheDog@cyberplace.social

“Citrix declined to say if it's aware of active exploitation”

It is aware.
https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Kevin Beaumont
@GossiTheDog@cyberplace.social

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

Kevin Beaumont
@GossiTheDog@cyberplace.social

CISA have modified the CVE-2025-5777 entry to link to my blog 🙌🙌 I’m hoping this gets more visibility as a bunch of us can see from Netflow ongoing threat actor Netscaler sessions to.. sensitive orgs.

Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

Kevin Beaumont
@GossiTheDog@cyberplace.social

https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/

Kevin Beaumont
@GossiTheDog@cyberplace.social

This is how Citrix are styling Citrix Bleed 2 btw. In the blog there’s no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.

From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

#threatintel

Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated CitrixBleed2 scan results of vuln/not vuln
https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Kevin Beaumont
@GossiTheDog@cyberplace.social

CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

Kevin Beaumont
@GossiTheDog@cyberplace.social

Set up lab of Netscalers just now & owned them.

Two learnings:

1) the default logging isn’t enough to know if you’ve been exploited. So if you’re wondering where the victims are, they don’t know they’re victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.

2) the Citrix instructions post patch to clear sessions don’t include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.

Kevin Beaumont
@GossiTheDog@cyberplace.social

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's down from 24% unpatched to 17% unpatched

The results are partial still, the actual numbers still vuln will be higher.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Imperva WAF have added detection and blocking for CitrixBleed 2 this weekend.

They see it being widely sprayed across the internet today - almost 12 million requests, log4shell level.

The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated Citrix scan results will go on Github in a few days, I've found a bug in the scan results setup which should add ~33% more hosts when fixed.

Spoiler:

Kevin Beaumont
@GossiTheDog@cyberplace.social

CitrixBleed 2 update.

- Citrix have finally, quietly admitted exploitation in the wild -- by not commenting to press and then editing an old blog post and not mentioning it on their security update page.

- Orgs have been under attack from threat actors in Russia and China since June

- It's now under spray and pray, wide exploitation attempts.

https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

Kevin Beaumont
@GossiTheDog@cyberplace.social

Citrix Netscaler internet scan still running, it's found another 1k vulnerable instances so far - will probably update Github later today or tomorrow morning.

It looks like we're back up to 18% of boxes being still vulnerable when the new list is out. It looks like a lot of orgs are patching from my list.

Kevin Beaumont
@GossiTheDog@cyberplace.social

New CitrixBleed 2 scan data:

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

+7000 extra hosts added this round, host list is so large you need to use the raw view to see it.

Next set of data publication likely Friday, a month since the patch became available.

3832 orgs/hosts still unpatched.

Kevin Beaumont
@GossiTheDog@cyberplace.social

GreyNoise blog just out about #CitrixBleed2, they see exploitation from IPs in China from June 23rd targeting specifically Netscaler appliances https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc

Kevin Beaumont
@GossiTheDog@cyberplace.social

I’m fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.

Citrix continue to be MIA. They still have no detection guidance for customers, and haven’t told customers the extent of the issue.

#CitrixBleed2

Kevin Beaumont
@GossiTheDog@cyberplace.social

With the #CitrixBleed2 patch data I publish it's possible to view the history on Github for each new scan and see when hosts change from vuln to patched.

It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitrixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.

It's definitely interesting and may need a scale out.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Citrix have a blog out about hunting for #CitrixBleed2

https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/

It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs
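
As an added, constructed example (not from the thread, from Citrix, or from either blog): a small Python hunt that applies the TTPs from the earlier "TTPs to hunt for" post (repeated short POSTs to doAuthentication.do, "#" in the username field) together with the duplicate-session check mentioned here, over made-up simplified log lines. The log line format, the field names, the RFC 5737 sample addresses and the allowed-username pattern are all assumptions; adapt the regexes to your real Netscaler log export before use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed, simplified format (real Netscaler
# syslog lines look different; adjust the regexes to your own log source).
ACCESS_LOG = """\
2025-06-20T10:00:01Z 203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
2025-06-20T10:00:02Z 203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
2025-06-20T10:00:03Z 203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
2025-06-20T10:00:04Z 203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
2025-06-20T10:00:05Z 203.0.113.10 POST /p/u/doAuthentication.do Content-Length: 5
2025-06-20T10:01:00Z 198.51.100.7 POST /p/u/doAuthentication.do Content-Length: 112
""".splitlines()

USER_LOG = """\
2025-06-20T10:00:06Z AAA LOGOFF user = "*#*" session = "sess-2"
2025-06-20T10:05:00Z AAA LOGIN user = "alice" session = "sess-1" client_ip = 198.51.100.7
2025-06-20T10:06:00Z AAA LOGIN user = "alice" session = "sess-1" client_ip = 203.0.113.10
2025-06-20T10:07:00Z AAA LOGIN user = "bob" session = "sess-3" client_ip = 198.51.100.9
""".splitlines()

AUTH_RE = re.compile(r'^(\S+) (\S+) POST \S*doAuthentication\.do Content-Length: (\d+)')
USER_RE = re.compile(r'user = "([^"]*)"')
SESSION_RE = re.compile(r'session = "([^"]*)" client_ip = (\S+)')
ALLOWED_USER = re.compile(r'^[A-Za-z0-9._@\\-]+$')  # assumed local username policy

def short_auth_posts(lines, min_count=5):
    """Source IPs that repeatedly POST to doAuthentication.do with Content-Length: 5."""
    hits = Counter()
    for line in lines:
        m = AUTH_RE.match(line)
        if m and m.group(3) == "5":
            hits[m.group(2)] += 1
    return {ip: n for ip, n in hits.items() if n >= min_count}

def odd_usernames(lines):
    """Username fields with characters outside the allowed set, e.g. '#' from leaked RAM."""
    found = []
    for line in lines:
        m = USER_RE.search(line)
        if m and not ALLOWED_USER.match(m.group(1)):
            found.append(m.group(1))
    return found

def sessions_from_multiple_ips(lines):
    """Session identifiers seen with more than one client IP (possible cookie replay)."""
    seen = defaultdict(set)
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}
```

Run the three functions over your own exported lines; a hit on any of them is a reason to pull the logs from before the patch date and reset all session types, as the thread advises.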

Kevin Beaumont
@GossiTheDog@cyberplace.social

we gettin' there!

Kevin Beaumont
@GossiTheDog@cyberplace.social

This bit is still incomplete in the patching instructions btw - if it's a HA pair you need to additionally reset other session types or you're still vulnerable to session hijack after patching.

I'm still trying to get Citrix to update the instructions.

Kevin Beaumont
@GossiTheDog@cyberplace.social

The Dutch Public Prosecution Office have shut down their Citrix Netscaler and removed all internet access, Dutch media speculating CitrixBleed 2 exploitation.

https://www.techzine.eu/news/security/133163/dutch-department-of-justice-offline-after-citrix-vulnerability/

Justice minister David van Weel told MPs in a briefing that it appears the weakness had been used by third parties to access the department systems.

The justice ministry said the department had applied Citrix’s recommended patches, but these failed to fully eliminate the flaw.
https://www.dutchnews.nl/2025/07/prosecution-department-goes-offline-due-to-software-weakness/

Kevin Beaumont
@GossiTheDog@cyberplace.social

Again to reiterate the point in the thread - Citrix’s patching instructions don’t include - for example - resetting AAA sessions when AAA cookies are stealable with the vulnerability. So we’re going to see orgs caught with Citrix’s pants down.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Here’s the Dutch gov letter and my translation.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Update on the situation at The Hague and the shutdown of the Dutch Public Prosecution Service internet access, NCSC Netherlands issued an update today saying all orgs should hunt for CitrixBleed 2 activity, citing my blog.

They also advise clearing all session types, not just the ones Citrix say in their security advisory.

https://advisories.ncsc.nl/advisory?id=NCSC-2025-0196

Kevin Beaumont
@GossiTheDog@cyberplace.social

Updated #CitrixBleed2 scans https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

Fields - IP, SSL certificate hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777

I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.

Kevin Beaumont
@GossiTheDog@cyberplace.social

I've been working with @shadowserver@infosec.exchange btw, their scan results for #CitrixBleed2 now show far more vulnerable systems. Their scanning is independent of mine, logic is improving, more orgs will get notifications. I'm going to try getting victims for notification across too.

Kevin Beaumont
@GossiTheDog@cyberplace.social

I might move the Dutch Public Prosecution Service (OM) Citrix Netscaler incident out to a different thread, but the latest update an hour ago from local media is that they are still without internet and remote access, and they're working on several alternatives to continue criminal trials.

I expect we're going to see a wave of Netscaler incidents over the coming months, although how many will publicly disclose is another issue - the Dutch are culturally transparent.

https://nltimes.nl/2025/07/18/dutch-prosecutor-disconnects-internal-systems-internet-vulnerability

Kevin Beaumont
@GossiTheDog@cyberplace.social

The Canadian government cyber centre are this weekend recommending all orgs review historic logs for #CitrixBleed2 compromise, and reset all user sessions https://www.cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543

Kevin Beaumont
@GossiTheDog@cyberplace.social

The Dutch Public Prosecution Service (OM), which took their systems offline due to #CitrixBleed2 on Friday, are saying they will be offline for weeks. https://nos.nl/artikel/2575857 HT @moartn@tacobelllabs.net

Kevin Beaumont
@GossiTheDog@cyberplace.social

There’s a bit more on the situation at the OM on Netscaler here: https://www.volkskrant.nl/binnenland/openbaar-ministerie-mogelijk-nog-weken-afgesloten-van-internet-probeert-impact-op-rechtszaken-te-beperken~b6e19434/

The OM say they patched quickly (and my scan data backs this up - they patched around June 24th) however it appears somebody got in (or took a session cookie) before patching took place and now they’re trying to contain the situation.

Kevin Beaumont
@GossiTheDog@cyberplace.social

The NCSC are strongly advising orgs to follow the advice on my blog re #CitrixBleed2, in hindsight I probably shouldn’t have drawn the logo in MSPaint and titled a section “China goes brrrr”.

Kevin Beaumont
@GossiTheDog@cyberplace.social

I think this thread exposes something about the cybersecurity industry and org posture btw - it almost all runs on Windows and EDR telemetry, hence why there’s little info on this from vendors (Netscaler is closed box appliance - they’re flying blind) and why orgs aren’t seeing anything, they don’t know how without vendors.

I keep contacting orgs and they have no idea they are compromised or how to investigate.

#CitrixBleed2

Kevin Beaumont
@GossiTheDog@cyberplace.social

The Dutch Public Prosecution Service #CitrixBleed2 incident rolls on - NRC report on an email from the Director of their IT service, where they say “It is clear that it’s a massive and dramatic incident”.

https://www.nrc.nl/nieuws/2025/07/22/digitale-werkomgeving-om-inderdaad-gehackt-onderzoek-moet-uitwijzen-welke-informatie-is-gestolen-a4901019

Kevin Beaumont
@GossiTheDog@cyberplace.social

The Dutch Public Prosecution Service Citrix Netscaler incident is rumbling on. They are working on service recovery.

https://www.databreachtoday.com/dutch-prosecutors-recover-from-suspected-russian-hack-a-29129

#CitrixBleed2

Kevin Beaumont
@GossiTheDog@cyberplace.social

I've updated my CitrixBleed2 scan results for the first time in two weeks (I've been on holiday).

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

2637 orgs still vuln