Citrix is back with vulnerability news no one wanted. CitrixBleed2 is affecting Citrix NetScaler ADC and Gateway devices between versions 14.1 and 47.46.
Exploitation of CVE-2025-5777 allows unauthenticated attackers to extract session tokens directly from device memory. Those tokens can grant full access to user sessions, even when multi-factor authentication (MFA) is enabled.
This flaw is a continuation of the original CitrixBleed vulnerability discovered in 2023, but with expanded impact and broader exploitability.
Recommended CitrixBleed Mitigations
Immediate Actions
- Apply Citrix Patches Immediately
  - Update to NetScaler ADC and Gateway versions:
    - 14.1-43.56 or later
    - 13.1-58.32 or later
    - FIPS/NDcPP builds: 13.1-37.235 and 12.1-55.328
  - End-of-life versions (13.0 and 12.1) will not receive patches; upgrading is mandatory
- Terminate Active Sessions Post-Patch
  - Attackers may reuse stolen session tokens even after patching.
  - Use Citrix CLI commands to:
    - Review active sessions (`show icaconnection`)
    - Terminate them (`clear icaconnection`)
- Audit for Suspicious Activity
  - Look for:
    - Session reuse across multiple IPs
    - MFA bypass without password entry
- Detect Exploitation Attempts
  - Use tools like THOR Lite to scan for post-exploitation artifacts
  - Analyze NetScaler logs:
    - `grep -i "session_token_leak" /var/log/netscaler/access.log`
  - Check Windows Event Logs for token misuse (`-like` needs wildcards, otherwise it only matches a message that is exactly "Citrix"):
    - `Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4648 -and $_.Message -like "*Citrix*" }`
- Block Suspicious IPs
  - Add ACL rules in NetScaler (replace the placeholder with the source address to deny; a port match also needs `-protocol TCP`, and the rule only takes effect after `apply ns acls`):
    - `add ns acl Block_CitrixBleed2 DENY -srcIP <SUSPICIOUS_IP> -destPort 443 -protocol TCP`
- Harden NetScaler Configurations
  - Disable unused services like SSLVPN:
    - `disable ns feature SSLVPN`
  - Restrict session token permissions
  - Validate login functionality post-patch; some environments may experience issues due to new Content Security Policy headers
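Added example (not from the original post or from Citrix): a small Python script that applies the "session reuse across multiple IPs" check above to constructed, simplified access-log lines. The log layout, the `session=` field and the token names are assumptions for illustration, not the real NetScaler log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (a simplified shape, not the real
# NetScaler format): token tok_s1 is replayed from a second client IP a
# minute after the legitimate user; tok_s2 stays on one IP.
SAMPLE_LOG = """\
2025-07-01T10:00:05Z 203.0.113.10 session=tok_s1 /cgi/login
2025-07-01T10:02:17Z 203.0.113.10 session=tok_s1 /vpn/index.html
2025-07-01T10:03:40Z 198.51.100.7 session=tok_s1 /vpn/index.html
2025-07-01T10:05:00Z 203.0.113.22 session=tok_s2 /cgi/login
2025-07-01T10:06:30Z 203.0.113.22 session=tok_s2 /vpn/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) session=(?P<token>\S+) \S+$")


def parse_lines(text):
    """Yield (timestamp, client_ip, token); skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["token"]


def find_reused_tokens(text, window=timedelta(hours=1)):
    """Return {token: sorted IPs} for tokens used from more than one
    client IP within `window`. A roaming laptop trips this too, so treat
    hits as leads for the session review above, not as proof."""
    seen = defaultdict(list)  # token -> [(timestamp, ip)]
    for ts, ip, token in parse_lines(text):
        seen[token].append((ts, ip))
    flagged = {}
    for token, events in seen.items():
        events.sort()
        ips = sorted({ip for _, ip in events})
        if len(ips) > 1 and events[-1][0] - events[0][0] <= window:
            flagged[token] = ips
    return flagged


if __name__ == "__main__":
    for token, ips in find_reused_tokens(SAMPLE_LOG).items():
        print(f"{token}: used from {', '.join(ips)}")
```

Tokens flagged here are the ones to cross-check against the active-session review and terminate post-patch.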
Monitoring & Detection
- Review logs for unusual session activity, especially login events that lack full credential authentication.
- Deploy enhanced telemetry tools to scan NetScaler memory for suspicious artifacts.
Additional Best Practices
- Enable strict access controls and geo-fencing if possible.
- Audit MFA configurations and enforce token revalidation.
- Segment Citrix infrastructure from other critical systems to reduce lateral movement risk.
CitrixBleed References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_6543
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5777
