Project Hyphae
Search

Bleeding Edge or Just Bleeding? CitrixBleed is Back

Share This Post

Citrix is back with vulnerability news no one wanted. CitrixBleed2 is affecting Citrix NetScaler ADC and Gateway devices between versions 14.1 and 47.46.

Exploitation of CVE-2025-5777 can lead to unauthenticated attackers extracting session tokens directly from memory. These tokens can grant full access to user sessions, even if multi-factor authentication (MFA) is enabled.

This flaw is a continuation of the original CitrixBleed vulnerability discovered in 2023, but with expanded impact and broader exploitability.

Recommended CitrixBleed Mitigations

Immediate Actions

  1. Apply Citrix Patches Immediately
    • Update to NetScaler ADC and Gateway versions:
      • 14.1-43.56 or later
      • 13.1-58.32 or later
      • FIPS/NDcPP builds: 13.1-37.235 and 12.1-55.328
    • End-of-life versions (13.0 and 12.1) will not receive patches—upgrade is mandatory
  2. Terminate Active Sessions Post-Patch
    • Attackers may reuse stolen session tokens even after patching.
    • Use Citrix CLI commands to:
      • Review active sessions (show icaconnection)
      • Terminate them (clear icaconnection)
  3. Audit for Suspicious Activity
    • Look for:
      • Session reuse across multiple IPs
      • MFA bypass without password entry
  4. Detect Exploitation Attempts
    • Use tools like THOR Lite to scan for post-exploitation artifacts
    • Analyze NetScaler logs:
      • grep -i “session_token_leak” /var/log/netscaler/access.log
    • Check Windows Event Logs for token misuse:
      • Get-WinEvent -LogName Security | Where-Object { $_.Id -eq 4648 -and $_.Message -like “Citrix” }
  5. Block Suspicious IPs
    • Add ACL rules in NetScaler:
      • add ns acl Block_CitrixBleed2 DENY -srcIP -destPort 443
  6. Harden NetScaler Configurations
    • Disable unused services like SSLVPN:
      • disable ns feature SSLVPN
      • Restrict session token permissions
      • Validate login functionality post-patch—some environments may experience issues due to new Content Security Policy headers

Monitoring & Detection

  • Review logs for unusual session activity, especially login events that lack full credential authentication.
  • Deploy enhanced telemetry tools to scan NetScaler memory for suspicious artifacts.

Additional Best Practices

  • Enable strict access controls and geo-fencing if possible.
  • Audit MFA configurations and enforce token revalidation.
  • Segment Citrix infrastructure from other critical systems to reduce lateral movement risk.

CitrixBleed References



Reach out to our incident response team for help

More To Explore

Information Security News – 7/28/2025

U.S. Nuclear Weapons Department Compromised in SharePoint Attack Article Link: https://www.neowin.net/news/us-nuclear-weapons-department-compromised-in-sharepoint-attack/ Humans Can Be Tracked with Unique ‘Fingerprint’ Based on How Their Bodies Block Wi-Fi

Jo Moldenhauer July 28, 2025

Information Security News – 7/21/2025

Google Gemini Flaw Hijacks Email Summaries for Phishing Article Link: https://www.bleepingcomputer.com/news/security/google-gemini-flaw-hijacks-email-summaries-for-phishing/   Hackers Exploit a Blind Spot Hiding Malware Inside DNS Records Article Link: https://arstechnica.com/security/2025/07/hackers-exploit-a-blind-spot-by-hiding-malware-inside-dns-records/

Marcus Cylar July 23, 2025

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.