While Citrix has observed some instances where CVE-2025-6543 has been exploited on vulnerable NetScaler networking appliances, the company still says that it doesn’t have evidence of exploitation for CVE-2025-5349 or CVE-2025-5777, both of which were patched earlier this month.
CVE-2025-5777, in particular, has captured the attention of infosec professionals due to its similarity to CVE-2023-4966, aka CitrixBleed. Consequently, CVE-2025-5777 has been informally dubbed “CitrixBleed 2” by security researcher Kevin Beaumont.
Both CitrixBleed and CitrixBleed 2 allow remote unauthenticated attackers to read memory from NetScaler devices and potentially acquire sensitive active session tokens. Those tokens can then be used to hijack the corresponding sessions and effectively bypass all authentication controls.
It was initially stated that CVE-2025-5777 applied to the NetScaler devices’ management interface, but that claim was later deleted from NIST’s CVE description.
On Thursday, ReliaQuest’s researchers said that they observed indicators that may point towards in-the-wild CVE-2025-5777 exploitation.
Those indicators include: a hijacked web session from the NetScaler device; session reuse across multiple IPs (both expected and suspicious ones); and Citrix sessions originating from IP addresses associated with consumer VPN services.
The attackers have also used LDAP queries and specific tools (ADExplorer64.exe) that point to Active Directory reconnaissance activities.
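The session-reuse and VPN-origin indicators described above can be checked against gateway session records. The following Python is an added example, not code from ReliaQuest or Citrix; the log layout, the network ranges and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: timestamp, session id, user, client IP.
# The layout is an assumption for this example, not a NetScaler log format.
SAMPLE_EVENTS = """\
2025-06-26T09:00:12Z sess-a1 alice 10.20.1.15
2025-06-26T09:04:40Z sess-a1 alice 10.20.1.15
2025-06-26T09:05:02Z sess-b2 bob 10.20.3.44
2025-06-26T09:31:18Z sess-b2 bob 203.0.113.77
2025-06-26T09:33:51Z sess-c3 carol 10.20.1.90
2025-06-26T09:40:07Z sess-c3 carol 10.20.7.12
2025-06-26T10:02:29Z sess-d4 dave 203.0.113.140
"""

# Assumed ranges: the organisation's own networks, and a stand-in for a
# consumer-VPN range list (documentation address space, not real VPN data).
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
VPN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def find_suspicious_sessions(log_text, expected_nets=EXPECTED_NETS, vpn_nets=VPN_NETS):
    """Flag sessions reused across client IPs or originating from VPN ranges."""
    ips_by_session = defaultdict(list)  # session id -> distinct IPs, first-seen order
    user_by_session = {}
    for line in log_text.splitlines():
        try:
            _ts, sid, user, raw_ip = line.split()
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # malformed line or unparsable address
        user_by_session[sid] = user
        if ip not in ips_by_session[sid]:
            ips_by_session[sid].append(ip)
    findings = []
    for sid, ips in ips_by_session.items():
        vpn = [str(ip) for ip in ips if _in_any(ip, vpn_nets)]
        if len(ips) > 1:  # same session token presented from several addresses
            all_expected = all(_in_any(ip, expected_nets) for ip in ips)
            reason = "reuse-expected-ips" if all_expected else "reuse-unexpected-ip"
        elif vpn:
            reason = "vpn-origin"
        else:
            continue
        findings.append({"session": sid, "user": user_by_session[sid],
                         "reason": reason, "ips": [str(ip) for ip in ips], "vpn": vpn})
    return findings

if __name__ == "__main__":
    print(*find_suspicious_sessions(SAMPLE_EVENTS), sep="\n")
```

Sessions reused only across expected addresses are still reported, since the indicators above include reuse from both expected and suspicious IPs; they carry a separate reason so they can be triaged at lower priority.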
Other security outfits have either said they haven’t seen exploitation attempts or are keeping mum about it for the time being.
Still, many have noted that even if CitrixBleed 2 is not currently being exploited, it’s highly likely that it will be, very soon.
What to do?
Customers have been advised to implement the patches for all three NetScaler vulnerabilities fixed this month and to terminate all active ICA and PCoIP sessions.
The company is also ready to share indicators of compromise related to CVE-2025-6543 exploitation, and has urged customers “with concerns where they see anomalies in their system behaviour, including random system crashes” to contact the Citrix Customer Support team.
Anil Shetty, senior VP of Engineering at NetScaler, said on Friday that CVE-2025-5349 and CVE-2025-5777 are not linked to CVE-2025-6543.
Censys detects nearly 70,000 exposed NetScaler Gateway & ADC instances online, but could only see that a small number (around 135) run vulnerable versions. The devices are mostly used in the US and Europe.