
CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA

CISA considers the recently disclosed CitrixBleed 2 vulnerability an unacceptable risk and has added it to the KEV catalog. (Originally published on SecurityWeek.)


The US cybersecurity agency CISA is calling urgent attention to a recently disclosed Citrix NetScaler vulnerability that has been compared to the infamous CitrixBleed flaw of 2023.

Tracked as CVE-2025-5777 (CVSS score of 9.3), the security defect was disclosed on June 17, when Citrix rolled out patches for it, warning that it could be exploited to read out-of-bounds memory.

The flaw is referred to as CitrixBleed 2, after security researcher Kevin Beaumont compared it to the widely exploited CVE-2023-4966 (dubbed CitrixBleed).

Affecting all NetScaler ADC and NetScaler Gateway deployments configured as a gateway or AAA virtual server, the flaw can be triggered with malformed login requests, to which the appliance responds with fragments of its own memory.

Attackers can send repeated requests to NetScaler’s authentication endpoint to retrieve additional memory contents, cybersecurity firms watchTowr and Horizon3.ai revealed in technical writeups.

The exposed information can include session tokens. An attacker who captures a valid token can replay the already-authenticated session, so multi-factor authentication, which the legitimate user completed, is bypassed without the attacker ever passing it.

In late June, Citrix disputed a ReliaQuest warning that attackers had already started exploiting the flaw, but CISA is now warning of the critical risk CVE-2025-5777 exposes organizations to, having added it to its Known Exploited Vulnerabilities (KEV) catalog.

Federal agencies typically need to address flaws that are newly added to KEV within three weeks, but they were given a single day to resolve this security defect.

“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as Citrix Bleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” CISA Acting Executive Assistant Director for Cybersecurity Chris Butera told SecurityWeek.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera continued.

Patches for CitrixBleed 2 are included in NetScaler ADC and NetScaler Gateway 14.1-43.56 and 13.1-58.32, in NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235, and in NetScaler ADC 12.1-FIPS 12.1-55.328. Because the bug leaks session tokens, upgrading alone does not invalidate sessions captured before the patch; Citrix's advisory also recommends terminating all active ICA and PCoIP sessions once the upgrade is complete.
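The fixed-build list above is what most teams actually need to act on, and the FIPS/NDcPP builds use their own numbering, which makes a naive string comparison misleading. The helper below is an added example, not code from the article, SecurityWeek or Citrix: it takes NetScaler build strings in the short form ("14.1-43.56") or as the banner printed by `show ns version`, compares them numerically against the first fixed builds listed in the article, and reports branches for which no fixed build is listed. The inventory and the date in the banner are constructed, and the `flavour` tag (std/FIPS/NDcPP) is assumed to come from your own asset records.

```python
"""Triage NetScaler build strings against the first fixed builds for CVE-2025-5777.

Added example (not from the article or from Citrix). The fixed builds are the
ones listed in the article; the inventory below is constructed.
"""
import re

# First fixed builds, keyed by (release branch, build flavour). "std" marks the
# standard NetScaler ADC / NetScaler Gateway builds; FIPS and NDcPP builds on
# 13.1 and 12.1 are numbered independently, so they are tracked separately.
FIXED_BUILDS = {
    ("14.1", "std"): (43, 56),
    ("13.1", "std"): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Matches the short form "13.1-58.32" and the `show ns version` banner,
# e.g. "NetScaler NS13.1: Build 58.32.nc, Date: ...".
_BUILD_RE = re.compile(
    r"(?:NS)?(?P<branch>\d+\.\d+)(?:-|:\s*Build\s+)(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_build(text):
    """Return (branch, (major, minor)) from a build string or version banner."""
    m = _BUILD_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler build string: {text!r}")
    return m.group("branch"), (int(m.group("major")), int(m.group("minor")))


def fix_status(text, flavour="std"):
    """'patched', 'unpatched' or 'no-fixed-build' for one appliance.

    'no-fixed-build' means the article lists no fixed build for this branch and
    flavour (for example standard 12.1 or 13.0), so a version check cannot clear
    the host; it has to move to a branch that has a fix.
    """
    branch, build = parse_build(text)
    fixed = FIXED_BUILDS.get((branch, flavour))
    if fixed is None:
        return "no-fixed-build"
    # Tuple comparison puts 43.9 before 43.56; a string compare would not.
    return "patched" if build >= fixed else "unpatched"


def triage(inventory):
    """inventory: iterable of (hostname, version_text, flavour) -> {host: status}."""
    return {host: fix_status(ver, flav) for host, ver, flav in inventory}


# Constructed inventory; hostnames and the banner date are made up.
SAMPLE_INVENTORY = [
    ("gw-1", "NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025", "std"),
    ("gw-2", "14.1-43.50", "std"),
    ("gw-3", "13.1-58.32", "std"),
    ("gw-4", "13.1-37.235", "FIPS"),
    ("gw-5", "13.1-37.235", "std"),   # same number, but std 13.1 needs 58.32
    ("gw-6", "13.0-92.21", "std"),    # branch with no fixed build listed
    ("gw-7", "12.1-55.328", "FIPS"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:6} {status}")
```

A "patched" result only says the appliance is on a fixed build; it says nothing about sessions that may have been hijacked before the upgrade, which is why the session-termination step matters alongside the version check.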

More than 400 internet-accessible NetScaler instances remain unpatched against this CVE, data from The Shadowserver Foundation shows. Roughly 500 deployments are affected by another critical issue, tracked as CVE-2025-6543 (CVSS score of 9.2), which was exploited as a zero-day.

Related: Critical Wing FTP Server Vulnerability Exploited

Related: CISA Warns of Two Exploited TeleMessage Vulnerabilities

Related: Vulnerabilities in CISA KEV Are Not Equally Critical: Report

Related: Thousands of Citrix NetScaler Instances Unpatched Against Exploited Vulnerabilities
