
A New Reminder of Cyber Risk: The Citrix Bleed 2 Flaw
Modern enterprise networks depend on remote access tools. Solutions like Citrix NetScaler ADC and Gateway make it easy for employees to connect to systems from anywhere securely. But these same systems have become high-value targets for attackers looking to bypass defenses and infiltrate organizations.
The most recent headline-making vulnerability, Citrix Bleed 2 (CVE-2025-5777), is a grim reminder of the reality. First patched back in June of 2025, the bug is now reportedly being used in active attacks. For companies, it’s not a technical aside—it’s a front-of-mind security issue that warrants high priority.
What Is Citrix Bleed 2?
Citrix Bleed 2 is an out-of-bounds read memory vulnerability that is present in Citrix NetScaler ADC and Gateway products. In short, it permits an unauthenticated attacker to view pieces of system memory that they ought not be able to view.
Why is this risky? Leaked memory can hold session tokens, credentials, and other secrets. Attackers can then use those tokens to masquerade as legitimate users without needing their passwords or even their MFA codes. That is one of the ways they can evade the authentication controls companies rely on to keep attackers out.
The vulnerability targets typical gateway setups, e.g., those supporting VPN and secure application access for remote workers. As most companies use such devices in their day-to-day business operations, the attack surface can be enormous.
How Citrix Bleed 2 Works: A Simple Explanation
Rather than crashing the system, Citrix Bleed 2 steals data silently. Attackers send carefully crafted requests to a vulnerable Citrix server. Instead of rejecting the request, the server responds with contents of its memory, which can include active session tokens.
Session tokens are golden keys. When compromised, they allow the attacker to replay an already valid session. MFA cannot even prevent them since they’re not logging in normally—they’re stealing an already authenticated session.
This covert strategy is much harder to detect. It is like stealing a copy of someone's office badge and then walking in through the front entrance as if you belong there.
Evidence That Attackers Are Exploiting It
When Citrix first rolled out its patch in mid-June of 2025, there had not yet been any attacks based on this vulnerability. But by late June, security researchers began receiving ominous reports that exploitation was indeed taking place.
Evidence includes:
- Zero User Interaction Session Hijacking: Attackers hijack Citrix sessions with the legitimate user never even having logged in, pointing toward pilfered session tokens.
- Session Reuse on Multiple IPs: The same user session ID was observed being reused from authorized as well as unauthorized IP addresses, indicating replay attacks.
- Active Directory Discovery: Once the attackers had gained access to the network, they used LDAP queries and tools such as ADExplorer to enumerate user accounts, groups, and permissions, a classic early sign of lateral movement.
- VPN and Cloud IP Camouflage: Attacker sessions were observed originating from consumer VPN services, which masked the actual location of the attackers.
These are the kinds of attacks that a hijacked Citrix session opens the door to. While there is no sign yet of mass exploitation, security companies report with medium confidence that targeted attacks are already under way.
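The first two indicators above (sessions active without a login, and one session ID seen from several source IPs) can be checked mechanically against gateway access logs. The following is an added example, not code from the article or from Citrix; the log format and the sample lines are constructed for illustration, and a real NetScaler log would need its own parser.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: str
    kind: str       # "LOGIN" (interactive authentication) or "ACCESS" (session use)
    user: str
    session: str
    src_ip: str


# Constructed sample log lines (hypothetical format, not real NetScaler output).
# S1: logged in from one address, then used from a second one (replay indicator).
# S2: used without any LOGIN event (token obtained without the user logging in).
# S3: normal session, login and use from the same address.
SAMPLE_LOG = """\
2025-06-24T08:01:10Z LOGIN user=alice session=S1 src=203.0.113.10
2025-06-24T08:05:42Z ACCESS user=alice session=S1 src=203.0.113.10
2025-06-24T08:07:03Z ACCESS user=alice session=S1 src=198.51.100.77
2025-06-24T08:09:15Z ACCESS user=bob session=S2 src=192.0.2.5
2025-06-24T09:00:00Z LOGIN user=carol session=S3 src=203.0.113.44
2025-06-24T09:02:30Z ACCESS user=carol session=S3 src=203.0.113.44
"""


def parse(log: str) -> list[Event]:
    """Parse 'timestamp KIND key=value ...' lines into Event records."""
    events = []
    for line in log.splitlines():
        ts, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kind, kv["user"], kv["session"], kv["src"]))
    return events


def find_suspicious_sessions(events: list[Event]) -> dict[str, list[str]]:
    """Return {session_id: [reasons]} for sessions matching either indicator."""
    ips_by_session = defaultdict(set)   # every source IP seen per session
    logged_in = set()                   # sessions that have a LOGIN event
    for e in events:
        ips_by_session[e.session].add(e.src_ip)
        if e.kind == "LOGIN":
            logged_in.add(e.session)
    findings = defaultdict(list)
    for sid, addrs in ips_by_session.items():
        if len(addrs) > 1:
            findings[sid].append(f"used from multiple IPs: {sorted(addrs)}")
        if sid not in logged_in:
            findings[sid].append("activity without a login event")
    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(parse(SAMPLE_LOG)).items():
        print(sid, "->", "; ".join(reasons))
```

Both checks produce false positives on their own (mobile users legitimately change addresses, and a login may be recorded in a different log source), so the output is a triage list to correlate with the user, not a verdict.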
Why This Vulnerability Is So Dangerous
Citrix NetScaler appliances are typically located at the edge of the network. They manage logins, require MFA, and safeguard access to sensitive applications. A compromise isn’t just some minor vulnerability—it’s a potential big open door for the entire network.
Worse yet, existing session tokens are not invalidated by applying a patch. If an attacker captured tokens before the patch, they can continue accessing systems without anyone being aware. That is why patching alone is not sufficient.
Earlier attacks based on similar vulnerabilities, such as CitrixBleed in 2023, led to high-profile breaches affecting millions of users. Hijacked session cookies were used to bypass authentication and then deploy ransomware or steal sensitive data. Citrix Bleed 2 can allow the same level of compromise if it is not stopped early.

How Attackers Use the Access They Gain
Exploiting Citrix Bleed 2 is only the beginning. Once inside, attackers will typically:
- Map the Network: Enumerating users, groups, and permissions through LDAP queries or ADExplorer.
- Move Laterally: Looking for other privileged accounts or sensitive data.
- Create Persistence: Creating new accounts or planting malware so that access survives even after the initial vulnerability is patched.
- Use Ransomware or Steal Information: The final goals typically involve extortion, information theft, or disruption.
These actions can play out quickly and stealthily, so active protection and monitoring are essential.
Real-World Lessons for All Industries
Citrix Bleed 2 isn’t just a Citrix problem—it’s a wake-up call for everyone. Both criminal and nation-state attackers have repeatedly exploited similar vulnerabilities in high-value infrastructure.
Past breaches show that attackers move quickly when a critical flaw is announced. They scan the internet for unpatched systems and launch automated exploits. Time is of the essence: patch delays of a week or longer can mean the difference between security and breach.
This weakness is also a session hijacking and MFA bypass threat—a method that can circumvent good security software if session management is poorly handled.
Stay Ahead of Emerging Threats
Citrix Bleed 2 highlights an obvious fact: irrespective of how firm your perimeter may be, one vulnerability is enough to permit attackers to waltz right in. Patches should be treated as imperative, not discretionary, by organizations.
But patching alone is not the solution. Security responders need to think through the entire attack life cycle, from preventing initial access through timely detection of suspicious activity, and have well-established response plans in place.
In the end, security against attacks such as Citrix Bleed 2 is a matter of being prepared and taking precautions. By acting in a proactive fashion now, organizations will shut this window of opportunity to attackers and enhance their overall position of security for future challenges.