CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk

CVE-2025-5777 aka CitrixBleed 2 Detection

Shortly after the disclosure of two Sudo-related local privilege escalation vulnerabilities affecting major Linux distributions, attention has shifted to a critical security issue in NetScaler ADC, which has already been exploited in the wild. The vulnerability tracked as CVE-2025-5777 is characterized as a memory overflow issue that may lead to unexpected control flow and potential denial-of-service conditions. CVE-2025-5777 gained attention primarily due to its resemblance to the previously disclosed CVE-2023-4966, also known as CitrixBleed, which affected Citrix’s NetScaler ADC and Gateway instances. As a result, CVE-2025-5777 has been unofficially nicknamed “CitrixBleed 2.”

Detect CVE-2025-5777 Exploitation Attempts

With the digital environment becoming more complex by the day, the volume of newly identified vulnerabilities is rising rapidly, adding significant strain on cybersecurity teams. In 2025 alone, NIST has already documented over 24,000 CVEs, and projections suggest that figure may exceed 49,000 before the year ends.

Sign up for the SOC Prime Platform to tap into a global active threats feed, featuring actionable threat intelligence and expertly curated detection content designed to help you identify and respond to real-world attacks, including exploitation attempts for the latest CitrixBleed 2 bug.

Specifically, the Platform provides a dedicated rule by the SOC Prime Team that helps identify exploitation of CVE-2025-5777 (also known as CitrixBleed 2), which involves memory leakage in responses that could lead to the compromise of session tokens and other sensitive data.

Possible CitrixBleed 2 Exploitation Attempt [CVE-2025-5777]

The rule is compatible with 16 SIEM, EDR, and Data Lake Platforms and aligned with the MITRE ATT&CK framework. It addresses Initial Access tactics, with the primary technique being the Exploitation of Public-Facing Applications (T1190). Additionally, each rule within the SOC Prime Platform is enriched with CTI links, attack timelines, audit configurations, and other relevant metadata.

To track the new detection content items detecting CitrixBleed 2 exploits, security professionals might use a corresponding CVE-2025-5777 tag to browse Threat Detection Marketplace or simply press the Explore Detections button below.

Explore Detections

For those interested in exploring the full set of rules and queries related to vulnerability exploitation, our extensive library of Sigma rules is available for browsing with a dedicated CVE tag.

Security engineers can also leverage Uncoder AI—a private, non-agentic AI purpose-built for threat-informed detection engineering. With Uncoder, defenders can automatically convert IOCs into actionable hunting queries, craft detection rules from raw threat reports, enable ATT&CK tags prediction, leverage AI-driven query optimization, and translate detection content across multiple platforms.

CVE-2025-5777 Analysis

Expanding the roster of critical Citrix NetScaler zero-days, a new critical vulnerability, CVE-2025-5777, dubbed “CitrixBleed 2” due to its resemblance to CVE-2023-4966 (aka CitrixBleed), has caught the attention of researchers. The nefarious CVE-2023-4966 flaw remained under active exploitation in the wild, even after a patch was released in October 2023.

CVE-2025-5777, which carries a CVSS score of 9.3, stems from insufficient input validation leading to a memory overread. Similar to its predecessor, CitrixBleed 2 exploits out-of-bounds memory reads to extract authentication data, specifically session tokens, directly from memory. These stolen tokens can be used to bypass MFA and hijack active user sessions, enabling unauthorized access to critical systems. Still, for the vulnerability to be successfully exploited, the appliance must be set up as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.

While both flaws enable authentication bypass and session takeover, CitrixBleed 2 shifts focus from session cookies to session tokens. Unlike cookies, which are generally tied to browser-based sessions, tokens often support persistent authentication mechanisms, like API interactions or long-lived application sessions. As a result, attackers may gain prolonged, stealthy access to multiple systems, even after a user closes their browser or ends their session.

Although it was initially claimed that CVE-2025-5777 impacted the management interface, that statement was later removed from the NIST CVE database. Nonetheless, ReliaQuest researchers observed signs suggesting exploitation in the wild, including session hijacking, use of IPs tied to consumer VPNs, and tools indicative of AD reconnaissance.

The flaw impacts the following supported versions of NetScaler ADC and Gateway: 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS/NDcPP before 13.1-37.235, and 12.1-FIPS before 12.1-55.328. Versions 12.1 and 13.0 are End-of-Life and remain vulnerable. Citrix urges customers to upgrade to supported fixed versions as a prompt CVE-2025-5777 mitigation measure. Additionally, the vendor recommends executing specific commands to terminate all active ICA and PCoIP sessions once all NetScaler appliances in a high-availability pair or cluster have been updated. This action ensures that any potentially compromised sessions initiated before the patch are forcibly closed, minimizing the risk of post-exploitation activity.
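As an added example (not code from SOC Prime or Citrix), the following Python helper checks NetScaler build strings against the fixed builds listed above and ranks unpatched appliances, putting those configured as a Gateway or AAA virtual server first since that configuration is the stated precondition for exploitation. The "train-build" string form (e.g. "14.1-43.56"), the FIPS/NDcPP variant label, and the hostnames in the sample inventory are assumptions constructed for the demo.

```python
import re
# Fixed builds per release train, as listed in the advisory text summarized on
# this page. Key: (train, variant); variant is "" for standard builds.
FIXED_BUILDS = {
    ("14.1", ""): "14.1-43.56",
    ("13.1", ""): "13.1-58.32",
    ("13.1", "FIPS"): "13.1-37.235",
    ("13.1", "NDcPP"): "13.1-37.235",
    ("12.1", "FIPS"): "12.1-55.328",
}
# End-of-Life trains: no fixed build exists, every build remains vulnerable.
EOL_TRAINS = {"12.1", "13.0"}

def parse_build(version: str) -> tuple[str, tuple[int, int]]:
    """Split a build string like '14.1-43.56' into ('14.1', (43, 56))."""
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version: str, variant: str = "") -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one appliance build."""
    train, build = parse_build(version)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        # Standard 12.1 and 13.0 have no fixed build at all.
        return "eol" if train in EOL_TRAINS else "unknown"
    _, fixed_build = parse_build(fixed)
    return "fixed" if build >= fixed_build else "vulnerable"

def triage(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Rank unpatched appliances as (priority, host, status), exposed ones first.
    'gateway_or_aaa' is True when a Gateway or AAA vserver is configured, which
    the page notes is a precondition for exploitation."""
    ranked = []
    for box in inventory:
        status = assess(box["version"], box.get("variant", ""))
        if status == "fixed":
            continue
        prio = "high" if box["gateway_or_aaa"] else "medium"
        ranked.append((prio, box["host"], status))
    return sorted(ranked, key=lambda r: (r[0] != "high", r[1]))

# Constructed sample inventory; hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    {"host": "ns-vpn-01", "version": "14.1-43.50", "gateway_or_aaa": True},
    {"host": "ns-lb-02", "version": "13.1-58.32", "gateway_or_aaa": False},
    {"host": "ns-fips-03", "version": "13.1-37.200", "variant": "FIPS", "gateway_or_aaa": True},
    {"host": "ns-old-04", "version": "13.0-92.21", "gateway_or_aaa": False},
]
```

Feed `triage()` an inventory exported from your configuration management system; anything it returns with status "eol" needs a migration to a supported train rather than a point upgrade.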

With over 69,000 NetScaler Gateway and ADC instances currently exposed online, exploitation risks are rising. However, it remains unclear how many of these are operating on vulnerable software versions. While some vendors have yet to confirm exploitation, many in the security community expect active abuse of CitrixBleed 2 soon. To proactively detect potential vulnerability exploitation attempts, security teams can rely on SOC Prime’s complete product suite backed by AI, automation capabilities, and real-time threat intel, while strengthening the organization’s defenses at scale.


The post CVE-2025-5777 Detection: A New Critical Vulnerability Dubbed “CitrixBleed 2” in NetScaler ADC Faces Exploitation Risk appeared first on SOC Prime.