(TLP:CLEAR) Active Exploitation of CitrixBleed 2 (CVE-2025-5777), Check for Compromise Even if You’ve Patched
Created: Thursday, July 10, 2025 - 14:57
Categories: Cybersecurity, Security Preparedness
Summary: Due to several security research companies’ findings of active exploitation of a high-severity vulnerability in Citrix devices affecting NetScaler ADC and Gateway (CVE-2025-5777) dubbed CitrixBleed 2, members are encouraged to check for probing or compromise of these devices. While Citrix has officially stated they have no evidence of in-the-wild exploitation, watchtower, Horizon3.ai, and ReliaQuest researchers have all shared insights into this vulnerability and evidence suggesting active exploitation.
Analyst Note: Given the criticality of CVE-2025-5777, readily available exploit code, and the ubiquity of Citrix NetScaler ADC and Gateway devices, WaterISAC is sharing this information to increase situational awareness and encourage members to patch vulnerable systems immediately and to check for probing or compromise even if you’ve already patched.
Affected Versions:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS
Original Source: https://www.helpnetsecurity.com/2025/07/08/cve-2025-5777-indicators-of-compromise/
Additional Reading:
- How Much More Must We Bleed? – Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
- CVE-2025-5777: CitrixBleed 2 Write-Up… Maybe?
- Threat Spotlight: CVE-2025-5777: Citrix Bleed 2 Opens Old Wounds
Mitigation Recommendations:
Related WaterISAC PIRs: 6, 8, 10, 12