Citrix Bleed 2 exploited weeks before PoCs as Citrix denied attacks

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/

ONE SENTENCE SUMMARY:

Citrix’s critical vulnerability “CitrixBleed 2” was exploited before public PoC release, prompting patch urgency and revealing transparency issues.

MAIN POINTS:

  1. CVE-2025-5777, known as CitrixBleed 2, was exploited early, even though Citrix initially claimed it had no evidence of attacks.
  2. GreyNoise detected attacks originating from China beginning June 23, 2025, before any PoC was released.
  3. Exploitation allowed attackers to extract sensitive data by manipulating login parameters.
  4. Citrix was slow to acknowledge active exploitation and did not update its advisories in a timely manner.
  5. Security researcher Kevin Beaumont identified indicators of exploitation attempts in logs.
  6. The session-termination steps Citrix advised, if applied incompletely, may not fully prevent exploitation.
  7. Over 120 companies had been compromised through the vulnerability as of June 2025.
  8. Imperva reported 11.5 million exploitation attempts, with heavy targeting of the financial sector.
  9. Citrix urged immediate patching of affected NetScaler versions for security.
  10. No mitigations exist beyond patching; outdated versions must be upgraded.

TAKEAWAYS:

  1. Immediate patching is essential to protect systems against CVE-2025-5777.
  2. Citrix’s advisory and communication processes need improvement for better transparency.
  3. Monitoring for specific log indicators can help identify exploitation attempts early.
  4. Organizations must address all session types for complete security.
  5. Financial and other critical sectors need heightened vigilance due to targeted attacks.