New ‘CitrixBleed 2’ NetScaler flaw let hackers hijack sessions

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/

ONE SENTENCE SUMMARY:

Citrix warns of critical “CitrixBleed 2” vulnerabilities affecting NetScaler ADC and Gateway devices, potentially exposing sensitive user data.

MAIN POINTS:

1. Citrix disclosed vulnerabilities CVE-2025-5777 and CVE-2025-5349 affecting NetScaler ADC and Gateway devices.
2. CVE-2025-5777 is an out-of-bounds memory read allowing unauthenticated attackers memory access.
3. Vulnerable configurations include Gateway setups like VPN virtual servers, ICA Proxy, CVPN, and AAA servers.
4. Cybersecurity researcher named flaw “CitrixBleed 2” due to similarities with older CitrixBleed vulnerability.
5. Attackers exploiting CVE-2025-5777 could hijack sessions, bypass MFA, and access sensitive credentials.
6. CVE-2025-5349 involves improper access control in NetScaler Management Interface through various IPs.
7. Citrix recommends updating to safe versions: 14.1-43.56, 13.1-58.32, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS).
8. Admins should terminate all active ICA and PCoIP sessions after installing patches.
9. End-of-life versions ADC/Gateway 12.1 (non-FIPS) and ADC/Gateway 13.0 will not receive patches.
10. Over 56,500 publicly exposed NetScaler endpoints exist, unclear how many remain vulnerable.

TAKEAWAYS:

1. Immediately update NetScaler ADC and Gateway devices to mitigate “CitrixBleed 2” vulnerabilities.
2. Regularly monitor and terminate suspicious ICA and PCoIP sessions post-update.
3. Replace unsupported end-of-life versions promptly to maintain security posture.
4. Assess publicly exposed NetScaler endpoints to prioritize patching vulnerable systems.
5. Leverage automation to simplify and accelerate patch management processes.