Critical buffer overread vulnerability
FortiGuard Labs has observed a sharp increase in exploitation attempts targeting the 'Citrix Bleed 2' vulnerability since July 28, 2025. Telemetry indicates activity has surged to over 6,000 detections across IPS sensors globally. The majority of observed attacks are concentrated in the United States, Australia, Germany, and the United Kingdom, with adversaries primarily focusing on high-value sectors such as technology, banking, healthcare, and education.
Background
The vulnerability is named after the infamous Citrix Bleed attack (CVE-2023-4966), first reported around October 2023 and widely exploited by multiple threat actors, including ransomware groups. The original flaw also affected Citrix NetScaler ADC and Gateway appliances.
CVE-2025-5777 is a critical buffer overread vulnerability, dubbed 'Citrix Bleed 2', affecting Citrix NetScaler ADC and NetScaler Gateway. The flaw stems from insufficient input validation and allows an unauthenticated remote attacker to retrieve portions of the appliance's memory. Exploiting this issue could expose sensitive data held in memory, including credentials, session tokens, or other confidential information.
CVE-2025-6543 is a memory overflow vulnerability that leads to unintended control flow and denial of service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Citrix reports that exploitation of CVE-2025-6543 against unmitigated appliances has been observed.
CVE-2025-5349 is an improper access control vulnerability in the NetScaler Management Interface.
Latest Development
Organizations using Citrix NetScaler ADC and NetScaler Gateway appliances are strongly recommended to review the official Citrix security bulletins, apply all relevant patches and updates as soon as possible, and monitor for any suspicious activity.
- August 11, 2025: Shadowserver Foundation reported that 3,312 Citrix NetScaler appliances were still vulnerable to ongoing CVE-2025-5777 attacks. https://bsky.app/profile/shadowserver.bsky.social/post/3lw6z7psrbs2u
- July 10, 2025: The CVE-2025-5777 vulnerability was added to CISA's Known Exploited Vulnerabilities catalog, based on exploitation in the wild.
- June 26, 2025: FortiGuard Threat Signal Report was published. https://www.fortiguard.com/threat-signal-report/6134/citrix-netscaler-adc-and-netscaler-gateway-vulnerabilities
- June 17, 2025: NetScaler ADC and NetScaler Gateway Security Bulletin published by Citrix. https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
FortiGuard Cybersecurity Framework
Mitigate security threats and vulnerabilities by leveraging the range of FortiGuard Services.
- IPS
- Web App Security
- IOC
- Outbreak Detection
- Threat Hunting
- Automated Response
- Assisted Response Services
- NOC/SOC Training
- End-User Training
- Attack Surface Monitoring (Inside & Outside)
- Attack Surface Hardening