
Citrix’s NetScaler bugs get worse as proof-of-concept exploits released

Security analysts have shown just how dangerous the latest Citrix NetScaler vulnerabilities can be.


Experts have been concerned about two recently disclosed vulnerabilities in Citrix’s NetScaler platform since late last month, and now analysts have released a pair of proof-of-concept exploits that show they are absolutely right to be worried.

Already dubbed CitrixBleed2, after a bug that was widely exploited by cyber criminals in 2023, CVE-2025-5349 and CVE-2025-5777 were reported on 17 June. A week later, the Australian Cyber Security Centre (ACSC) released an “act now” alert regarding the vulnerabilities, and there is already evidence that the bugs are being actively exploited.

Now, both watchTowr and Horizon3 have released working proof of how CVE-2025-5777 can be actively exploited.

 
 

By simply sending a properly formatted login request, a malicious actor can slowly “bleed” whatever is in the appliance’s memory stack. As watchTowr noted in a 4 July blog post, you can repeat the process enough times that “eventually, you might land on something valuable”.

“Since this is a memory leak and inherently non-deterministic, there’s always a chance that running the tool for a longer period might eventually surface something more valuable,” it said.

While watchTowr’s experiments proved the memory leak was real, they did not leak anything valuable. However, Horizon3’s research did exactly that, using the same technique to extract user session tokens from a NetScaler appliance’s memory.

“In terms of post-exploitation activities, we assume similar actions from the original CitrixBleed may be taken,” Horizon3 said in a 7 July blog post.

“These actions include adding backdoor accounts, dumping and modifying the running config with persistence mechanisms, and installing remote access utilities.”

Fixes for both CVE-2025-5349 and CVE-2025-5777 are available now, and it’s highly recommended that all network operators update their devices immediately.

“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” Citrix said. These versions are:

  • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases.
  • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1.
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP.
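For operators checking a fleet against the fixed builds listed above, the following is an added example and not code from Citrix or from the researchers quoted here. It assumes build strings in the `release-build` form used in the list, and the edition labels and inventory entries are constructed for illustration.

```python
import re

# Minimum fixed builds from the list above: (release, edition) -> (major, minor).
FIXED = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),   # 13.1-FIPS
    ("13.1", "ndcpp"): (37, 236),  # 13.1-NDcPP
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def check_build(version, edition="standard"):
    """Classify a 'release-build' string as 'fixed', 'vulnerable' or 'unlisted'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = m.group(1)
    # Compare build parts as integers: as text, "59.2" would sort after "59.19".
    build = (int(m.group(2)), int(m.group(3)))
    minimum = FIXED.get((release, edition.lower()))
    if minimum is None:
        return "unlisted"  # release line not in the list above; check the vendor advisory
    return "fixed" if build >= minimum else "vulnerable"


def audit(inventory):
    """Map each appliance name to its status."""
    return {name: check_build(ver, ed) for name, ver, ed in inventory}


# Constructed inventory (hypothetical hostnames and builds), not real data.
SAMPLE_INVENTORY = [
    ("gw-syd-01", "14.1-47.46", "standard"),
    ("gw-syd-02", "14.1-43.56", "standard"),
    ("adc-mel-01", "13.1-59.19", "standard"),
    ("adc-mel-02", "13.1-58.32", "standard"),
    ("adc-fips-01", "13.1-37.235", "fips"),
    ("adc-old-01", "13.0-92.31", "standard"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

The edition has to be supplied separately because the same build number can be fixed on the 13.1-FIPS line and still below the fixed build on the standard 13.1 line.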

In addition, Citrix has now disclosed a third critical NetScaler vulnerability, CVE-2025-6543, which was added to the ACSC’s “act now” alert last week. Citrix describes this latest vulnerability as a memory overflow vulnerability that could lead to “unintended control flow and denial of service”.

While Citrix has denied evidence of in-the-wild exploitation of the previous CVEs (a claim which cyber security firm ReliaQuest disagrees with), Citrix has reported in-the-wild exploitation of this newest vulnerability.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
