CitrixBleed 2: Critical NetScaler Vulnerability Enables Session Hijacking and MFA Bypass

A new critical vulnerability in Citrix NetScaler ADC and Gateway systems, dubbed CitrixBleed 2 (CVE-2025-5777), has emerged as a serious threat to remote access infrastructure. This memory exposure flaw allows unauthenticated attackers to extract session tokens directly from device memory — enabling session hijacking and even bypassing multi-factor authentication (MFA). With early evidence of exploitation in the wild and eerie similarities to the original CitrixBleed (CVE-2023-4966), the risk to enterprise environments is substantial.

The vulnerability is caused by insufficient input validation, leading to out-of-bounds memory reads when NetScaler is configured as a Gateway or AAA virtual server. Once session tokens are exfiltrated, attackers can impersonate legitimate users and gain persistent access — often without triggering alerts or violating login controls. Cybersecurity researchers, including ReliaQuest, assess with medium confidence that active exploitation is underway.

This episode breaks down the mechanics of CitrixBleed 2 and explores how it fits into the broader landscape of session hijacking threats and identity-centric attacks. Topics include:

• How CVE-2025-5777 enables unauthorized access via session token exposure
• Technical comparisons with the original CitrixBleed vulnerability
• Session hijacking techniques at both network and application levels, including TCP desynchronization and token theft
• The second NetScaler vulnerability disclosed (CVE-2025-6543) and its denial-of-service impact
• Mitigation steps, including patching to versions 14.1-43.56, 13.1-58.32, or 13.1-37.235
• Defense-in-depth recommendations, including phishing-resistant MFA, endpoint detection and response (EDR), and token revocation protocols
• Incident and vulnerability response strategies aligned with CISA playbooks

CitrixBleed 2 is more than a software bug — it’s a gateway for attackers to silently bypass identity safeguards and establish footholds in enterprise networks. Rapid patching is essential, but long-term protection depends on layered controls, resilient MFA design, and disciplined incident response planning.