In this episode, we dissect CitrixBleed 2—a newly disclosed and actively exploited vulnerability affecting Citrix NetScaler ADC and Gateway appliances. Tracked as CVE-2025-5777 (and possibly also CVE-2025-6543), this critical flaw mirrors the notorious original CitrixBleed by allowing attackers to extract sensitive memory content, including user session tokens, through crafted POST login requests.
Despite Citrix’s claims that there’s no active exploitation, threat intelligence reports from security researchers and government agencies like CISA tell a different story: public proof-of-concept exploits are circulating, and attacks have been observed as early as mid-June. The vulnerability stems from a format string misuse involving the snprintf function, allowing memory leakage in small byte increments—enough for determined attackers to reconstruct sensitive data, hijack authenticated sessions, and potentially access administrative utilities.
We cover everything from the technical mechanics of the vulnerability to the strategic mitigation steps enterprises must take. Affected systems include NetScaler MPX, VPX, SDX, and NetScaler Gateway, making the scope of risk widespread, especially in large-scale remote access and cloud deployments.
In this episode, we unpack:
This episode delivers a clear message: Patch now, monitor aggressively, and revisit your NetScaler hardening strategy. With public exploits in circulation and attackers harvesting session tokens, this vulnerability represents a pressing concern for enterprises relying on Citrix infrastructure.
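One concrete way to "monitor aggressively" for the request pattern described above: because the leak returns memory in small increments, an attacker has to send many POST login requests in a short time, so a burst of such requests from one source is a useful alert signal. The script below is an added example, not code from the episode or from Citrix; the `/login` path and the common-log-style line format are placeholders, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: replace with your appliance's actual authentication endpoint.
LOGIN_PATH = "/login"

# Common-log-style line: src - - [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status")),
            "size": int(m.group("size"))}

def login_burst_sources(lines, window=timedelta(seconds=60), threshold=20):
    """Return {source: peak_count} for sources that sent >= threshold POST
    requests to LOGIN_PATH inside any sliding window of the given length."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            hits[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, stamps in hits.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

# Constructed sample log: one noisy source, one normal user.
SAMPLE_LOG = [
    f'203.0.113.5 - - [25/Jun/2025:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 200 {500 + i}'
    for i in range(25)
] + [
    f'198.51.100.7 - - [25/Jun/2025:10:0{i}:00 +0000] "POST /login HTTP/1.1" 200 512'
    for i in range(3)
] + ['198.51.100.7 - - [25/Jun/2025:10:04:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048']

if __name__ == "__main__":
    print(login_burst_sources(SAMPLE_LOG))
```

Tune `window` and `threshold` to your baseline login rate; a burst well above normal from a single source is worth correlating with session activity for that source.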