CyberSecurityBoard
Sponsor Register Login

"CitrixBleed 2" Vulnerability PoC Released - Warns of Potential Widespread Exploitation

A new critical vulnerability in Citrix NetScaler devices has security experts warning of potential widespread exploitation, drawing alarming parallels to the devastating “CitrixBleed” attacks that plagued organizations in 2023. The vulnerability, tracked as CVE-2025-5777 and dubbed “CitrixBleed 2,” allows attackers to steal sensitive information directly from device memory, potentially bypassing multi-factor authentication and hijacking user sessions. By sending a malformed HTTP request to the Citrix Gateway login endpoint without proper parameter values, attackers can trigger a memory leak that exposes uninitialized variables containing sensitive data from the device’s memory. The vulnerability analysis disclosed by watchTower Labs researchers shows that the memory leak vulnerability affects NetScaler ADC and NetScaler Gateway devices configured as remote access gateways. Despite Citrix’s initial claims of no active exploitation, cybersecurity firm ReliaQuest reported that they have observed “medium confidence” indicators suggesting the vulnerability is already being exploited in targeted attacks. Given the severe impact of the original CitrixBleed attacks, which continued to be exploited for months after patches were available, security experts emphasize that organizations cannot afford to delay patching efforts. “The backend parser ends up handing us back an uninitialized local variable” containing whatever data was previously stored in memory, potentially including session tokens and other sensitive information. Critical flaw in Citrix NetScaler devices echoes infamous 2023 security breach that crippled major organizations worldwide. The original CitrixBleed vulnerability (CVE-2023-4966) was extensively exploited by ransomware groups and nation-state actors, leading to high-profile breaches including attacks on Boeing and Comcast’s Xfinity service that affected 36 million customers. Security researcher Kevin Beaumont, who coined the “CitrixBleed 2” moniker, noted that over 50,000 potentially vulnerable NetScaler instances are exposed to the internet based on Shodan searches. With a critical CVSS severity score of 9.3, the vulnerability stems from insufficient input validation that leads to memory overread when processing authentication requests. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis.

This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 05 Jul 2025 13:40:10 +0000


Cyber News related to "CitrixBleed 2" Vulnerability PoC Released - Warns of Potential Widespread Exploitation

CVE-2018-0688 - Open redirect vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September 4, ...
6 years ago
CVE-2018-0689 - HTTP header injection vulnerability in SEIKO EPSON printers and scanners (DS-570W firmware versions released prior to 2018 March 13, DS-780N firmware versions released prior to 2018 March 13, EP-10VA firmware versions released prior to 2017 September ...
6 years ago
Ukraine-Russia Cyber Battles Have Real-World Impact - "The evolution of cyberattacks and malware, particularly those that have an intersection with the use of generative AI, have lowered the barrier for entry for threat actors, leading to more threats and a greater volume of attacks," he says. ...
9 months ago Darkreading.com
"CitrixBleed 2" Vulnerability PoC Released - Warns of Potential Widespread Exploitation - A new critical vulnerability in Citrix NetScaler devices has security experts warning of potential widespread exploitation, drawing alarming parallels to the devastating “CitrixBleed” attacks that plagued organizations in 2023. The ...
2 days ago Cybersecuritynews.com CVE-2025-5777
Unix Printing Vulnerabilities Enable Easy DDoS Attacks - "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a ...
9 months ago Darkreading.com CVE-2024-47176 CVE-2024-47076 CVE-2024-47175 CVE-2024-47177
How to perform a proof of concept for automated discovery using Amazon Macie | AWS Security Blog - After reviewing the managed data identifiers provided by Macie and creating the custom data identifiers needed for your POC, it’s time to stage data sets that will help demonstrate the capabilities of these identifiers and better understand how ...
9 months ago Aws.amazon.com
Overtaxed State CISOs Struggle with Budgeting, Staffing - Though the number of scarily understaffed offices has dropped — just two respondents reported having one to five full-time employees, down from six in 2022 — more than half of state CISOs report that their staff lack the competencies necessary to ...
9 months ago Darkreading.com
Experts released PoC exploit code for RCE in Fortinet SIEM - Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw. Crowdfense is offering a larger 30M USD exploit acquisition program. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. PoC ...
1 year ago Securityaffairs.com CVE-2022-38028 CVE-2024-23897 CVE-2024-0204 CVE-2023-46747 CVE-2023-46748 CVE-2023-20198 CVE-2023-34039 CVE-2023-38035 APT28 Black Basta
Attackers Targeting Recruiters With More_Eggs Backdoor - FIN6 has been known in the past to pose as recruitment officers to target job seekers, but it appears to be "moving from posing as fake recruiters to now masquerading as fake job applicants" in a shift in tactics, Trend Micro researchers ...
9 months ago Darkreading.com FIN6
CVE-2025-27636 - Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to ...
2 weeks ago CVE-2025-29891
Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally - Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. Sandworm has targeted ...
4 months ago Darkreading.com CVE-2023-48788 CVE-2024-1709
DPRK's APT37 Targets Cambodia in Khmer - The North Korean state-sponsored threat actor known as APT37 has been carefully spreading a novel backdoor, dubbed "VeilShell." Of note is its target: Most North Korean advanced persistent threats (APTs) have a history of targeting ...
9 months ago Darkreading.com APT3 APT37
How This Security Firm's 'Bias' Is Also Its Superpower - "We are helping our clients simplify their strategies and align them to their actual business objectives so that they have a much easier and more efficient approach to developing not just minimum viable security for whatever their product is, ...
4 months ago Darkreading.com Equation
Xfinity Customer Data Compromised in Attack Exploiting CitrixBleed Vulnerability - Comcast's Xfinity is informing customers that their information has been compromised in a cyberattack that involved exploitation of the vulnerability known as CitrixBleed. CitrixBleed, officially tracked as CVE-2023-4966, is a critical vulnerability ...
1 year ago Securityweek.com CVE-2023-4966
Xfinity Customer Data Compromised in Attack Exploiting CitrixBleed Vulnerability - Comcast's Xfinity is informing customers that their information has been compromised in a cyberattack that involved exploitation of the vulnerability known as CitrixBleed. CitrixBleed, officially tracked as CVE-2023-4966, is a critical vulnerability ...
1 year ago Packetstormsecurity.com CVE-2023-4966
CVE-2023-26031 - Relative library resolution in linux container-executor binary in Apache Hadoop 3.3.1-3.3.4 on Linux allows local user to gain root privileges. If the YARN cluster is accepting work from remote (authenticated) users, this MAY permit remote users to ...
55 years ago Tenable.com
Australian Infrastructure Faces 'Acute' Foreign Threats - "Cyber units from at least one nation state routinely try to explore and exploit Australia’s critical infrastructure networks, almost certainly mapping systems so they can lay down malware or maintain access in the future," Burgess said. ...
4 months ago Darkreading.com
CVE-2015-8311 - On 2015-09-14, Marcello Duarte disclosed a vulnerability in FreeSWITCH on the Bugtraq mail list. This was assigned CVE-2015-7392 which reads: Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before ...
55 years ago Tenable.com
Calif. Gov. Vetoes AI Safety Bill Aimed at Big Tech Players - "Moreover, the latest independent academic research concludes, large language models like ChatGPT cannot learn independently or acquire new skills, meaning they pose no existential threat to humanity." The coalition also took issue with the ...
9 months ago Darkreading.com
Dragos Expands ICS Platform with New Acquisition - "We grew pretty fast to become the de facto solution in the electric industry as the OT network visibility and segmentation analysis solution, which is extremely important in the case of compliance for the regulation in this industry," ...
9 months ago Darkreading.com
Open Source AI Models: Big Risks for Malicious Code, Vulns - Companies pursing internal AI development using models from Hugging Face and other open source repositories need to focus on supply chain security and checking for vulnerabilities. While the attacks appeared to be proofs-of-concept, their success in ...
4 months ago Darkreading.com
CVE-2012-45971 - 1) McAfee Email and Web Security and Email Gateway contains a flaw related to the /admin/cgi-bin/localadmin script. The issue is due to the script calling the SCMAdmin::AuthManagement::localLogin() function when $ENV{WS_SOURCE_IP} is 127.0.0.1. ...
55 years ago Tenable.com
New Variant of macOS Threat XCSSET Spotted in the Wild - To avoid downloading Xcode projects infected with XCSSET, Microsoft recommends that developers and users "always inspect and verify any Xcode projects downloaded or cloned from repositories" that potentially will spread the malware. ...
4 months ago Darkreading.com
DrayTek Routers at Risk From 14 New Vulnerabilities - The advice comes amid signs of growing threat actor activity — including by nation-state actors — targeting vulnerabilities in routers and other network devices from DrayTek and a variety of other vendors, including Fortinet, F5, QNAP, Ivanti, ...
9 months ago Darkreading.com CVE-2024-41592 CVE-2024-41585 CVE-2021-20123 CVE-2021-20124
Manufacturers Rank as Ransomware's Biggest Target - When one operation or company in the chain gets attacked, it can lead to a domino effect and "cascading operational disruption and financial and reputational damage." In short — when threat actors target both manufacturing and supply ...
9 months ago Darkreading.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)