CyberSecurityBoard
Sponsor Register Login

Critical Citrix Bleed 2 flaw now likely exploited in attacks

"While no public exploitation of CVE-2025-5777, dubbed "Citrix Bleed 2," has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ReliaQuest. A critical NetScaler ADC and Gateway vulnerability dubbed "Citrix Bleed 2" (CVE-2025-5777) is now likely exploited in attacks, according to cybersecurity firm ReliaQuest, seeing an increase in suspicious sessions on Citrix devices. Citrix Bleed 2, named by cybersecurity researcher Kevin Beaumont due to its similarity to the original Citrix Bleed (CVE-2023-4966), is an out-of-bounds memory read vulnerability that allows unauthenticated attackers to access portions of memory that should typically be inaccessible. Citrix's advisor also confirms this risk, warning users to end all ICA and PCoIP sessions after installing security updates to block access to any hijacked sessions. Before killing active sessions, admins should first review them for suspicious activity using the show icaconnection command and  NetScaler Gateway > PCoIP > Connections. The flaw, tracked as CVE-2025-5777, was addressed by Citrix on June 17, 2025, with no reports of active exploitation. The above is consistent with post-exploitation activity following unauthorized Citrix access, reinforcing the assessment that CVE-2025-5777 is being exploited in the wild. This could allow attackers to steal session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers, enabling them to hijack user sessions and bypass multi-factor authentication (MFA).

This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 27 Jun 2025 14:20:13 +0000


Cyber News related to Critical Citrix Bleed 2 flaw now likely exploited in attacks

US Health Dept urges hospitals to patch critical Citrix Bleed bug - The U.S. Department of Health and Human Services warned hospitals this week to patch the critical 'Citrix Bleed' Netscaler vulnerability actively exploited in attacks. Ransomware gangs are already using Citrix Bleed to breach their targets' networks ...
1 year ago Bleepingcomputer.com CVE-2023-4966 LockBit
CVE-2007-2850 - The Session Reliability Service (XTE) in Citrix MetaFrame Presentation Server 3.0, Presentation Server 4.0, and Access Essentials 1.0 and 1.5, allows remote attackers to bypass network security policies and connect to arbitrary TCP ports via a ...
7 years ago
LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed - The Lockbit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability to breach the systems of large organizations, steal data, and encrypt files. Although Citrix made fixes available for CVE-2023-4966 more than a month ...
1 year ago Bleepingcomputer.com CVE-2023-4966 LockBit
Citrix warns admins to kill NetScaler user sessions to block hackers - Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 'Citrix Bleed' vulnerability to secure vulnerable devices against attacks. Besides applying the necessary ...
1 year ago Bleepingcomputer.com CVE-2023-4966 LockBit
HHS warns of 'Citrix Bleed' attacks after hospital outages - The U.S. Department of Health and Human Services is warning hospitals and healthcare facilities across the country to patch a vulnerability known as "Citrix Bleed" that is being used in attacks by ransomware gangs. For weeks, cybersecurity experts ...
1 year ago Therecord.media CVE-2023-4966 LockBit
Critical Citrix Bleed 2 flaw now likely exploited in attacks - "While no public exploitation of CVE-2025-5777, dubbed "Citrix Bleed 2," has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ...
4 hours ago Bleepingcomputer.com CVE-2025-5777
Citrix Bleed 2 flaw now believed to be exploited in attacks - "While no public exploitation of CVE-2025-5777, dubbed "Citrix Bleed 2," has been reported, ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments," warns ...
4 hours ago Bleepingcomputer.com CVE-2025-5777
Hackers use Citrix Bleed flaw in attacks on govt networks worldwide - Threat actors are leveraging the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region. Researchers from Mandiant report that four ...
1 year ago Bleepingcomputer.com CVE-2023-4966 CVE-2023-3966
Citrix Bleed exploit lets hackers hijack NetScaler accounts - A proof-of-concept exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. ...
1 year ago Bleepingcomputer.com CVE-2023-4966
US Health Dept Urges Hospitals to Patch Critical 'Citrix Bleed' Vulnerability - This week, the US Department of Health and Human Services has warned hospitals of the critical 'Citrix Bleed' Netscaler vulnerability that has been exploited by threat actors in cyberattacks. On Thursday, the department's security team, Health Sector ...
1 year ago Cysecurity.news CVE-2023-4966
Two more Citrix NetScaler bugs exploited in the wild The Register - Two vulnerabilities in NetScaler's ADC and Gateway products have been fixed - but not before criminals found and exploited them, according to the vendor. CVE-2023-6548 could allow remote code execution in the appliances' management interface. It ...
1 year ago Go.theregister.com CVE-2023-6548 CVE-2023-6549
AHA, Federals Urge Healthcare Ogranizations to Minimize Citrix Bleed Vulnerability - The alert from the Department of Health and Human Services Health Sector Cybersecurity Coordination Center on Nov. 30 and the AHA warning on Friday come amid an outbreak of ransomware attacks alleged to involve Citrix Bleed exploitation that has hit ...
1 year ago Cysecurity.news
Critical Apache Log4j2 flaw still threatens global finance - Critical Apache Log4j2 flaw still threatens global finance. CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog. CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise ...
1 year ago Securityaffairs.com CVE-2022-38028 CVE-2023-49103 CVE-2023-20198 CVE-2023-40044 APT28 Rocke
Critical unauthenticated RCE flaw in OpenSSH server - MUST READ. Critical unauthenticated remote code execution flaw in OpenSSH server. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities ...
11 months ago Securityaffairs.com CVE-2024-29849 CVE-2023-49103 CVE-2023-20198 CVE-2023-38831 Rocke
Juniper Networks fixed a critical authentication bypass flaw in some of its routers - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog. Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 ...
11 months ago Securityaffairs.com CVE-2024-0769 CVE-2022-38028 CVE-2024-0204 CVE-2023-49103 CVE-2023-38831 CVE-2023-40044 APT28 Rocke
Toyota confirms breach after Medusa ransomware threatens to leak data - Toyota Financial Services has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. Toyota Financial Services, a subsidiary of Toyota Motor Corporation, is ...
1 year ago Bleepingcomputer.com LockBit Rhysida Medusa
High-severity flaw affects Cisco Firepower Management Center - CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Hackers ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2024-23897 CVE-2024-0204 CVE-2023-20198 CVE-2023-38831 Rocke
High-severity flaw affects Cisco Firepower Management Center - CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog. CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. Hackers ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2024-23897 CVE-2024-0204 CVE-2023-20198 CVE-2023-38831 Rocke
New MOVEit Transfer critical bug is actively exploited - MUST READ. New MOVEit Transfer critical bug is actively exploited. CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog. Critical Fortinet's FortiClient EMS flaw actively exploited in the wild. PoC ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-22515 CVE-2023-40044 CVE-2023-20109 Rocke
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
#StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability - These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware. Historically, LockBit 3.0 affiliates have conducted attacks ...
1 year ago Cisa.gov LockBit
Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately - Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability. The company patched this critical sensitive information disclosure flaw two weeks ago, ...
1 year ago Bleepingcomputer.com CVE-2023-4966 Rocke
newsletter Round 474 by Pierluigi Paganini - Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days. Microsoft fixed two zero-day bugs exploited in malware attacks. HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks. Critical Fortinet's ...
1 year ago Securityaffairs.com CVE-2020-3259 CVE-2023-49103 CVE-2023-22515 APT28 APT29 BianLian
Cactus ransomware exploiting Qlik Sense flaws to breach networks - Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. Qlik Sense supports multiple data sources and allows users to create custom data reports or ...
1 year ago Bleepingcomputer.com CVE-2023-41266 CVE-2023-41265 CVE-2023-48365 LockBit Cactus
CISA pushes federal agencies to patch Citrix RCE within a week - Today, CISA ordered U.S. federal agencies to secure their systems against three recently patched Citrix NetScaler and Google Chrome zero-days actively exploited in attacks, pushing for a Citrix RCE bug to be patched within a week. Citrix urged ...
1 year ago Bleepingcomputer.com CVE-2023-6548 CVE-2023-6549 CVE-2024-0519

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)