Splunk Details on How to Detect, Mitigate and Respond to CitrixBleed 2 Attack

CitrixBleed 2 (CVE-2025-5777) erupted in 2025 when researchers uncovered an out-of-bounds read in Citrix NetScaler ADC and Gateway that lets an unauthenticated request siphon memory straight from the appliance. The flaw is triggered by a malformed POST to /p/u/doAuthentication.do: the parser mis-handles the login parameter, and the response leaks session cookies, MFA tokens and even plaintext passwords to anyone who asks, with no exploit chain required. The attack flow runs from that single-packet trigger straight to session hijack, underscoring how little attacker effort is needed.

GreyNoise telemetry shows scanning began on 1 July, nine days before Citrix published full technical guidance, and Censys counts roughly 70,000 NetScaler instances reachable on the public Internet, a stark reminder of the attack surface at stake. By 10 July CISA had added the bug to its Known Exploited Vulnerabilities catalog, confirming that opportunistic ransomware crews and state actors had already weaponized it in the wild, and gave federal agencies a single day to upgrade to 14.1-43.56 or 13.1-58.32. Yet even rapid responders face forensic challenges, because leaked memory can reveal administrator tokens for the entire appliance.

Against this backdrop, Splunk's Threat Research Team has published an analytic story and an accompanying Technical Add-on that parse NetScaler audit logs, enrich them with CIM fields, and surface exploitation attempts in real time. The detection hinges on spotting the malformed POST as well as any NetScaler response containing non-printable bytes sandwiched between XML tags. Splunk analysts noted a sharp uptick in suspicious responses of roughly 200 bytes containing binary junk and XML tags that match the leak pattern, often followed within minutes by successful VPN logins from unexpected geolocations.

When hits appear, responders must first upgrade the appliance and then purge every live session, because sessions stolen before the upgrade remain valid until they are killed. Citrix's advisory lists kill icaconnection -all and kill pcoipConnection -all for ICA and PCoIP sessions, and AAA authentication sessions can be cleared with kill aaa session -all. Only after that should credentials be rotated and the logs combed for lateral-movement artifacts.

Tushar, Cyber Security News
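The detection and correlation described above, as an added example written for this page (it is not Splunk's analytic story, the Technical Add-on, or Citrix code). It runs three checks over constructed sample data: the malformed doAuthentication.do POST with a bare `login` field, XML elements in the response whose text contains non-printable bytes, and a Gateway login shortly afterwards from a source not in the user's baseline. The HTTP records are assumed to come from a front-end capture (WAF, reverse proxy or packet capture), since NetScaler audit logs do not carry request or response bodies; the `SSLVPN LOGIN` line format is an approximation of the NetScaler syslog layout; and the per-user IP `BASELINE` stands in for the geolocation lookup (in Splunk, `iplocation` on the client IP field would play that role). All names and sample lines are constructed.

```python
"""CitrixBleed 2 (CVE-2025-5777) detection logic over constructed samples.

Added example, not Splunk's or Citrix's code. Checks: (1) the malformed login
POST, (2) non-printable bytes echoed inside XML elements of the response,
(3) a VPN login from an unfamiliar source shortly after either hit.
"""
import re
from datetime import datetime, timedelta

TARGET_PATH = "/p/u/doAuthentication.do"
TS_FMT = "%m/%d/%Y:%H:%M:%S"


def is_malformed_login_post(method: str, path: str, body: str) -> bool:
    """The CVE-2025-5777 trigger: a POST to doAuthentication.do whose
    form body carries a bare `login` field with no '=' and so no value."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return False
    return any(field == "login" for field in body.split("&"))


# Matches <Name>text</Name>; leaked memory shows up as junk bytes in `text`.
XML_TEXT = re.compile(rb"<([A-Za-z_][\w.-]*)>([^<]*)</\1>")


def leaked_elements(response_body: bytes) -> list:
    """(element name, text) for every XML element whose text holds bytes
    outside printable ASCII, i.e. uninitialised memory reflected back."""
    hits = []
    for name, text in XML_TEXT.findall(response_body):
        if any(b >= 0x7F or (b < 0x20 and b not in b"\t\r\n") for b in text):
            hits.append((name.decode(), text))
    return hits


# Assumed approximation of the NetScaler syslog line for a Gateway login.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*? SSLVPN LOGIN .*?"
    r"User (?P<user>\S+) - Client_ip (?P<ip>[\d.]+)")


def correlate(http_records, audit_lines, baseline, window=timedelta(minutes=10)):
    """Pair each exploitation hit in the HTTP capture with any later SSLVPN
    LOGIN inside `window` whose source IP is not in that user's baseline.
    `baseline` (user -> known source IPs) stands in for a geo lookup."""
    attempts = [
        (datetime.strptime(r["ts"], TS_FMT), r["src"])
        for r in http_records
        if is_malformed_login_post(r["method"], r["path"], r["body"])
        or leaked_elements(r["resp"])
    ]
    alerts = []
    for line in audit_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], TS_FMT)
        if m["ip"] in baseline.get(m["user"], set()):
            continue  # familiar source for this user, not suspicious
        for at, src in attempts:
            if at <= t <= at + window:
                alerts.append({"user": m["user"], "login_ip": m["ip"],
                               "probe_ip": src,
                               "delay_s": int((t - at).total_seconds())})
    return alerts


# --- constructed sample data (not real traffic) ----------------------------
HTTP_RECORDS = [
    # benign login attempt: `login` carries a value
    {"ts": "07/08/2025:10:00:12", "src": "203.0.113.9", "method": "POST",
     "path": TARGET_PATH, "body": "login=alice&passwd=hunter2",
     "resp": b"<AuthenticateResponse><Status>Fail</Status></AuthenticateResponse>"},
    # exploitation attempt: bare `login`, response echoes junk bytes
    {"ts": "07/08/2025:10:00:58", "src": "203.0.113.55", "method": "POST",
     "path": TARGET_PATH, "body": "login",
     "resp": b"<AuthenticateResponse><Label><Text>alice</Text>"
             b"<InitialValue>\x8a\x1f\x00NSC_AAAC=d3f9\x7f</InitialValue>"
             b"</Label></AuthenticateResponse>"},
]
AUDIT_LINES = [
    "07/08/2025:09:30:02 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1001 0 : "
    "Context alice@198.51.100.7 - SessionId: 17 - User alice - "
    "Client_ip 198.51.100.7 - Vserver 10.0.0.2:443",
    "07/08/2025:10:03:41 GMT ns 0-PPE-0 : default SSLVPN LOGIN 1002 0 : "
    "Context alice@192.0.2.200 - SessionId: 18 - User alice - "
    "Client_ip 192.0.2.200 - Vserver 10.0.0.2:443",
]
BASELINE = {"alice": {"198.51.100.7"}}  # constructed: alice's known source IPs


def run_demo():
    return correlate(HTTP_RECORDS, AUDIT_LINES, BASELINE)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The correlation is deliberately not keyed on the probing IP: a hijacked session or stolen credential is normally replayed from a different host than the one that bled the memory, so the link is the time window plus the unfamiliar login source. Note also that a purely request-side rule will miss attackers who vary the trigger, which is why the response-side check on non-printable XML text content is the more robust of the two.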

This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 24 Jul 2025 13:10:12 +0000


Cyber News related to Splunk Details on How to Detect, Mitigate and Respond to CitrixBleed 2 Attack

Splunk RCE Vulnerability Let Attackers Execute Arbitrary Code Via File Upload - Splunk has released patches to address a high-severity Remote Code Execution (RCE) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. The vulnerability impacts Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and ...
8 months ago Cybersecuritynews.com CVE-2025-20229
CVE-2025-20325 - In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster ...
5 months ago
Splunk Patches High-Severity Vulnerabilities in Enterprise Product - Splunk on Monday announced patches for 16 vulnerabilities in Splunk Enterprise and Cloud Platform, including six high-severity bugs. Three of the high-severity issues are remote code execution flaws that require authentication for successful ...
1 year ago Securityweek.com CVE-2024-36985 CVE-2024-36984
CVE-2022-32152 - Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured ...
3 years ago
CVE-2022-32153 - Splunk Enterprise peers in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform versions before 8.2.2203 did not validate the TLS certificates during Splunk-to-Splunk communications by default. Splunk peer communications configured ...
3 years ago
Xfinity Customer Data Compromised in Attack Exploiting CitrixBleed Vulnerability - Comcast's Xfinity is informing customers that their information has been compromised in a cyberattack that involved exploitation of the vulnerability known as CitrixBleed. CitrixBleed, officially tracked as CVE-2023-4966, is a critical vulnerability ...
2 years ago Securityweek.com CVE-2023-4966
"CitrixBleed 2" Vulnerability PoC Released - Warns of Potential Widespread Exploitation - A new critical vulnerability in Citrix NetScaler devices has security experts warning of potential widespread exploitation, drawing alarming parallels to the devastating “CitrixBleed” attacks that plagued organizations in 2023. The ...
5 months ago Cybersecuritynews.com CVE-2025-5777
CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch - The first warning of CitrixBleed 2 being exploited came from ReliaQuest on June 27. On July 7, security researchers at watchTowr and Horizon3 published proof-of-concept exploits (PoCs) for CVE-2025-5777, demonstrating how the flaw can ...
5 months ago Bleepingcomputer.com CVE-2025-5777
CVE-2025-20370 - In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, ...
2 months ago
CVE-2022-32151 - The httplib and urllib Python libraries that Splunk shipped with Splunk Enterprise did not validate certificates using the certificate authority (CA) certificate stores by default in Splunk Enterprise versions before 9.0 and Splunk Cloud Platform ...
3 years ago
10 Best Anti-Phishing Tools in 2025 - Good: real-time email threat detection and response using AI and machine learning; automates incident response to stop phishing attacks quickly. Could be better: limited customer support options; the training module is not entirely ...
4 months ago Cybersecuritynews.com
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
2 years ago Esecurityplanet.com
CVE-2022-32156 - In Splunk Enterprise and Universal Forwarder versions before 9.0, the Splunk command-line interface (CLI) did not validate TLS certificates while connecting to a remote Splunk platform instance by default. After updating to version 9.0, see Configure ...
3 years ago
From the SIEM to the Lake: Bridging the Gap for Splunk Customers Post-Acquisition - The smoke has cleared on Cisco's largest acquisition ever: that of Splunk for $28 billion in September. This acquisition has added a new layer of uncertainty for users, many of which were already wondering what the future holds for threat detection ...
1 year ago Cyberdefensemagazine.com
CVE-2025-20366 - In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search ...
2 months ago
Hackers Launch 11.5 Million Attacks on CitrixBleed 2 - Compromising Over 100 Organizations - Security researcher Kevin Beaumont, who first coined the term “CitrixBleed 2,” reported that attackers have been “carefully selecting victims, profiling NetScaler before attacking to make sure it is a real box”. A massive wave ...
5 months ago Cybersecuritynews.com CVE-2025-5777 Ransomhub
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
Cisco Completes $28 Billion Acquisition of Splunk - Cisco on Monday completed its $28 billion acquisition of Splunk. The networking giant paid $157 per share in cash for Splunk, a powerhouse in data analysis, security and observability tools, in a deal first announced in September 2023. Cisco plans to ...
1 year ago Securityweek.com
CVE-2016-4859 - Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk ...
8 years ago
CVE-2016-4858 - Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk ...
8 years ago
Comcast Xfinity Breached via CitrixBleed; 35M Customers Affected - The now-infamous CitrixBleed vulnerability has claimed possibly its biggest kill yet: 35 million customers of Comcast Xfinity. Since at least August, attackers have been exploiting CVE-2023-4966, a 7.5 high-severity vulnerability affecting Citrix ...
2 years ago Darkreading.com CVE-2023-4966 LockBit