When it added the so-called “Citrix Bleed 2” bug to its Known Exploited Vulnerabilities (KEV) list on July 10, the Cybersecurity and Infrastructure Security Agency (CISA) gave federal agencies just 24 hours to patch the critical flaw, which carries a severity score of 9.3.
According to CISA, the insufficient input validation bug in Citrix NetScaler ADC and Gateway systems — CVE-2025-5777 — poses a “significant, unacceptable risk” to the security of the federal civilian enterprise, and must be patched by end-of-day today.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours, and we encourage all organizations to patch right away,” said Chris Butera, CISA’s acting executive assistant director for cybersecurity.
Security firms ReliaQuest and GreyNoise had previously reported that the Citrix Bleed 2 bug was being exploited, but the last public communication from Citrix on the issue came on June 26, when Anil Shetty, senior vice president of engineering at NetScaler, insisted there was “no evidence” that CVE-2025-5777 had been exploited.
Several efforts to obtain an updated comment from Citrix were unsuccessful. Citrix did, however, release a patch for CVE-2025-5777 on June 17, nine days before that statement.
John Bambenek, president at Bambenek Consulting, said a 24-hour deadline is not unheard of, though it is unusual. By adding Citrix Bleed 2 to the KEV list, Bambenek said, the agency has likely seen exploitation across the U.S. government in addition to the industry reports that commercial targets have been exploited.
Bambenek pointed out that NetScaler has also confirmed reports of exploitation of CVE-2025-6543. Regarding patches, Bambenek said users can ensure protection against both vulnerabilities by installing NetScaler ADC and NetScaler Gateway 14.1-47.46 or later.
“Regardless of the dispute on whether only one or both vulnerabilities are exploited, it’s best to apply an update once and get the protection against both, especially given the potential connection to ransomware actors,” said Bambenek.
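Bambenek's advice above reduces to a single question for an operator: is the build on each appliance at or past 14.1-47.46? The short Python check below is an added example, not code from the article, from Citrix or from NetScaler. It parses NetScaler version strings and compares them numerically, because naive string comparison gets builds such as 47.9 versus 47.46 wrong. It assumes the first line of `show ns version` looks like `NetScaler NS14.1: Build 47.46.nc, Date: ...` (a commonly seen shape, taken here as an assumption) and accepts the advisory-style short form `14.1-47.46`. The only fixed build it knows is the 14.1-47.46 figure Bambenek cites; other branches are reported as unknown rather than guessed. The sample version strings in the block are constructed for illustration.

```python
import re

# Fixed build named in the article for the 14.1 branch (Bambenek: "14.1-47.46 or later").
# Other branches (e.g. 13.1) have their own fixed builds that the article does not list,
# so they are reported as "unknown" here instead of being invented.
FIXED_BUILDS = {
    (14, 1): (47, 46),
}

# Assumed shape of the first line of `show ns version`:
#   "NetScaler NS14.1: Build 47.46.nc, Date: Jun 17 2025, 10:02:11   (64-bit)"
_LONG_RE = re.compile(
    r"NS(?P<major>\d+)\.(?P<minor>\d+):\s*Build\s+(?P<build>\d+)\.(?P<sub>\d+)"
)
# Advisory-style short form, e.g. "14.1-47.46"
_SHORT_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<build>\d+)\.(?P<sub>\d+)$"
)


def parse_version(text):
    """Return ((major, minor), (build, sub)) as integer tuples, or None if no
    recognisable NetScaler version is present in the text."""
    m = _LONG_RE.search(text) or _SHORT_RE.match(text.strip())
    if not m:
        return None
    g = m.groupdict()
    return (int(g["major"]), int(g["minor"])), (int(g["build"]), int(g["sub"]))


def assess(text):
    """Classify a version string against the fixed builds this script knows.

    Returns one of:
      'patched'    build is at or above the fixed build for its branch
      'vulnerable' build is below the fixed build for its branch
      'unknown'    branch not covered by the table above (do not assume safe)
      'unparsed'   no version could be extracted from the text
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    branch, build = parsed
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Integer tuple comparison: (47, 9) < (47, 46), whereas the strings
    # "47.9" and "47.46" would compare the other way round.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample outputs, one per appliance, for demonstration only.
    samples = {
        "gw-east-1": "NetScaler NS14.1: Build 43.56.nc, Date: Jun 3 2025, 09:12:01   (64-bit)",
        "gw-east-2": "NetScaler NS14.1: Build 47.46.nc, Date: Jun 17 2025, 10:02:11   (64-bit)",
        "gw-west-1": "14.1-47.9",
        "gw-legacy": "NetScaler NS13.1: Build 56.18.nc, Date: May 2 2025, 14:40:27   (64-bit)",
        "gw-broken": "ssh: connect to host gw-broken port 22: Connection timed out",
    }
    for host, line in samples.items():
        print(f"{host:10s} {assess(line)}")
```

A `patched` verdict only says the build is at or above the level Bambenek cites; it cannot tell you whether sessions that were established before the upgrade were terminated, which is a separate step to verify on the appliance. Treat `unknown` as "check the vendor bulletin for that branch", not as safe.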
Patrick Tiquet, vice president, security and architecture at Keeper Security, said the inclusion of CVE-2025-5777 in the KEV list is a clear signal for organizations to act without delay. Tiquet said when vulnerabilities impact systems that control authentication and access, the risks extend far beyond a single device.
“These types of flaws can be leveraged to gain unauthorized entry, steal session tokens and move deeper into networks, particularly in hybrid environments where boundaries are more fluid,” said Tiquet. “It’s critical that organizations respond proactively, ensuring patches are applied promptly, credentials are secured and access activity is closely monitored.”