New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions

A recent vulnerability in Citrix NetScaler ADC and Gateway is dubbed "CitrixBleed 2," after its similarity to an older exploited flaw that allowed unauthenticated attackers to hijack authentication session cookies from vulnerable devices.

Last week, Citrix published a security bulletin warning about flaws tracked as CVE-2025-5777 and CVE-2025-5349 that impact NetScaler ADC and Gateway versions before 14.1-43.56, releases before 13.1-58.32, and also 13.1-37.235-FIPS/NDcPP and 2.1-55.328-FIPS.

The CVE-2025-5777 is a critical flaw that is caused by out-of-bounds memory read, allowing unauthenticated attacks to access portions of memory that they should not have access to.

This flaw impacts NetScaler devices that are configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN (CVPN), RDP Proxy) or an AAA virtual server.

Cybersecurity researcher Kevin Beaumont says the flaw echoes the infamous 'CitrixBleed' vulnerability (CVE-2023-4966), which was extensively exploited by threat actors, including ransomware and government attacks.

Beaumont characterized CVE-2025-5777 as 'CitrixBleed 2,' stating that the flaw could allow attackers to potentially access session tokens, credentials, and other sensitive data from public-facing gateways and virtual servers.

Leaked tokens can be replayed to hijack user sessions and bypass multi-factor authentication (MFA).

The same security bulletin lists a second, high-severity flaw tracked as CVE-2025-5349.

This is an improper access control problem in the NetScaler Management Interface, exploitable if the attacker has access to the NSIP (NetScaler Management IP), Cluster Management IP, or Local GSLB Site IP.

To address both risks, users are recommended to install DC and NetScaler Gateway 14.1-43.56, 13.1-58.32 and later, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS).

While Citrix has not stated whether these flaws are being actively exploited, they do recommend that admins terminate all active ICA and PCoIP sessions as soon as all appliances have been updated. This advice was also given by Citrix regarding the original CitrixBleed flaws.

Before killing active sessions, admins should first review existing sessions for suspicious activity using the show icaconnection command and  NetScaler Gateway > PCoIP > Connections to see PCoIP sessions.

After reviewing the active sessions, admins should then terminate them using these commands:

kill icaconnection -all kill pcoipconnection -all

The flaws also impact end-of-life ADC / Gateway 12.1 (non-FIPS) and ADC / Gateway 13.0, which will not be receiving patches. Those still using these versions should upgrade to an actively supported release as soon as possible.

Beaumont's internet scans return over 56,500 publicly exposed NetScaler ADC and Gateway endpoints, though what percentage of those are running versions vulnerable to CVE-2025-5349 and CVE-2025-5777 is unknown.