Citrix Under Fire After Hackers Exploited ‘CitrixBleed 2’ Weeks Before Public Warning

Security experts slam delayed response as China-based attackers exploited critical NetScaler flaw nearly two weeks before a public PoC was released

A critical security flaw in Citrix NetScaler, tracked as CVE-2025-5777 and nicknamed “CitrixBleed 2,” was actively exploited in the wild nearly two weeks before public proof-of-concept (PoC) code surfaced—despite Citrix initially claiming no attacks had occurred.

GreyNoise, a threat intelligence firm, says it saw exploitation attempts as early as June 23, 2025, from IP addresses linked to China. But it wasn’t until July 10, after weeks of private warnings, that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog and gave federal agencies one day to patch.

Exploitation Started Early—Citrix Didn’t Acknowledge It

GreyNoise detected targeted attacks exploiting CitrixBleed 2 almost two weeks before the public had access to a PoC. That’s not just a timeline issue—it’s a problem of trust and transparency.

The company’s honeypots first caught activity on June 23. GreyNoise even tagged it for public visibility on July 7. But Citrix didn’t confirm any active exploitation, instead quietly updating an old blog post on July 11, only after CISA added the vulnerability to its KEV catalog on July 10.

Even when security researcher Kevin Beaumont—who’s been tracking the attacks since June—raised repeated alarms, Citrix kept silent. On July 15, nearly a month after exploitation began, Citrix finally released guidance on analyzing NetScaler logs for compromise indicators.

But the damage had already begun.

[Image: Citrix NetScaler CVE-2025-5777 vulnerability exploit honeypot logs]

What Makes ‘CitrixBleed 2’ So Dangerous?

This isn’t a minor flaw. CVE-2025-5777 carries a critical 9.3 CVSS severity score for a reason.

The vulnerability is an out-of-bounds memory read triggered by a malformed login POST request. Specifically, attackers send the login parameter without its equal sign (login instead of login=), so the appliance never initializes the value it is about to echo back. That tiny omission causes NetScaler appliances to return roughly 127 bytes of uninitialized process memory in the response.

Repeat the request enough times and the leaked fragments add up to session tokens, login credentials, and all sorts of other sensitive data.
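To make the request-side pattern concrete, here is an added example (not code from the article, from Citrix, or from the researchers it cites) that flags a login body whose login field has no equal sign. The endpoint path used below is not named in this article and is treated as an assumption of the example; the sample requests are constructed, not captured traffic.

```python
"""
Added example: detect the malformed login POST described in the article
(the 'login' form field sent with no '=' at all). A permissive form parser
treats that as a blank or missing value and sees nothing wrong, so a WAF
rule or log-review script has to inspect the raw body.
"""
from urllib.parse import parse_qsl

# Assumption for this example: the NetScaler Gateway authentication endpoint.
# The body check below is what actually matters; the path only narrows scope.
LOGIN_PATH = "/p/u/doAuthentication.do"


def fields_without_value(body: str) -> list[str]:
    """Return form-field names that appear with no '=' at all,
    e.g. 'login' in 'login&passwd=x'. Lenient parsers hide these."""
    return [part for part in body.split("&") if part and "=" not in part]


def is_citrixbleed2_probe(method: str, path: str, body: str) -> bool:
    """True when a POST to the login endpoint carries a bare 'login' field."""
    return (
        method.upper() == "POST"
        and path.split("?", 1)[0] == LOGIN_PATH
        and "login" in fields_without_value(body)
    )


def permissive_parse(body: str) -> list[tuple[str, str]]:
    """How a lenient parser sees the same body: the bare field becomes
    ('login', ''), indistinguishable from a user who left the box empty."""
    return parse_qsl(body, keep_blank_values=True)


# Constructed sample requests (method, path, body); not real traffic.
SAMPLES = [
    ("POST", "/p/u/doAuthentication.do", "login=alice&passwd=s3cret"),  # normal login
    ("POST", "/p/u/doAuthentication.do", "login&passwd=x"),            # probe
    ("POST", "/p/u/doAuthentication.do", "login"),                     # probe, bare field only
    ("POST", "/cgi/login", "login"),                                   # other path, out of scope
    ("GET", "/p/u/doAuthentication.do", "login"),                      # wrong method
]


def scan(samples=SAMPLES) -> list[int]:
    """Indexes of the samples that match the probe pattern."""
    return [i for i, (m, p, b) in enumerate(samples) if is_citrixbleed2_probe(m, p, b)]


if __name__ == "__main__":
    for m, p, b in SAMPLES:
        print(f"{m} {p} {b!r}: probe={is_citrixbleed2_probe(m, p, b)} "
              f"lenient_view={permissive_parse(b)}")
```

The lenient view is the point: parse_qsl reports the probe body as login="" plus the other fields, exactly what a legitimate but empty login attempt would produce, which is one reason a parser-based WAF rule can miss the pattern while a raw-body check catches it.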

It gets worse. Once a session token is exposed, an attacker can:

  • Hijack live Citrix sessions without needing credentials

  • Access internal networks, including VPNs and cloud panels

  • Disrupt or spy on enterprise operations silently

Researchers at Horizon3 and watchTowr demonstrated this clearly. And yet, Citrix delayed sharing that knowledge with its users.

Early Exploits, Silent Victims

Kevin Beaumont, who previously helped dissect the first CitrixBleed flaw in 2023, flagged exploitation patterns again in June. He spotted the malformed login POST requests in appliance logs, indicating attackers were probing systems for memory leakage.

He also flagged anomalies like:

  • User logoffs with garbled usernames (e.g., “#”)

  • Memory dumps appearing in log fields

  • Reused session tokens from unknown IPs

Beaumont says attackers started testing Citrix devices on June 20, ramping up by June 21. He believes one well-coordinated threat group—possibly state-backed—is behind the early activity.

“They were extremely selective,” he wrote. “They scanned, checked whether it was a real box, and then attacked. None of my honeypots were hit.” That speaks to deliberate targeting, not random scanning.
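As an added example (not code from the article or from Beaumont), the following script checks constructed NetScaler-style log lines for the three anomalies listed above: garbled usernames on logon or logoff events, memory-like junk inside log fields, and a session ID reused from an IP outside a known range. The log format, the session field, and the "known" network are all assumptions of the example; real ns.log lines need a regex written for their own layout.

```python
"""
Added example: review constructed NetScaler-style log lines for the three
CitrixBleed 2 indicators described in the article. The log format here is
an assumption of the example (simpler than real ns.log output).

Constructed format:
  <ISO timestamp> event=<TYPE> user="<name>" client_ip=<ip> session=<id> [detail="<text>"]
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ts>\S+) event=(?P<event>\w+) user="(?P<user>[^"]*)" '
    r'client_ip=(?P<ip>\S+) session=(?P<session>\S+)(?: detail="(?P<detail>[^"]*)")?$'
)

# Assumption: the organisation's expected client range; anything else is "unknown".
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Usernames we expect: letters, digits, dots, underscores, '@', DOMAIN\user.
VALID_USER = re.compile(r"^[A-Za-z0-9._@\\-]+$")


def garbled_username(user: str) -> bool:
    """First anomaly: names such as '#' or binary junk where a user should be."""
    return VALID_USER.fullmatch(user) is None


def looks_like_memory(text: str) -> bool:
    """Second anomaly: control bytes or non-ASCII runs that read like a memory dump."""
    junk = sum(1 for c in text if ord(c) < 0x20 or ord(c) >= 0x7F)
    return junk >= 3


def is_known_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETS)


def analyze(lines):
    """Return the three finding lists; unparseable lines are reported as well."""
    findings = {"garbled_users": [], "memory_in_fields": [], "session_reuse": []}
    ips_per_session = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # a line the regex cannot read deserves a manual look
            findings["memory_in_fields"].append(line)
            continue
        f = m.groupdict()
        if garbled_username(f["user"]):
            findings["garbled_users"].append((f["ts"], f["event"], f["user"]))
        if f["detail"] and looks_like_memory(f["detail"]):
            findings["memory_in_fields"].append(line)
        ips_per_session[f["session"]].add(f["ip"])
    # Third anomaly: one session ID seen from several IPs, at least one unknown.
    for sess, ips in ips_per_session.items():
        if len(ips) > 1 and any(not is_known_ip(ip) for ip in ips):
            findings["session_reuse"].append((sess, sorted(ips)))
    return findings


# Constructed sample lines (not real appliance output).
SAMPLE_LOG = [
    '2025-06-23T10:01:12Z event=LOGIN user="alice" client_ip=203.0.113.5 session=s1',
    '2025-06-23T10:07:40Z event=LOGOFF user="#" client_ip=198.51.100.7 session=s9',
    '2025-06-23T10:15:55Z event=LOGIN user="bob" client_ip=203.0.113.9 session=s2',
    '2025-06-23T10:31:03Z event=REQUEST user="alice" client_ip=198.51.100.7 session=s1',
    '2025-06-23T10:32:17Z event=LOGOFF user="\x00\x01\x7f" client_ip=198.51.100.8 session=s11 '
    'detail="Referer=\x00\x00\x01\x7f\x02 q=1"',
    '2025-06-23T10:40:00Z event=REQUEST user="bob" client_ip=203.0.113.9 session=s2',
]

if __name__ == "__main__":
    for key, items in analyze(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", repr(item))
```

Session s1 is the interesting case: alice logs in from the known range, then the same session ID is used minutes later from an address outside it, which is what a stolen token looks like in the logs even though no login event ever fails.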

Security Tools Lagged—Including Citrix’s Own

Perhaps most frustrating for defenders: Citrix’s Web Application Firewall didn’t detect these exploits. That means companies relying on built-in protections were flying blind.

Other vendors picked up the slack. Imperva says it logged over 11.5 million exploit attempts tied to CVE-2025-5777. Roughly 40% targeted financial institutions—banks, fintechs, investment firms.

Here’s what the sector-wise impact looked like, based on Imperva’s telemetry:

Sector        Share of exploit attempts
Financial     40%
Healthcare    18%
Government    14%
Technology    12%
Other         16%

Meanwhile, GreyNoise provided the PoC exploit code to BleepingComputer, confirming that it matched the attack pattern seen weeks earlier.

So why the hold-up in response?

Citrix’s Patch Guidance Still Missing Pieces

Citrix eventually published a support blog on July 15, detailing how to review NetScaler logs for signs of compromise. They recommended terminating all ICA and PCoIP sessions.

But again, experts pointed out gaps.

Beaumont warned that hijacked sessions might persist in other connection types like RDP, SSH, and even AAA sessions, and urged admins to manually terminate those session types as well, not just ICA and PCoIP.

Citrix didn’t mention most of those. They also didn’t share key indicators of compromise (IOCs) that researchers claim were already passed along privately weeks earlier.

That omission hasn’t gone unnoticed.

Patching Is the Only Fix—And Time’s Ticking

There’s no workaround. No quick mitigation. If your NetScaler appliance is vulnerable, patch it immediately.

Citrix has released updates for NetScaler ADC and Gateway. But appliances on the end-of-life 12.1 and 13.0 branches receive no fix and stay exposed until they are upgraded to a supported release.

Security agencies worldwide are pushing companies to act fast. The U.S. government gave federal agencies just one day to deploy the fix after CISA listed the CVE.

For companies already compromised, it might be too late.

But for everyone else, it’s a race against time.

Hayden Patrick is a writer who specializes in entertainment and sports. He is passionate about movies, music, games, and sports, and he shares his opinions and reviews on these topics. He also writes on other topics when there is no one available, such as health, education, business, and more.
