A new Citrix vulnerability, CVE-2025-5777, has officially made it into CISA's Known Exploited Vulnerabilities (KEV) Catalog. That means it's no longer just a theoretical bug: attackers are already using it to break into real-world systems, and the threat is active right now.
The flaw affects NetScaler ADC and Gateway appliances, especially when they're set up as VPNs, ICA proxies, or AAA virtual servers. These configurations are extremely common in enterprise networks, which is what makes this issue so dangerous. The vulnerability lets attackers read parts of memory they shouldn't have access to; each leaked piece is small, but over repeated reads it's enough to steal login tokens, credentials, and other sensitive information.
The bug is being compared to 2023's CitrixBleed attack, and many experts are already calling this new one CitrixBleed 2. Like the original, it's based on memory leakage, a method that's subtle, hard to detect, and very effective against appliances that are left unpatched.
Citrix released a patch for this on June 17, 2025, but not everyone has applied it yet. Unfortunately, attackers appear to have been exploiting the flaw since mid-June, before the patch was widely installed, which leaves a dangerous gap for anyone still running outdated software.
Multiple cybersecurity firms, including ReliaQuest, watchTowr Labs, and Horizon3.ai, have confirmed that real-world attacks using this vulnerability are already underway. That's not speculation; it's happening now. Attackers are actively targeting organizations, using this exploit to hijack user sessions and dig deeper into internal systems.
What's strange is that even though the flaw was already being exploited, Citrix said on June 26 that it hadn't seen any signs of exploitation. Several sources now show the opposite: the exploit was already live in the wild. Whether Citrix was unaware or simply playing it safe in its messaging, the delay in acknowledging the threat may have cost some organizations precious time.
This vulnerability matters because Citrix appliances often serve as the main door into corporate networks. Once that door is cracked open, attackers can move on to cloud platforms, internal dashboards, and anything else connected to the network, especially in environments where network segmentation isn't strict.
Because of the severity, CISA has ordered all federal agencies to apply the fix by July 11, 2025. While that only officially applies to federal systems, the warning extends to every organization using Citrix NetScaler. If you haven’t patched yet, now is the time.
But patching alone isn't enough. Security teams should also check their NetScaler logs, especially for suspicious activity at the login endpoint /p/u/doAuthentication.do: look for unusual entries or XML responses containing leaked data. And after applying the patch, terminate all active sessions so attackers can't reuse tokens they have already stolen.
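One way to hunt for the burst of repeated logon requests that memory-leak exploitation leaves behind, as an added example that is not from the original article or from Citrix: a small Python script that flags any source address hammering /p/u/doAuthentication.do. The log layout, the sample lines and the thresholds are all constructed assumptions; the real NetScaler log format differs, so adapt the regex to your own export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENDPOINT = "/p/u/doAuthentication.do"
# Constructed sample lines in a simplified "time src method path status bytes"
# layout; the real NetScaler log format differs, so adapt LINE_RE to your export.
SAMPLE_LOG = """\
2025-06-20T10:00:01Z 198.51.100.4 POST /p/u/doAuthentication.do 200 2048
2025-06-20T10:00:03Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1189
2025-06-20T10:00:04Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1192
2025-06-20T10:00:05Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1187
2025-06-20T10:00:06Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1190
2025-06-20T10:00:07Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1195
2025-06-20T10:00:08Z 203.0.113.7 POST /p/u/doAuthentication.do 200 1188
2025-06-20T10:30:00Z 192.0.2.9 POST /p/u/doAuthentication.do 200 2040
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Return (timestamp, src_ip, path), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(4)

def find_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: peak_count} for sources hitting ENDPOINT at least `threshold`
    times inside any sliding interval of length `window` (hypothetical defaults)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == ENDPOINT:
            hits[parsed[1]].append(parsed[0])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"review {ip}: {count} logon POSTs to {ENDPOINT} within 60s")
```

A legitimate user authenticates a handful of times at most, so a source that posts to the logon endpoint dozens of times per minute deserves a closer look, and any flagged address should be cross-checked against the session list before you terminate sessions.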
Some of the IPs linked to early attacks have been tied to known ransomware operators, including groups like RansomHub. That's a red flag that this flaw might not just be used for espionage; it could easily turn into ransomware infections or extortion campaigns in the coming weeks.
At this point, there’s no doubt: CVE-2025-5777 is being used, and it’s serious. Every hour you delay patching increases the risk of compromise. If your business uses Citrix NetScaler in any form, this is not something to push off for later.
We've seen this pattern before: a new vulnerability, slow patching, and then full-blown exploitation. Let's not repeat it. Update your systems, investigate for signs of compromise, and stay ahead while you still can.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news