
Daily Security Review

CitrixBleed 2: Critical NetScaler Vulnerability Enables Session Hijacking and MFA Bypass

27 Jun 2025

Description

A new critical vulnerability in Citrix NetScaler ADC and Gateway systems, dubbed CitrixBleed 2 (CVE-2025-5777), has emerged as a serious threat to remote access infrastructure. This memory exposure flaw allows unauthenticated attackers to extract session tokens directly from device memory — enabling session hijacking and even bypassing multi-factor authentication (MFA). With early evidence of exploitation in the wild and eerie similarities to the original CitrixBleed (CVE-2023-4966), the risk to enterprise environments is substantial.

The vulnerability is caused by insufficient input validation, leading to out-of-bounds memory reads when NetScaler is configured as a Gateway or AAA virtual server. Once session tokens are exfiltrated, attackers can impersonate legitimate users and gain persistent access — often without triggering alerts or violating login controls. Cybersecurity researchers, including ReliaQuest, assess with medium confidence that active exploitation is underway.

This episode breaks down the mechanics of CitrixBleed 2 and explores how it fits into the broader landscape of session hijacking threats and identity-centric attacks. Topics include:

- How CVE-2025-5777 enables unauthorized access via session token exposure
- Technical comparisons with the original CitrixBleed vulnerability
- Session hijacking techniques at both network and application levels, including TCP desynchronization and token theft
- The second NetScaler vulnerability disclosed (CVE-2025-6543) and its denial-of-service impact
- Mitigation steps, including patching to versions 14.1-43.56, 13.1-58.32, or 13.1-37.235
- Defense-in-depth recommendations, including phishing-resistant MFA, endpoint detection and response (EDR), and token revocation protocols
- Incident and vulnerability response strategies aligned with CISA playbooks

CitrixBleed 2 is more than a software bug — it’s a gateway for attackers to silently bypass identity safeguards and establish footholds in enterprise networks. Rapid patching is essential, but long-term protection depends on layered controls, resilient MFA design, and disciplined incident response planning.
