CitrixBleed 2 Exploit Bypasses MFA, Puts Enterprise Networks at Risk

A newly discovered Citrix vulnerability is being actively exploited to bypass multi-factor authentication and hijack user sessions.


Key Takeaways:

  • A new critical Citrix vulnerability (CitrixBleed 2) allows MFA bypass and session hijacking.
  • Exploitation began shortly after the patch was released, raising concerns over Citrix’s disclosure practices.
  • Researchers urge admins to patch immediately and monitor systems for compromise indicators.

Cybersecurity researchers have discovered a critical vulnerability in Citrix’s network management devices that allows attackers to bypass multi-factor authentication and hijack user sessions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw (dubbed CitrixBleed 2) to its Known Exploited Vulnerabilities catalog.

How are attackers exploiting the CitrixBleed 2 vulnerability?

The security vulnerability (CVE-2025-5777) carries a CVSS score of 9.3. It is similar to the CVE-2023-4966 flaw (also known as CitrixBleed) that compromised 20,000 Citrix devices two years ago. Both vulnerabilities affect Citrix’s NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, which are widely used in enterprise environments for load balancing, single sign-on, and remote access. The new CitrixBleed 2 flaw allows attackers to read sensitive data (such as session tokens) from the memory of NetScaler devices configured as a gateway or AAA virtual server.

Citrix disclosed the new CitrixBleed 2 vulnerability and released a security update to patch it on June 17. Shortly after, the company said that it was unaware of any evidence of exploitation. In July, however, security researcher Kevin Beaumont published two working exploits that could allow hackers to bypass multi-factor authentication (MFA), hijack user sessions, and access critical systems. Earlier this week, the researcher said Greynoise’s honeypot telemetry indicates that CitrixBleed 2 has been under active exploitation since at least June 23.

What should administrators do now?

Security researchers and firms have accused Citrix of withholding Indicators of Compromise (IoCs) that could help customers determine if their systems were under active attack. Instead, customers are required to contact the Citrix support team directly.

“In reality exploitation started soon after the patch release, so providing no technical details didn’t slow exploitation—it gave attackers a head start and left customers with a false sense of security that simply applying patches resolved the problem,” Beaumont wrote in a blog post.

Beaumont noted that the exploits work by sending thousands of malformed login requests per day to the /doAuthentication.do endpoint on Citrix NetScaler devices. By repeating these requests over time, attackers harvest enough leaked memory fragments to reconstruct a valid session token and gain administrative access.

It is highly recommended to install the official Citrix patch on all vulnerable NetScaler devices to address the flaw and prevent new cyberattacks. Administrators should also use IoCs to check whether any devices within their organization have already been compromised, since patching does not undo a session that was hijacked before the update.
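One first-pass detection that follows from the request pattern Beaumont described (thousands of login requests per day against /doAuthentication.do) is to look for sources that hit that endpoint in bursts far beyond what a human login produces. The script below is an added example, not Citrix’s or the article’s code: it assumes Apache/NGINX-style combined access-log lines (the real NetScaler log format differs, so the regex would need adapting), and the sample lines, IP addresses, window and threshold are all constructed for illustration.

```python
"""Flag sources that burst requests at the NetScaler /doAuthentication.do
endpoint in web-style access logs.

Added example, not Citrix's or the article's code.  Assumes combined-style
access-log lines; the NetScaler log format differs, so adapt LOG_RE.
All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
AUTH_PATH = "/doAuthentication.do"  # endpoint named in the article


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_auth_bursts(lines, window=timedelta(minutes=10), threshold=20):
    """Return {ip: peak_count} for sources whose requests to AUTH_PATH exceed
    `threshold` inside any sliding `window`.  A real user authenticates a few
    times a day; a loop harvesting memory produces far more, so a burst count
    is a cheap heuristic to triage before applying vendor IoCs.  The window
    and threshold are assumed starting values, not Citrix guidance."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].split("?", 1)[0] == AUTH_PATH:
            per_ip[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            # Slide the left edge until the window spans at most `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[ip] = peak
    return hits


# ---- constructed sample log (not real telemetry) -------------------------
def _make_line(ip, ts, path, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "POST {path} HTTP/1.1" {status} 512'


_base = datetime(2025, 7, 1, 9, 0, 0, tzinfo=timezone.utc)
# One source sends 50 login requests in five minutes (constructed burst).
SAMPLE_LINES = [
    _make_line("203.0.113.7", _base + timedelta(seconds=6 * i), AUTH_PATH)
    for i in range(50)
]
# A normal user logs in three times over three hours, plus one page view.
SAMPLE_LINES += [
    _make_line("198.51.100.4", _base + timedelta(hours=i), AUTH_PATH) for i in range(3)
]
SAMPLE_LINES.append(_make_line("198.51.100.4", _base, "/index.html"))

if __name__ == "__main__":
    for ip, count in find_auth_bursts(SAMPLE_LINES).items():
        print(f"{ip}: {count} requests to {AUTH_PATH} within 10 minutes")
```

A hit from this script is a triage signal, not proof of compromise: the article notes that Citrix’s own IoCs are only available through its support channel, so a flagged source should be followed up with those indicators and a review of the device’s active sessions rather than treated as conclusive on its own.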