"CitrixBleed 2": Citrix Netscaler vulnerabilities more serious than first described
Citrix recently warned of vulnerabilities in Netscaler ADC and Gateway. They are more serious than initially described, and the name "CitrixBleed 2" is doing the rounds.
Last week, Citrix disclosed several vulnerabilities in Netscaler ADC and Gateway. One of them was already rated critical. Citrix has now updated the vulnerability description, and it reminds IT security researchers of the CitrixBleed vulnerability from 2023, which is why the name "CitrixBleed 2" is now doing the rounds.
CitrixBleed is a vulnerability in Netscaler ADC and Gateway (CVE-2023-4966 / EUVD-2023-54802, CVSS 9.4, risk "critical") that allows attackers to read valid session tokens from the appliance's memory remotely and without authentication. With such a token they can bypass the login and access systems, and attackers did so diligently. The original vulnerability description was: "Sensitive information disclosure in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server."
Citrix adjusts vulnerability description
The vulnerability disclosed last week initially carried a more general description, which Citrix updated almost unnoticed on Monday of this week. The original wording stated that attackers could read memory in Netscaler ADC and Gateway outside the intended bounds because supplied data is insufficiently validated (CVE-2025-5777 / EUVD-2025-18497, CVSS 9.3, risk "critical").
The CVE entry records the change; the description now reads, verbatim: "Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server." This is very similar to the description of the CitrixBleed vulnerability. Citrix appliances are commonly deployed in exactly these configurations to provide remote access to company resources.
IT security researcher Kevin Beaumont noticed this and has now reported on it. The memory that can be read through the vulnerability may contain sensitive information such as session tokens. In a replay attack, attackers can use such tokens to take over Citrix sessions and bypass multifactor authentication, for example. This is exactly how the CitrixBleed vulnerability was abused in the wild in 2023. Beaumont also queried the search engine Shodan for the favicon of Netscaler instances. The largest number of systems reachable from the internet are in the USA (13,745), with Germany in second place with 6,810 reachable Netscaler instances. The search, however, says nothing about whether these Netscalers are still vulnerable.
IT managers should therefore update their Citrix instances promptly with the available updates. Citrix points out that all active ICA and PCoIP sessions should be forcibly terminated after the update, since tokens captured before patching would otherwise remain usable. This can be done with the commands kill icaconnection -all and kill pcoipConnection -all.
(dmk)