"CitrixBleed 2": Indications of ongoing attacks on the vulnerability
A Citrix NetScaler vulnerability nicknamed "CitrixBleed 2" is serious, and it now appears to be under active attack.
(Image: Black_Kira/Shutterstock.com)
A security vulnerability in Citrix NetScaler ADC and Gateway turned out last week to be more serious than initially assumed, which is why IT security researchers gave it the name "CitrixBleed 2". Other researchers have now found evidence pointing to ongoing attacks on the flaw. Administrators should install the available updates as soon as possible.
The researchers at ReliaQuest describe in a blog post that they observed evidence of active exploitation of the vulnerability on the Internet at the end of last week. They are not entirely certain, however, and qualify the finding: "We classify with medium certainty that attackers are actively attacking the vulnerability to gain initial access to target environments". "CitrixBleed 2" is an out-of-bounds memory read: memory outside the intended bounds can be read, which allows session tokens to be extracted and authentication, including multifactor authentication (MFA), to be bypassed (CVE-2025-5777 / EUVD-2025-18497, CVSS 9.3, risk "critical").
Observed misuse
The security researchers write that they observed hijacked Citrix web sessions on NetScaler devices. Authentication was obtained without the users' involvement, which indicates that MFA was bypassed. In addition, sessions were reused from multiple IP addresses, including combinations of expected and suspicious addresses. They also saw LDAP queries of the kind usually associated with Active Directory reconnaissance, i.e. post-exploitation activity after the initial intrusion. Several instances of the "ADExplorer64.exe" tool, used to query domain groups and access rights on multiple domain controllers, were found across the environment. Finally, some Citrix sessions originated from data center IP ranges, which suggests the use of consumer VPN services.
ReliaQuest recommends installing the fixed software versions immediately and restricting access to NetScaler. Admins should also monitor for unusual activity that indicates exploitation attempts. This includes the reuse of sessions and web server logs showing HTTP requests of unusual length. As an example, the researchers point to the original "CitrixBleed", where HTTP GET requests were sent to the API endpoint "/oauth/idp/.well-known/openid-configuration HTTP/1.1" with a Host header of 24,812 characters.
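The indicators above can be checked mechanically. The following script is an added example and is not code from ReliaQuest, Citrix or heise: it runs three of the described checks over a handful of constructed log lines. The tab-separated log format, the request paths, the session IDs and the data-center range list are all assumptions made for the illustration; a real NetScaler or reverse-proxy log has to be mapped onto these fields first.

```python
"""Three post-CitrixBleed checks over access-log records (added example):
  1. oversized Host header on the openid-configuration endpoint
     (the original CitrixBleed probe pattern),
  2. one session token reused from several client IPs,
  3. authenticated sessions arriving from data-center address space.
"""
import ipaddress
from collections import defaultdict

# Assumed (hypothetical) log format: one request per line,
#   client_ip <TAB> method <TAB> path <TAB> host_header <TAB> session_id
# with "-" as session_id for unauthenticated requests.
OPENID_PATH = "/oauth/idp/.well-known/openid-configuration"
# A hostname is at most 255 octets (RFC 1035); a Host header far beyond
# that is not a hostname but a probe or an exploit payload.
MAX_HOST_LEN = 255
# Constructed placeholder for a hosting-provider prefix list; in practice
# load a maintained feed. 203.0.113.0/24 is documentation space (RFC 5737).
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    ip, method, path, host, session = fields
    return {"ip": ip, "method": method, "path": path,
            "host": host, "session": session}


def oversized_host_hits(records, path=OPENID_PATH, max_len=MAX_HOST_LEN):
    """(client_ip, host_len) for requests to `path` with an oversized Host header."""
    return [(r["ip"], len(r["host"])) for r in records
            if r["path"] == path and len(r["host"]) > max_len]


def reused_sessions(records):
    """{session_id: sorted client IPs} for tokens seen from more than one IP."""
    ips = defaultdict(set)
    for r in records:
        if r["session"] != "-":
            ips[r["session"]].add(r["ip"])
    return {s: sorted(v) for s, v in ips.items() if len(v) > 1}


def sessions_from_datacenter(records, ranges=DATACENTER_RANGES):
    """Sorted (session_id, client_ip) pairs for authenticated requests
    whose source address lies in one of the data-center ranges."""
    hits = set()
    for r in records:
        if r["session"] == "-":
            continue
        ip = ipaddress.ip_address(r["ip"])
        if any(ip in net for net in ranges):
            hits.add((r["session"], r["ip"]))
    return sorted(hits)


def build_sample_log():
    """Constructed sample lines, not captured traffic. The 24,812-character
    Host header mirrors the length cited for the original CitrixBleed probes."""
    rows = [
        ("10.0.0.5", "GET", "/vpn/index.html", "vpn.example.com", "-"),
        ("203.0.113.7", "GET", OPENID_PATH, "A" * 24812, "-"),
        ("10.0.0.5", "GET", "/app/home", "vpn.example.com", "sess-aaa"),
        ("198.51.100.9", "GET", "/app/home", "vpn.example.com", "sess-aaa"),
        ("10.0.0.6", "GET", "/app/home", "vpn.example.com", "sess-bbb"),
        ("203.0.113.20", "GET", "/app/home", "vpn.example.com", "sess-ccc"),
    ]
    return "\n".join("\t".join(r) for r in rows) + "\n"


def analyze(log_text):
    """Run all three checks over a log and return their findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "oversized_host": oversized_host_hits(records),
        "reused_sessions": reused_sessions(records),
        "datacenter_sessions": sessions_from_datacenter(records),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_log()), indent=2))
```

On the constructed input the script flags the 24,812-character Host header from 203.0.113.7, the token "sess-aaa" used from both 10.0.0.5 and 198.51.100.9, and "sess-ccc" arriving from the data-center range. The session-reuse check is the one that matters most for a token-theft bug: a legitimate user rarely presents the same session cookie from two unrelated networks within a short window, so correlating it with an address-reputation list and with the user's usual egress prefixes keeps the false-positive rate low.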
Last week, Citrix updated the description of CVE-2025-5777 / EUVD-2025-18497. Its wording now resembles that of the original "CitrixBleed" vulnerability CVE-2023-4966 / EUVD-2023-54802, which cybercriminals attacked on a massive scale in 2023.
(dmk)