"Citrix Bleed 2": Current attack warnings
The "Citrix Bleed 2" vulnerability in Citrix Netscaler is currently under massive attack, IT security researchers warn.
Over the past few days, IT security researchers have observed a massive increase in the number of attacks on the Citrix Netscaler vulnerability known as “Citrix Bleed 2” and on two others. In addition, several thousand vulnerable systems are exposed on the Internet.
The Shadowserver Foundation published figures on Bluesky on Tuesday, according to which 3312 Netscaler systems are vulnerable to CVE-2025-5777 – which has been nicknamed “Citrix Bleed 2” – and 4142 are vulnerable to CVE-2025-6543. Fortinet also issued an outbreak alert last Thursday stating that the company has seen a sharp increase in attack attempts on the Citrix Bleed 2 vulnerability since the end of July. Globally, Fortinet sensors have seen more than 6000 attacks since then.
According to the Fortinet researchers, the attackers are focusing in particular on the USA, Australia, Germany, and the United Kingdom, and are going after high-profile targets in the technology, banking, healthcare, and education sectors. Overall, the attacks focus on three vulnerabilities that are currently attracting attention. The first is “Citrix Bleed 2”. The second is CVE-2025-6543, which has been abused since the first reports: a memory overflow that can lead to unintended control flow and denial of service in Netscaler if it is configured as a VPN server or AAA Virtual Server. The third is CVE-2025-5349, which involves insufficient access control in the Netscaler Management Interface.
Dutch cyber security authority warns of attacks
The Dutch cyber security authority NCSC also updated its report on the memory overflow vulnerability CVE-2025-6543 on Monday. According to the report, the authority has observed further advanced attacks on Dutch organizations after the first observed exploit in mid-July. One or more attackers abused the vulnerability to break in and actively deleted their traces to conceal the compromise of the organizations. However, it is unclear whether the perpetrators are still active and which organizations have been compromised. The investigation is still ongoing.
IT managers using Citrix Netscaler should immediately apply the available updates to close the vulnerabilities. Citrix is providing a separate advisory with updates for CVE-2025-6543 and another one for the other two vulnerabilities.
Until now, there had only been indications of attacks on the Netscaler vulnerabilities. Now attacks on vulnerable systems have been observed directly.
(dmk)