CISA, the Cybersecurity and Infrastructure Security Agency, recently released an emergency alert regarding a critical vulnerability known as Citrix Bleed 2. It can pose a very high risk to organizations that have Citrix NetScaler devices exposed to the Internet. The vulnerability, tracked as CVE-2025-5777, allows remote attackers to bypass authentication and gain access to vulnerable NetScaler appliances. It endangers sensitive credentials and opens the way to unauthorized entry into a company’s internal network, which is extremely alarming.
Independent security researchers Operating System Security have found a striking resemblance between Citrix Bleed 2 and a previous security vulnerability in Citrix NetScaler. This flaw was identified at the beginning of this year. Citrix NetScaler is an important networking product, widely deployed in large enterprises and government agencies. It enables employees to safely connect to applications and services from their own home networks. Cybercriminals can take advantage of this flaw to obtain illegal access to private data, with potentially disastrous repercussions for the affected organizations.
CISA recently confirmed that there is evidence of active exploitation of Citrix Bleed 2 in current hacking campaigns. In light of this, the agency added the vulnerability to its catalog of known exploited vulnerabilities as of Thursday. Based on our research, exploitation of Citrix Bleed 2 is widespread. Some accounts report this kind of exploitation as far back as mid-June. Active exploitation is a reality that organizations need to start acting on today.
Citrix is encouraging its customers to act quickly. They need to patch their impacted NetScaler ADC and Gateway devices immediately. The company has released a Citrix security advisory (CTX693420) that rates the Citrix Bleed 2 vulnerability as critical. Most importantly, it details the steps needed for remediation. Companies that don’t prioritize this issue potentially leave themselves open to mass cyberattacks. Ransomware threats are now directly attributed to the exploitation of this vulnerability.