Full Report
The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes. [...]
Analysis Summary
# Vulnerability: Citrix Bleed 2 (Citrix NetScaler ADC and Gateway Vulnerability)
## CVE Details
- CVE ID: **CVE-2025-5777**, the flaw CISA tracks as "Citrix Bleed 2" and has confirmed as actively exploited. The vendor bulletin the report points to also covers a second NetScaler flaw, **CVE-2025-6543**; the report does not describe that one as the vulnerability behind CISA's directive.
- CVSS Score: Not provided in the source text.
- CWE: Not provided in the source text.
## Affected Systems
- Products: Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway.
- Versions: The report lists no affected builds. Any build earlier than the fixed releases given under Remediation should be treated as affected.
- Configurations: Internet-facing NetScaler ADC and Gateway deployments are the ones exposed to exploitation and the ones CISA's deadline is aimed at.
## Vulnerability Description
The report gives no technical detail about CVE-2025-5777 itself beyond the fact that it is a critical flaw under active exploitation. CISA considers it severe enough that agencies which cannot patch within the one-day window are told to take the affected appliances offline rather than leave them exposed.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by CISA).
- Complexity: Not stated. The one-day remediation deadline suggests CISA regards exploitation as practical without special preconditions, but that is an inference from the urgency, not a statement in the report.
- Attack Vector: Not stated; presumably **Network**, since the exposure is on externally facing ADC/Gateway virtual servers.
## Impact
*Note: the report gives no CVSS sub-scores. The levels below are inferred from the urgency of CISA's directive and from the original Citrix Bleed, which leaked data that enabled session hijacking.*
- Confidentiality: Potentially High (the vendor's advice to review and terminate live ICA/PCoIP sessions after patching is consistent with the session-hijacking concern of the original Citrix Bleed).
- Integrity: Potentially High (a hijacked session grants the attacker the victim's access and actions).
- Availability: Not stated. The availability cost the report mentions comes from CISA's mitigation (taking unpatched appliances offline), not from the flaw itself; a vulnerability's availability impact should not be inferred from the disruption its remediation causes.
## Remediation
### Patches
Upgrade to at least the following builds, as listed in the vendor bulletin:
1. **14.1-43.56+**
2. **13.1-58.32+**
3. **13.1-FIPS/NDcPP 13.1-37.235+**
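The fixed builds above turn into a quick fleet triage check. The following Python is added here as an illustration and is not code from the report or from Citrix. It parses the first line of NetScaler's `show version` output (the `NetScaler NS<train>: Build <major>.<minor>.nc` form) and compares the build against the minimum fixed builds listed above as integer tuples. The version strings in `SAMPLE_FLEET` are constructed for the example, and the FIPS/NDcPP train is distinguished by an explicit flag because the example does not assume how that train labels itself in `show version`.

```python
import re
from typing import NamedTuple

# Minimum fixed builds from the vendor bulletin, keyed by (release train, is_fips_ndcpp).
# Builds are compared as (major, minor) integer tuples, e.g. "43.56" -> (43, 56).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
}

# First line of `show version` looks like (assumed format for this example):
#   NetScaler NS14.1: Build 43.56.nc, Date: ...
VERSION_RE = re.compile(
    r"NS(?P<train>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)


class NsVersion(NamedTuple):
    train: str
    build: tuple


def parse_show_version(output: str) -> NsVersion:
    """Extract the release train and (major, minor) build from `show version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised show version output: {output!r}")
    return NsVersion(m["train"], (int(m["major"]), int(m["minor"])))


def triage(output: str, fips_ndcpp: bool = False) -> dict:
    """Return a verdict for one appliance.

    status is one of:
      'patched'        build is at or above the fixed build for its train
      'vulnerable'     same train, older build: upgrade, then kill sessions
      'unknown-train'  no fixed build listed for this train: treat as
                       vulnerable and consult the vendor bulletin
    """
    v = parse_show_version(output)
    fixed = FIXED_BUILDS.get((v.train, fips_ndcpp))
    if fixed is None:
        return {"train": v.train, "build": v.build, "status": "unknown-train"}
    status = "patched" if v.build >= fixed else "vulnerable"
    return {"train": v.train, "build": v.build, "fixed": fixed, "status": status}


# Constructed sample inventory: (hostname, show version line, FIPS/NDcPP flag). Not real appliances.
SAMPLE_FLEET = [
    ("gw-east", "NetScaler NS14.1: Build 43.56.nc, Date: Jun 26 2025, 10:11:12", False),
    ("gw-west", "NetScaler NS14.1: Build 43.50.nc, Date: May 2 2025, 09:00:00", False),
    ("gw-fips", "NetScaler NS13.1: Build 37.235.nc, Date: Jun 26 2025, 10:11:12", True),
    ("gw-old", "NetScaler NS13.0: Build 92.21.nc, Date: Jan 10 2024, 08:00:00", False),
]


def triage_fleet(fleet=SAMPLE_FLEET) -> dict:
    """Map hostname -> status for a list of (host, show version output, fips flag)."""
    return {host: triage(out, fips)["status"] for host, out, fips in fleet}


if __name__ == "__main__":
    for host, status in triage_fleet().items():
        print(f"{host:10} {status}")
```

Comparing builds as integer tuples rather than as floats matters: a hypothetical future build 43.100 is newer than 43.56, but `43.100 < 43.56` as floats. A train with no entry in the table (13.0 in the sample) is reported as `unknown-train` rather than silently passed, since the bulletin the report cites lists fixes only for the 14.1 and 13.1 trains.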
### Workarounds
1. **Limit external access:** Use firewall rules or Access Control Lists (ACLs) to restrict access to the NetScaler appliances from untrusted networks until the upgrade is applied. This reduces exposure; it is not a substitute for the patch.
2. **Session termination (after upgrading):** Upgrading closes the flaw but does not invalidate sessions that may already have been captured or hijacked while the appliance was exposed, so after updating administrators should:
    * Review current ICA and PCoIP sessions for suspicious activity with the CLI command `show icaconnection` or in the GUI under **NetScaler Gateway > PCoIP > Connections**.
    * Terminate sessions with the following commands:
        * `kill icaconnection -all`
        * `kill pcoipconnection -all`
    The `-all` form drops every user's session, including legitimate ones, so schedule it and warn users; the disruption is brief compared with leaving a hijacked session alive.
## Detection
- Indicators of Compromise (IOCs): None are published in the report. The only signal it offers is anomalous entries among the active ICA and PCoIP sessions (unexpected source addresses, users, or session counts).
- Detection methods and tools: Inspect live sessions through the NetScaler management interface:
    * Command line: `show icaconnection`
    * GUI: **NetScaler Gateway > PCoIP > Connections**
## References
- Vendor Advisories: The Citrix security bulletin of June 27. At publication it stated there was no evidence of exploitation of CVE-2025-5777; CISA's confirmation of active exploitation supersedes that statement.
- Relevant links:
* CISA Catalog Entry (General reference, exact URL not provided): hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
* Vendor Bulletin (Defanged): hxxp://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/