Full Report
Over 1,200 Citrix NetScaler ADC and NetScaler Gateway appliances exposed online are unpatched against a critical vulnerability believed to be actively exploited, allowing threat actors to bypass authentication by hijacking user sessions. [...]
Analysis Summary
# Vulnerability: Critical Authentication Bypass Flaw in Citrix NetScaler/ADC
## CVE Details
- CVE ID: Not explicitly provided in the text for the main flaw discussed. *Note: CVE-2025-6543 is mentioned for a separate DoS vulnerability.*
- CVSS Score: Not explicitly provided, but described as **critical severity**.
- CWE: Authentication Bypass (Implied)
## Affected Systems
- Products: Citrix NetScaler appliances (Implied to include ADC devices)
- Versions: Not specified, but refers to systems that are **unpatched** against the flaw.
- Configurations: Any unpatched NetScaler ADC or NetScaler Gateway deployment, particularly appliances exposed online.
## Vulnerability Description
The primary vulnerability discussed is a critical authentication bypass flaw in Citrix NetScaler appliances, which the source reporting refers to as "Citrix Bleed 2." The flaw is severe enough that it has reportedly been used to bypass Multi-Factor Authentication (MFA) via session hijacking and to carry out post-exploitation reconnaissance within targeted environments.
## Exploitation
- Status: **Exploited in the wild** (Attacks are active; ReliaQuest has assessed exploitation with medium confidence).
- Complexity: Implied **Low** to **Medium**, given the success in bypassing MFA.
- Attack Vector: **Network** (Initial access exploitation on NetScaler appliances).
## Impact
- Confidentiality: High (Indicated by post-exploitation AD reconnaissance)
- Integrity: High (Indicated by successful session hijacking)
- Availability: Unknown for this specific bypass flaw, but a related DoS flaw (CVE-2025-6543) impacts availability.
## Remediation
### Patches
- Patches are available directly from Citrix. Administrators are advised to deploy the **latest patches** immediately. (Specific patch versions are not listed in the source text).
### Workarounds
- Companies should review their **access controls**.
- Monitor Citrix NetScaler appliances for **suspicious user sessions and activity**.
## Detection
- **Indicators of Compromise (IOCs):**
  - Hijacked Citrix web sessions.
  - Session reuse across multiple, geographically disparate or suspicious IP addresses.
  - Suspicious LDAP queries originating from the NetScaler appliance, suggesting Active Directory reconnaissance.
- **Detection methods and tools:** Active monitoring of user sessions and network traffic logs associated with Citrix NetScaler appliances.
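The session-reuse indicator above can be checked mechanically: group access records by session identifier and flag any session seen from more than one source network. The script below is an added example, not part of the source report or a Citrix tool; the log lines are constructed in a simplified format (real NetScaler audit logs differ, so the regex is an assumption to adapt).

```python
"""Flag NetScaler sessions reused from more than one source network.

Added example. The log layout is a constructed, simplified one: one line per
authenticated request with timestamp, session id, source IP and path.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines: s-1001 is reused from two unrelated networks
# (the pattern to inspect), s-1002 stays on one host, s-1003 moves only
# inside a single /24 (a NAT pool or office range, not flagged).
SAMPLE_LOG = """\
2025-06-28T08:01:12Z session=s-1001 src=203.0.113.10 path=/cgi/login
2025-06-28T08:03:40Z session=s-1001 src=203.0.113.10 path=/vpn/index.html
2025-06-28T08:09:05Z session=s-1001 src=198.51.100.77 path=/vpn/index.html
2025-06-28T08:11:30Z session=s-1002 src=192.0.2.5 path=/cgi/login
2025-06-28T08:12:01Z session=s-1003 src=192.0.2.40 path=/cgi/login
2025-06-28T08:13:20Z session=s-1003 src=192.0.2.41 path=/vpn/index.html
"""

# Assumed field layout; adjust to the real audit log format in use.
LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<sid>\S+) src=(?P<ip>\S+) ")


def parse_sessions(log_text):
    """Map session id -> ordered list of (timestamp, source IP)."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sessions[m["sid"]].append((m["ts"], m["ip"]))
    return sessions


def flag_reused_sessions(log_text, prefixlen=24):
    """Return {session id: sorted distinct networks} for every session seen
    from more than one /prefixlen network. Comparing networks rather than
    raw IPs tolerates a client hopping inside one range, while a jump to an
    unrelated network is the reuse pattern worth investigating."""
    flagged = {}
    for sid, events in parse_sessions(log_text).items():
        nets = {str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
                for _, ip in events}
        if len(nets) > 1:
            flagged[sid] = sorted(nets)
    return flagged


if __name__ == "__main__":
    for sid, nets in flag_reused_sessions(SAMPLE_LOG).items():
        print(f"{sid}: seen from {len(nets)} networks {nets}")
```

Tune `prefixlen` to the environment: a smaller prefix suppresses noise from large carrier NAT pools, a larger one catches more subtle shifts.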
## References
- Vendor Advisories: Citrix official advisories regarding the critical vulnerability.
- Relevant links:
  - bleepingcomputer com/news/security/citrix-bleed-2-flaw-now-believed-to-be-exploited-in-attacks/
  - dashboard shadowserver org/statistics/combined/time-series/?date_range=other_range&d1=2025-06-17&d2=2025-06-29&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-6543%2B&dataset=unique_ips&limit=100&group_by=tag&stacking=overlap&auto_update=on (for the related DoS flaw CVE-2025-6543)