On July 10, 2025, CISA confirmed active exploitation of a critical vulnerability in Citrix NetScaler ADC and Gateway, identified as CVE-2025-5777. The flaw, dubbed Citrix Bleed 2, allows attackers to bypass authentication in configurations using Gateway or AAA virtual servers. Following confirmation, the vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) catalog, prompting emergency patching directives across federal agencies.
Date of Incident: July 10, 2025
Vulnerability ID: CVE-2025-5777
CVSS Score: 9.3 (Critical)
Alias: Citrix Bleed 2
Explanation
The vulnerability stems from insufficient input validation in the Gateway management interface. Attackers sent specially crafted HTTP requests that bypassed the authentication mechanisms, gaining access to internal systems without credentials. Exploitation was limited to internet-exposed NetScaler instances, particularly those with weak interface protections.
After bypassing authentication, attackers deployed reconnaissance tools to map internal networks and, in some cases, launched ransomware payloads. The vulnerability gave threat actors a direct path into sensitive systems, especially in misconfigured or unpatched environments.
Impact
Unauthorized Access: Attackers gained entry into protected internal infrastructure.
Data Exfiltration: Potential theft of sensitive data from internal systems.
Network Compromise: Authentication bypass enabled lateral movement inside networks.
Compliance Risk: Federal and regulated environments faced mandated patch timelines.
MITRE ATT&CK Mapping
Tactic: Initial Access (TA0001): T1190 – Exploit Public-Facing Application (via exposed Gateway interface)
Tactic: Privilege Escalation (TA0004): T1078 – Valid Accounts (authentication bypass simulates valid session)
Tactic: Collection (TA0009): T1005 – Data from Local System (retrieved sensitive files post-access)
IOCs
Domains: None publicly disclosed
IP Addresses: 192.0.2.67 (example attacker IP)
File Hashes: None specific
Log Artifacts
Jul 10 2025 14:33:21 [NetScaler] Authentication bypass attempt from 192.0.2.67
Jul 10 2025 14:33:22 [NetScaler] Unauthorized access to /vpn/index.html
Remediation
Vendor Patch Guidance: Apply Citrix’s security updates for all affected NetScaler ADC and Gateway appliances.
Temporary Mitigations: Restrict access to the management interface. Disable unused virtual servers and expose only necessary services.
Known Workarounds: Use Intrusion Prevention System (IPS) signatures to detect and block malicious request patterns.
Threat Hunting Recommendations
Log Correlation: Search for repeated or anomalous HTTP requests to /vpn/ endpoints, particularly unauthorized access attempts.
YARA Rule:
rule Citrix_NetScaler_Auth_Bypass {
    meta:
        description = "Detects malicious requests for CVE-2025-5777"
        author = "FireCompass Threat Research"
    strings:
        $s1 = "/vpn/index.html" ascii
        $s2 = "bypass=1" ascii
    condition:
        all of them
}
Anomalous Traffic: Monitor for a spike in HTTP request volume targeting NetScaler interfaces or abnormal session behavior.
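The log-correlation step above can be scripted. The following is an added example, not FireCompass tooling: it parses lines in the format of the Log Artifacts section, counts authentication-bypass attempts per source within a sliding window, and flags unauthorized /vpn/ access. The log sample is constructed, and it assumes the appliance records a source IP on each line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the log artifacts above (not real telemetry).
SAMPLE_LOG = """\
Jul 10 2025 14:33:21 [NetScaler] Authentication bypass attempt from 192.0.2.67
Jul 10 2025 14:33:22 [NetScaler] Unauthorized access to /vpn/index.html from 192.0.2.67
Jul 10 2025 14:33:40 [NetScaler] Authentication bypass attempt from 192.0.2.67
Jul 10 2025 14:34:05 [NetScaler] Authentication bypass attempt from 192.0.2.67
Jul 10 2025 15:10:00 [NetScaler] Authentication bypass attempt from 198.51.100.9
Jul 10 2025 15:12:00 [NetScaler] Unauthorized access to /vpn/index.html from 198.51.100.9
"""

# Timestamp, tag, free-text message, optional trailing "from <ipv4>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \[NetScaler\] (?P<msg>.*?)"
    r"(?: from (?P<ip>\d+\.\d+\.\d+\.\d+))?$"
)

def parse(log_text):
    """Return a list of (timestamp, source_ip or None, message) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("msg")))
    return events

def hunt(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: [reasons]} for sources that merit escalation."""
    findings = defaultdict(list)
    attempts = defaultdict(list)
    for ts, ip, msg in parse(log_text):
        if ip is None:
            continue
        if "Authentication bypass attempt" in msg:
            attempts[ip].append(ts)
        elif "Unauthorized access to /vpn/" in msg:
            findings[ip].append("unauthorized /vpn/ access")
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip].append(f"{threshold}+ bypass attempts within {window}")
                break
    return dict(findings)
```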
Takeaway for CISOs
Remote access gateways continue to be one of the most targeted entry points for attackers. CISOs must enforce strict access controls, audit interface exposure, and ensure zero-delay patching of public-facing assets.
How FireCompass Can Help Identify Exposed Gateways
FireCompass CART (Continuous Automated Red Teaming) continuously maps your external attack surface to identify exposed gateways. It tests authentication controls, detects weak configurations, and emulates exploitation paths to prioritize patching before attackers can act.