CitrixBleed 2: 100 Organizations Hacked, Thousands of Instances Still Vulnerable
securityweek
At least 100 organizations have been hacked via the exploitation of CitrixBleed 2, a critical NetScaler vulnerability patched in mid-June, and thousands of instances remain vulnerable.
Tracked as CVE-2025-5777 (CVSS score of 9.3), the flaw is described as an insufficient input validation issue that could allow attackers to read out-of-bounds memory.
Security researchers demonstrated that the bug can be exploited to retrieve session tokens from vulnerable NetScaler instances, allowing attackers to hijack authenticated sessions and bypass multi-factor authentication (MFA). CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch it immediately.
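As an added illustration of the bug class the article names (an insufficient input check that lets a request read past its own data into adjacent memory holding another user's secret), here is a constructed C example. It is not from SecurityWeek and not NetScaler's code: a hypothetical request handler echoes a submitted form field back using the length the client declared, placed beside a hardened version that derives the length from the data itself. The per-request arena layout, the function names and the session-token string are all assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of an out-of-bounds read caused by trusting a
 * client-supplied length. This is not NetScaler code; the layout, names and
 * token value are made up for the demo.
 */
#define FIELD_MAX 16                        /* bytes reserved for the form field    */
#define TOKEN_MAX 32                        /* bytes reserved for the session token */
#define ARENA_SIZE (FIELD_MAX + TOKEN_MAX)

/* One contiguous per-request arena (assumed layout): the submitted field sits
 * right before the caller's session token, so any over-read of the field
 * spills into the token. */
struct request_ctx {
    char arena[ARENA_SIZE];
};

static void ctx_init(struct request_ctx *ctx, const char *field, const char *token)
{
    memset(ctx->arena, 0, sizeof ctx->arena);
    strncpy(ctx->arena, field, FIELD_MAX - 1);               /* always NUL-terminated */
    strncpy(ctx->arena + FIELD_MAX, token, TOKEN_MAX - 1);
}

/* Vulnerable: echoes 'claimed_len' bytes of the field into the response without
 * checking that the field is actually that long. A client that submits a 4-byte
 * value but declares a length of 40 receives the bytes after it, i.e. the token.
 * The clamp to ARENA_SIZE only keeps the demo inside one C object. */
static size_t echo_field_vulnerable(const struct request_ctx *ctx, size_t claimed_len,
                                    char *out, size_t out_sz)
{
    if (claimed_len > ARENA_SIZE) claimed_len = ARENA_SIZE;
    if (claimed_len > out_sz - 1) claimed_len = out_sz - 1;
    memcpy(out, ctx->arena, claimed_len);                     /* reads past the field */
    out[claimed_len] = '\0';
    return claimed_len;
}

/* Hardened: the copy length is bounded by the field's real length, never by the
 * client's claim, and a claim exceeding the real length is rejected outright. */
static size_t echo_field_hardened(const struct request_ctx *ctx, size_t claimed_len,
                                  char *out, size_t out_sz)
{
    const char *nul = memchr(ctx->arena, '\0', FIELD_MAX);
    size_t actual = nul ? (size_t)(nul - ctx->arena) : FIELD_MAX;
    if (claimed_len > actual || claimed_len > out_sz - 1)
        return 0;                                             /* reject the request */
    memcpy(out, ctx->arena, claimed_len);
    out[claimed_len] = '\0';
    return claimed_len;
}

/* Returns 1 if the vulnerable handler leaks the token into the response. */
int vulnerable_leaks_token(void)
{
    struct request_ctx ctx;
    char out[64];
    ctx_init(&ctx, "user", "sessid-deadbeefcafe");          /* constructed sample data */
    size_t n = echo_field_vulnerable(&ctx, 40, out, sizeof out);
    return n == 40 && memcmp(out + FIELD_MAX, "sessid-deadbeefcafe", 19) == 0;
}

/* Returns 1 if the hardened handler rejects the oversized claim but still
 * serves an honest one. */
int hardened_rejects_overread(void)
{
    struct request_ctx ctx;
    char out[64];
    ctx_init(&ctx, "user", "sessid-deadbeefcafe");
    if (echo_field_hardened(&ctx, 40, out, sizeof out) != 0) return 0;
    return echo_field_hardened(&ctx, 4, out, sizeof out) == 4 && strcmp(out, "user") == 0;
}

int main(void)
{
    printf("vulnerable handler leaks token: %s\n", vulnerable_leaks_token() ? "yes" : "no");
    printf("hardened handler rejects over-read: %s\n", hardened_rejects_overread() ? "yes" : "no");
    return 0;
}
```

The point of the hardened version is that the server never lets a request-supplied number decide how much memory is read; the bound comes from the data it already validated. Whatever NetScaler's actual defect looks like, a leaked session token is exactly what the article says attackers used to hijack sessions without passing MFA.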
Fresh reports from security researcher Kevin Beaumont and threat intelligence firm GreyNoise reveal, however, that in-the-wild exploitation of the security defect began long before proof-of-concept (PoC) code was shared publicly.
The security researcher, who warned of the risks associated with CVE-2025-5777 shortly after Citrix released patches on June 17, and who named the bug CitrixBleed 2, says ...
Copyright of this story solely belongs to securityweek.