CitrixBleed 2 Flaw Poses Unacceptable Risk: CISA
securityweek
The US cybersecurity agency CISA is calling urgent attention to a recently disclosed Citrix NetScaler vulnerability that has been compared to the infamous CitrixBleed flaw of 2023.
Tracked as CVE-2025-5777 (CVSS score of 9.3), the security defect was disclosed on June 17, when Citrix rolled out patches for it, warning that it could be exploited to read out-of-bounds memory.
The flaw is referred to as CitrixBleed 2, after security researcher Kevin Beaumont compared it to the widely exploited CVE-2023-4966 (dubbed CitrixBleed).
Affecting all NetScaler ADC and NetScaler Gateway deployments configured as a gateway or AAA virtual server, the security defect can be triggered using incorrect login requests, to which the appliance responds with portions of memory content.
Attackers can send repeated requests to NetScaler’s authentication endpoint to retrieve additional memory contents, cybersecurity firms watchTowr and Horizon3.ai revealed in technical writeups.
The exposed information can include session tokens ...
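The pattern described above, an attacker repeatedly hitting the authentication endpoint to pull more memory, is one a defender can look for in access logs. The following is an added detection example, not code from the article or from the watchTowr/Horizon3.ai writeups; the log line format, the endpoint path placeholder and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Flag source addresses that send bursts of requests to the NetScaler
authentication endpoint, the behaviour described for CVE-2025-5777 probing.
Assumptions: a simplified "timestamp src method path" log format, a
placeholder endpoint path (substitute the real one from vendor guidance),
and a burst threshold of 5 requests within 60 seconds."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the article does not name the endpoint path, so this is an assumption.
AUTH_ENDPOINT = "/AUTH_ENDPOINT_PLACEHOLDER"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")

# Constructed sample log: one source bursts six auth requests in 30 seconds,
# another sends two auth requests five minutes apart (normal user behaviour).
SAMPLE_LOG = [
    "2025-06-25T10:00:00 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:04 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:05 198.51.100.7 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:07 203.0.113.10 GET /vpn/index.html",
    "2025-06-25T10:00:09 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:15 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:22 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:00:30 203.0.113.10 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
    "2025-06-25T10:05:00 198.51.100.7 POST /AUTH_ENDPOINT_PLACEHOLDER/login",
]

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def flag_repeated_auth_probes(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak_count} for sources whose requests to the auth endpoint
    reach `threshold` inside any sliding window of length `window`."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["path"].startswith(AUTH_ENDPOINT):
            per_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # slide the window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[src] = max(flagged.get(src, 0), hits)
    return flagged
```

Tune the threshold and window to the appliance's normal login volume before alerting on this; a single burst is a cue to check the appliance's patch level and to review active sessions, not proof of exploitation.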
Copyright of this story solely belongs to securityweek.