Solace Cyber Urges Immediate Action on New ‘CitrixBleed 2’ Vulnerability Threatening Businesses Worldwide
Solace Cyber is issuing an urgent warning to businesses and IT leaders following the discovery of a critical vulnerability (CVE-2025-5777), dubbed CitrixBleed 2, affecting Citrix NetScaler ADC and Gateway systems.
The flaw is already being actively exploited in the wild, exposing businesses to the risk of session hijacking, credential theft, and ransomware attacks.
“This is a high-risk, low-effort vulnerability that attackers are already using to breach corporate networks,” said Adam Pooley, Head of Forensics at Solace Cyber. “If your business relies on Citrix, patching is not optional, it’s critical.”
About the Vulnerability
CitrixBleed 2 is a memory disclosure flaw that can be triggered by a single malformed HTTP POST request, causing the server to leak sensitive data including active session tokens, admin credentials, and private keys. This means attackers can access systems without needing to log in.
Security analysts have confirmed exploitation dating back to mid-June, and on 10th July, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities list, requiring US federal agencies to patch within just 24 hours.
What’s at Risk?
• No authentication required – Attackers do not need login credentials.
• Live exploitation – Ransomware groups are believed to be actively targeting exposed systems.
• Default configurations are vulnerable – HTTP/2 is enabled by default, widening the attack surface.
Affected Versions
• NetScaler ADC and Gateway 14.1 BEFORE 14.1-43.56
• NetScaler ADC and Gateway 13.1 BEFORE 13.1-58.32
• NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235
• NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328
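To check an inventory against the list above, the following is an added example, not code from Solace Cyber or Citrix. The edition labels ("standard", "fips"), the sample inventory and the "NS14.1: Build 43.56.nc" input form are assumptions of this example; the fixed-build numbers are the ones listed above.

```python
import re

# Fixed-build thresholds copied from the "Affected Versions" list above.
# Key: (release branch, edition). Edition labels are this example's own.
FIXED_BUILDS = {
    ("14.1", "standard"): (43, 56),
    ("13.1", "standard"): (58, 32),
    ("13.1", "fips"): (37, 235),   # 13.1-FIPS and NDcPP
    ("12.1", "fips"): (55, 328),   # 12.1-FIPS
}

# Accepts "14.1-43.56" (as written on this page) and, as an assumed
# `show version` form, "NS14.1: Build 43.56.nc".
VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def assess(version, edition="standard"):
    """Return 'affected', 'fixed' or 'not-listed' for one appliance."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1)
    # Compare build numbers as integer pairs: 58.4 is OLDER than 58.32,
    # which a string or float comparison would get wrong.
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "not-listed"  # the list above says nothing about this branch
    return "affected" if build < fixed else "fixed"


def triage(inventory):
    """Map each (host, version, edition) row to (host, status)."""
    return [(host, assess(ver, ed)) for host, ver, ed in inventory]


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    ("gw-lon-01", "NS14.1: Build 43.50.nc", "standard"),
    ("gw-lon-02", "14.1-43.56", "standard"),
    ("adc-dc-01", "13.1-58.4", "standard"),
    ("adc-fips-01", "13.1-37.235", "fips"),
    ("adc-old-01", "13.0-92.21", "standard"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

A "not-listed" result means the branch does not appear in the list above and needs to be checked against the vendor bulletin separately.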
Recommended Actions
1. Patch immediately – Fixed versions are available from Citrix.
2. Terminate all sessions – Use kill icaconnection -all and kill pcoipConnection -all.
3. Assume compromise – Reset credentials, monitor logs, and deploy EDR solutions.
Solace Cyber: Here to Help
Solace Cyber has previously responded to multiple ransomware incidents related to the original CitrixBleed vulnerability. The Digital Forensics and Incident Response team is on standby to support businesses with urgent patching, breach response, and ongoing monitoring.
“CitrixBleed 2 represents a clear and present danger. If you suspect exposure or need help securing your Citrix infrastructure, don’t wait. Contact our team now.”
Contact:
Solace Cyber DFIR Team
01202 308818
uk.cir@solaceglobal.com
solacecyber.co.uk
This press release was distributed by ResponseSource Press Release Wire on behalf of SOLACE GLOBAL CYBER LTD in the following categories: Business & Finance, Public Sector, Third Sector & Legal, Computing & Telecoms, for more information visit https://pressreleasewire.responsesource.com/about.