Early Exploitation Evades Detection

Security firm GreyNoise observed targeted exploitation attempts against CVE-2025-5777, dubbed CitrixBleed 2, as early as June 23, 2025, nearly two weeks before proof-of-concept exploits were published on July 4. The attempts came from IP addresses geolocated to China and targeted a critical (CVSS 9.3) memory overread flaw in Citrix NetScaler ADC and NetScaler Gateway appliances. Despite this activity, Citrix's initial guidance stated there was "no evidence of attacks".

"GreyNoise has observed active exploitation attempts against CitrixBleed 2. Exploitation began on June 23—nearly two weeks before a public PoC was released," the firm confirmed to BleepingComputer.

Vendor Silence and Delayed Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog on July 9, after GreyNoise's verification, and gave federal agencies just one day to patch. Citrix did not update its June 26 advisory until July 11, after CISA's alert, and did not acknowledge active exploitation until pressured to. Security researcher Kevin Beaumont criticized the lack of transparency:

"Citrix failed to share critical indicators of compromise (IoCs) that researchers provided privately. Their Web Application Firewall still doesn’t detect these attacks."

Technical Mechanism and Attack Impact

CitrixBleed 2 is an out-of-bounds memory read caused by insufficient input validation in the NetScaler authentication endpoint, reachable without credentials on appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The attacker sends a POST request to /p/u/doAuthentication.do whose body is the bare parameter name "login", with no "=" and no value. The appliance echoes the login field back in the InitialValue element of its XML response, but because no value was supplied it copies from an uninitialized buffer instead, leaking up to 127 bytes of appliance memory per request. Repeating the request eventually returns session tokens, which an attacker can replay to take over an authenticated session and reach internal resources without a password or MFA.

Horizon3 and watchTowr researchers demonstrated how repeated requests harvest session tokens and other in-memory data, enabling session hijacking. Beaumont identified these IoCs in logs:
- POST requests to doAuthentication.do with a Content-Length: 5 header (the exploit body is the five-byte string "login"; a genuine login form submission is far longer)
- Non-ASCII bytes (0x80–0xFF) in usernames recorded in ns.log, where leaked memory spills into the login field
- Sessions whose client IP changes while the session is active, indicating a token replayed from the attacker's host
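As an added example (not code from BleepingComputer, Citrix, GreyNoise, or the researchers quoted here), the Python script below runs the three log checks above, plus a logout-without-login check for the "unexpected logoffs" mentioned later, over constructed sample lines. It assumes that ns.log SSLVPN LOGIN/LOGOUT entries carry "SessionId: N", "User X" and "Client_ip A.B.C.D" fields (an approximation of the common NetScaler AAA log layout, adjust the regex to your build), and that Content-Length is available from a proxy or WAF access log in front of the appliance, since NetScaler does not log request headers by default. The sample lines are constructed, not real logs; point load_lines() at real files to use it.

```python
"""Hunt for CitrixBleed 2 (CVE-2025-5777) indicators in NetScaler logs.

Added illustrative code; not from the original article, Citrix, GreyNoise
or Kevin Beaumont. The log layouts below are assumptions (see lead-in).
"""
import re

# Constructed sample lines (not real logs). The access-log layout is
# hypothetical: client IP, request line, then the request header of interest.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 "POST /p/u/doAuthentication.do HTTP/1.1" Content-Length: 5',
    '198.51.100.7 "POST /p/u/doAuthentication.do HTTP/1.1" Content-Length: 61',
    '203.0.113.5 "POST /p/u/doAuthentication.do HTTP/1.1" Content-Length: 5',
    '192.0.2.9 "GET /vpn/index.html HTTP/1.1" Content-Length: 0',
]

# Constructed ns.log lines approximating SSLVPN LOGIN/LOGOUT events. Leaked
# memory in the User field is written as \x escapes to keep the sample printable.
SAMPLE_NS_LOG = [
    'Jul 07 10:00:01 ns 0-PPE-0 : default SSLVPN LOGIN 100 0 : Context alice@10.1.1.20'
    ' - SessionId: 41- User alice - Client_ip 10.1.1.20 - Vserver 10.0.0.1:443',
    'Jul 07 10:00:05 ns 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context \xe9\x8b\xa0@203.0.113.5'
    ' - SessionId: 42- User \xe9\x8b\xa0 - Client_ip 203.0.113.5 - Vserver 10.0.0.1:443',
    'Jul 07 10:09:30 ns 0-PPE-0 : default SSLVPN LOGOUT 102 0 : Context alice@10.1.1.20'
    ' - SessionId: 41- User alice - Client_ip 203.0.113.5 - Vserver 10.0.0.1:443',
    'Jul 07 10:12:00 ns 0-PPE-0 : default SSLVPN LOGOUT 103 0 : Context bob@10.1.1.30'
    ' - SessionId: 77- User bob - Client_ip 10.1.1.30 - Vserver 10.0.0.1:443',
]

AUTH_POST = re.compile(r'"POST\s+\S*doAuthentication\.do\b.*?Content-Length:\s*(\d+)')
SSLVPN_EVENT = re.compile(
    r'SSLVPN (?P<event>LOGIN|LOGOUT) .*?SessionId: (?P<sid>\d+)\D+?'
    r'User (?P<user>.*?) - Client_ip (?P<ip>\S+)'
)


def load_lines(path):
    """Read a log as latin-1 so every raw byte 0x80-0xFF survives as one
    character with the same ordinal (UTF-8 decoding would raise or mangle it)."""
    with open(path, encoding="latin-1") as fh:
        return [line.rstrip("\n") for line in fh]


def find_short_auth_posts(access_lines, body_len=5):
    """IoC 1: POSTs to doAuthentication.do with Content-Length: 5.
    The exploit body is the bare string 'login' (5 bytes, no '=' or value);
    a genuine login form submission is far longer. Returns (client_ip, line)."""
    hits = []
    for line in access_lines:
        m = AUTH_POST.search(line)
        if m and int(m.group(1)) == body_len:
            hits.append((line.split()[0], line))
    return hits


def parse_events(ns_lines):
    """Extract SSLVPN LOGIN/LOGOUT events as dicts with event, sid, user, ip."""
    return [m.groupdict() for m in map(SSLVPN_EVENT.search, ns_lines) if m]


def find_non_ascii_users(ns_lines):
    """IoC 2: usernames containing bytes 0x80-0xFF. Nobody types these into a
    NetScaler login form; they are leaked memory bleeding into the field."""
    return [e for e in parse_events(ns_lines) if any(ord(c) >= 0x80 for c in e["user"])]


def find_session_anomalies(ns_lines):
    """IoC 3: a session whose Client_ip differs between LOGIN and a later event
    (a token replayed from the attacker's host), plus LOGOUTs for sessions with
    no LOGIN inside the log window (one reading of 'unexpected logoffs')."""
    login_ip = {}
    anomalies = []
    for e in parse_events(ns_lines):
        sid = e["sid"]
        if e["event"] == "LOGIN":
            login_ip[sid] = e["ip"]
        elif sid not in login_ip:
            anomalies.append(("logout_without_login", sid, e["user"], e["ip"]))
        elif login_ip[sid] != e["ip"]:
            anomalies.append(("ip_changed", sid, e["user"], f"{login_ip[sid]} -> {e['ip']}"))
    return anomalies


def hunt(access_lines, ns_lines):
    """Run all checks and return a summary dict keyed by indicator name."""
    return {
        "short_auth_posts": find_short_auth_posts(access_lines),
        "non_ascii_users": find_non_ascii_users(ns_lines),
        "session_anomalies": find_session_anomalies(ns_lines),
    }


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_ACCESS_LOG, SAMPLE_NS_LOG).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample data the script flags two five-byte POSTs from 203.0.113.5, one username made of leaked bytes, session 41 logging out from a different IP than it logged in from, and a logout for session 77 with no login in the window. On a real appliance the IP-change check is the strongest of the four; NAT and mobile clients can change IPs legitimately, so treat a single hit as a lead to correlate with the other indicators rather than as proof of compromise.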

Incomplete Mitigation Guidance

Citrix recommends terminating ICA and PCoIP sessions after patching, but Beaumont warns that this leaves other session types that a stolen token can hijack (RDP, SSH, Telnet, and AAA sessions) untouched. He advises running the following NetScaler CLI commands to clear every potentially compromised session:

kill pcoipConnection -all
kill icaconnection -all
kill rdpConnection -all
kill sshConnection -all
kill telnetConnection -all
kill connConnection -all
kill aaa session -all

Administrators must also audit logs for sessions whose client IP at login differs from the source IP of later activity, and for unexpected logoffs. Imperva reported 11.5 million exploit attempts, with 40% aimed at financial institutions. Beaumont confirmed more than 120 organizations compromised since June 20.

The Patching Imperative

Citrix finally released detection guidance on July 15, but there is still no mitigation short of patching. End-of-life NetScaler versions (12.1 and 13.0) receive no fix and must be upgraded to a supported, patched release immediately. Upgrading alone is not enough: the session-termination commands above need to run once every appliance in an HA pair or cluster is on a fixed build, so that sessions established with already-leaked tokens do not survive the patch. With the threat actors selectively targeting enterprises and avoiding honeypots, public exploit telemetry understates real activity, and every day of delayed remediation widens the exposure. The incident underscores critical gaps in vendor transparency and the escalating cost of downplaying zero-day threats.

Source: BleepingComputer (Lawrence Abrams)