MFA? Irrelevant. CitrixBleed 2 Lets Hackers Take Over Without Logging In

Citrix has disclosed two high-impact vulnerabilities—CVE-2025-5777 (dubbed CitrixBleed 2) and CVE-2025-5349—affecting NetScaler ADC and Gateway appliances. These flaws, particularly CitrixBleed 2, enable unauthenticated attackers to extract sensitive session data directly from memory, potentially allowing for complete session hijacking, MFA bypass, and unauthorized access to enterprise networks.

Understanding the Vulnerabilities

CVE-2025-5777 – “CitrixBleed 2”

• Vulnerability Type: Out-of-bounds memory read
• Attack Surface: Publicly exposed NetScaler ADC/Gateway instances configured as:
  • VPN virtual servers
  • ICA proxy
  • Clientless VPN (CVPN)
  • RDP proxy
  • AAA authentication endpoints
• Impact: Allows attackers to access memory regions containing:
  • Session tokens
  • Credentials
  • Authentication secrets

This vulnerability mirrors CVE-2023-4966, a flaw heavily exploited in 2023 by both state-sponsored and ransomware threat actors.

CVE-2025-5349 – Improper Access Control

• Scope: Affects the NetScaler management interface
• Requirements: The attacker must have access to NSIP, Cluster IP, or Local GSLB IP
• Impact: Unauthorized actions within the management interface, potential configuration tampering or lateral movement.

Exploitation Mechanics: How It Works

Token Leakage & Session Hijacking

CVE-2025-5777 allows attackers to send specially crafted requests to vulnerable endpoints. These requests read memory segments where active authentication session tokens are temporarily stored.

Example Attack Chain:

1. Attacker scans the internet for vulnerable NetScaler Gateway endpoints.
2. Sends an unauthenticated payload exploiting the memory-read vulnerability.
3. Extracts session tokens, including MFA-authenticated cookies.
4. Replays stolen tokens via browser or HTTP client, gaining access to internal portals as a legitimate user.
5. Moves laterally across internal systems or escalates privileges depending on session role.

MFA is ineffective in this scenario because the session is already validated and authenticated when the token is stolen.

Improper Access Control Scenario (CVE-2025-5349)

Example Exploitation:

• A misconfigured firewall allows an attacker to reach the NSIP (management IP).
• The attacker uses crafted API requests to exploit access control flaws.
• Gains unauthorized access to modify configurations or extract credentials stored in management dashboards.

Risk to Organizations

• Over 56,000 NetScaler devices are exposed to the internet (per Kevin Beaumont).
• Government, finance, and healthcare sectors frequently rely on NetScaler for secure remote access.
• Attackers can gain access to:
  • Internal corporate dashboards
  • Virtual desktops via ICA
  • Enterprise file shares
  • Administrative interfaces

Historical Precedent: The original CitrixBleed (CVE-2023-4966) led to:

• Ransomware deployments
• Credential theft and espionage campaigns
• Supply chain breaches due to reused tokens

Mitigation Strategy

1. Patch Immediately

Deploy the following fixed builds:

• 14.1-43.56
• 13.1-58.32
• 13.1-37.235 (NDcPP/FIPS)
• 12.1-55.328 (FIPS only)

Note: Versions 12.1 (non-FIPS) and 13.0 are end-of-life and will not receive patches. Organizations still on these should migrate immediately.

Invalidate Active Sessions Post-Patch

Failure to invalidate sessions leaves organizations exposed even after patching, as attackers can continue using stolen tokens.

2.Run the following commands after upgrading:

bashCopyEditshow icaconnection
show pcoipconnection

kill icaconnection -all
kill pcoipconnection -all

These ensure all ICA and PCoIP sessions are terminated, eliminating any session tokens that may have been compromised.

3. Audit and Monitor

Implement:

• Log analysis of NetScaler Gateway access patterns
• Alerts for session token reuse
• Endpoint detection for lateral movement from compromised sessions
• Restrict management interface (NSIP) access to known IPs only

Strategic Considerations for Blue Teams

• Asset Inventory: Identify all NetScaler appliances, especially internet-facing ones.
• Zero Trust Design: Isolate VPN-accessed resources behind separate authentication layers.
• Session Expiry Hygiene: Enforce stricter idle and lifetime timeouts for high-privilege sessions.
• Tabletop Exercises: Simulate session hijacking scenarios to assess SOC response.

CitrixBleed 2 serves as another urgent reminder that modern attackers exploit not just bugs, but the lag in operational response. Even after applying a patch, the window remains open if token invalidation is skipped.

In memory-leaking vulnerabilities, patch + session reset = full remediation. Anything less is partial security.