Citrix Bleed 2 – new NetScaler vulnerability dangerous after all? Experts have their doubts

Klaudia Ciesielska

A new vulnerability in Citrix NetScaler – designated CVE-2025-5777 and unofficially named ‘Citrix Bleed 2’ – puts administrators in an uncomfortable position. Although Citrix has reassured that the bug is not being actively exploited, the publication of a proof-of-concept and analysis of logs suggest the opposite.

The vulnerability allows the device’s memory to be read via simple POST requests. In practice, each attempt yields only a small leak, 127 bytes, but through repeated requests it is possible to recover valuable information, including login data or session tokens. This is exactly the category of bug that, in the wrong hands, escalates into serious security incidents.

While Citrix has asserted that there is no evidence of active exploitation of the vulnerability, security researchers point out that traces of exploitation attempts can be found in device logs. And history, in the form of the earlier Citrix Bleed vulnerability from 2023, shows that delaying a response can come at a high price. The previous bug was also initially trivialised, and it ended in massive ransomware attacks and data leaks at companies that failed to apply patches in time.
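The pattern described above, one client issuing many small POST requests to the same endpoint until something useful appears in the leaked bytes, is visible in access logs as a burst. The following detector is an added example written for this article, not code from Citrix or from the article’s author. It assumes a constructed, generic web-log format (real NetScaler log layouts differ and the regular expression must be adapted), a hypothetical `/login` path, chronologically ordered input, and illustrative thresholds; the sample traffic is constructed, not real data.

```python
"""Heuristic burst detector for repeated POST requests from one client to one path.

Assumptions (not from the article): the log format below is a constructed,
generic web-log layout; real NetScaler log formats differ and LOG_RE must be
adapted. Input lines are expected in chronological order. The threshold and
window are illustrative starting points, not validated tuning values.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed format: <client_ip> [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line):
    """Parse one constructed-format log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec


def find_post_bursts(lines, threshold=20, window_seconds=60):
    """Flag (ip, path) pairs that issued at least `threshold` POSTs inside any
    `window_seconds` span.

    A per-(ip, path) sliding window of timestamps is kept, so memory grows with
    the requests inside the window rather than with the whole log.
    Returns a sorted list of (ip, path, peak_count_within_window).
    """
    windows = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["ip"], rec["path"])
        q = windows[key]
        q.append(rec["ts"])
        # Evict timestamps that have fallen out of the window (input is chronological).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return sorted((ip, path, n) for (ip, path), n in peak.items())


def build_sample_log():
    """Constructed sample traffic (not real data): three clients each doing one
    normal GET+POST login, plus one client (203.0.113.7, a documentation-range
    address) repeating the same POST every second for 30 seconds."""
    base = datetime(2025, 6, 25, 10, 0, 0)
    events = []
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        t = base + timedelta(seconds=7 * i)
        events.append((t, f'{ip} [{t:{TS_FMT}}] "GET /login HTTP/1.1" 200 5120'))
        t = t + timedelta(seconds=4)
        events.append((t, f'{ip} [{t:{TS_FMT}}] "POST /login HTTP/1.1" 302 0'))
    for i in range(30):
        t = base + timedelta(seconds=i)
        events.append((t, f'203.0.113.7 [{t:{TS_FMT}}] "POST /login HTTP/1.1" 200 1543'))
    events.sort()  # the detector expects chronological order
    return [line for _, line in events]


if __name__ == "__main__":
    for ip, path, count in find_post_bursts(build_sample_log()):
        print(f"burst: {ip} sent {count} POSTs to {path} within the window")
```

Tune `threshold` and `window_seconds` to the normal login rate of the deployment; a legitimate client rarely re-submits the same authentication POST dozens of times per minute, which is why the three ordinary clients in the sample are not flagged while the repeating one is. Response size is deliberately not used as a signal, since the leaked bytes are embedded in an otherwise normal-looking response.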

Citrix has already released updates patching CVE-2025-5777 and recommends not only installing them immediately but also manually terminating active sessions, because session tokens leaked before the patch remain usable until those sessions are ended. This precaution limits the impact of a leak that may already have occurred.


The incident raises questions about how much confidence to place in vendors’ claims and shows once again that ‘no evidence’ is not the same as ‘no attacks’. For security teams, the message is that every vulnerability, including those officially described as not actively exploited, should be prioritised.

Conclusions? Responding based on vendor PR is the wrong security strategy. Citrix Bleed 2 may not become a repeat of 2023, but only if administrators respond quickly, not just when the first victim appears.
