CitrixBleed 2: Session Hijacking Returns

CVE-2025-5777 echoes the devastating CitrixBleed from 2023. Same product, same attack class, same devastating impact on NetScaler ADC and Gateway appliances.

June 2025 delivered one of the year’s most severe vulnerabilities: CVE-2025-5777, quickly named CitrixBleed 2 by the security community. The name isn’t creative—it’s accurate. This vulnerability echoes the devastating CitrixBleed (CVE-2023-4966) from two years prior.

Same product. Same attack class. Same devastating impact.

How CitrixBleed 2 Works

CVE-2025-5777 affects Citrix NetScaler ADC and Gateway appliances. It’s a memory over-read vulnerability that allows unauthenticated attackers to extract sensitive information from the appliance’s memory—specifically, session tokens.

With a valid session token in hand, an attacker can:

  1. Import the token into their own browser
  2. Resume the victim’s authenticated session
  3. Access whatever the victim had access to
  4. Bypass MFA entirely (the session is already authenticated)

No credentials stolen. No phishing required. Just network access to a vulnerable appliance and patience.

The original CitrixBleed was used extensively by ransomware groups in late 2023 and early 2024. LockBit, Medusa, and others leveraged it for initial access into corporate networks. CitrixBleed 2 provides the same capability to a new generation of attacks.

Multiple Critical Vulnerabilities

CitrixBleed 2 didn’t arrive alone. Recent months have seen multiple critical vulnerabilities in network security products:

Cisco ISE - CVE-2025-20337: Full unauthenticated remote code execution on Identity Services Engine. Security teams observed exploitation delivering custom web shells within days of disclosure.

Fortinet Products: Ongoing exploitation of multiple vulnerabilities across FortiOS, FortiManager, and FortiWeb. Attackers modified firewall configurations, created admin accounts, and established VPN persistence.

Threat actors chain these vulnerabilities together. A typical attack path:

  1. Exploit Citrix Gateway to steal a VPN session
  2. Use that session to access internal resources
  3. Pivot to Cisco ISE for identity infrastructure compromise
  4. Establish persistence through Fortinet firewall modifications

Each vulnerability alone is serious. Combined, they enable complete network takeover.

The Perimeter Paradox

Network security appliances exist to protect organizations. But their position at the network perimeter makes them uniquely valuable targets:

  • They’re internet-facing by design
  • They authenticate users to internal resources
  • They often have broad network visibility
  • They’re trusted by other systems

When these devices are compromised, attackers gain the keys to the kingdom. They can intercept traffic, harvest credentials, and pivot anywhere.

Yet many organizations treat network appliances differently than other infrastructure:

  • Patching requires maintenance windows (delayed for convenience)
  • Testing patches on production appliances is risky
  • Redundancy may not exist (single points of failure)
  • Configuration management is often manual

This creates a gap between the security these devices provide and the security they receive.

Post-Patch Isn’t Post-Compromise

A critical lesson from both CitrixBleed incidents: patching alone isn’t enough.

Session tokens stolen before patching remain valid after patching. If an attacker captured tokens last week and you patched today, those tokens still work. The attacker can still access your network.

After patching CitrixBleed 2:

  1. Terminate all active sessions. Force every user to re-authenticate. Yes, it’s disruptive. The alternative is worse.

  2. Rotate sensitive credentials. Any credentials that passed through the vulnerable appliance should be considered potentially exposed.

  3. Review logs for anomalies. Look for sessions from unexpected geographies, devices, or times. Attackers often test stolen tokens before major operations.

  4. Monitor for persistence mechanisms. Attackers who gained access may have established backdoors elsewhere in the network.

Checklist: Network Appliance Security

  • Inventory all internet-facing network appliances (VPN, gateway, load balancer, WAF)
  • Verify patch status for all appliances—not just Citrix
  • After patching session-related vulnerabilities, terminate all active sessions
  • Implement alerting for session anomalies: new geography, new device, unusual hours
  • Review session timeout policies—shorter is more secure
  • Consider session binding to client characteristics where feasible
  • Establish expedited patching processes for perimeter device critical vulnerabilities
  • Test patches in lab environments but don’t let testing delay critical patches indefinitely
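The post-patch steps 1 and 3 above and the checklist's session-anomaly item, as an added example that is not from the original post: it parses constructed session log lines (the pipe-separated format, field names and patch time are assumptions, not NetScaler's own log format), lists sessions first seen before the patch so they can be terminated, and flags a token reused from a new country or client or outside working hours.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines, not real NetScaler output.
# Fields: timestamp | session token id | user | client IP | user agent | country
SAMPLE_LOG = """\
2025-06-25T09:14:00Z|sess-a1|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|DE
2025-06-25T09:40:00Z|sess-a1|alice|203.0.113.10|Mozilla/5.0 (Windows NT 10.0)|DE
2025-06-26T02:05:00Z|sess-a1|alice|198.51.100.7|curl/8.4.0|RU
2025-06-26T13:30:00Z|sess-b2|bob|192.0.2.44|Mozilla/5.0 (Macintosh)|DE
2025-06-26T14:02:00Z|sess-b2|bob|192.0.2.44|Mozilla/5.0 (Macintosh)|DE
"""
# Assumed time the fix went live; take it from your change record in practice.
PATCH_TIME = datetime(2025, 6, 26, 12, 0, tzinfo=timezone.utc)
FIELDS = ("ts", "token", "user", "ip", "ua", "country")

def parse_log(text):
    """Parse the constructed format above into dicts sorted by time.
    'token' is an identifier of the session, never the raw token value."""
    events = []
    for line in text.splitlines():
        ev = dict(zip(FIELDS, line.split("|")))
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def sessions_to_terminate(events, patch_time=PATCH_TIME):
    """Step 1: any session first seen before the patch may be a stolen token."""
    first_seen = {}
    for e in events:
        first_seen[e["token"]] = min(first_seen.get(e["token"], e["ts"]), e["ts"])
    return sorted(t for t, ts in first_seen.items() if ts < patch_time)

def session_anomalies(events, work_hours=(7, 19)):
    """Step 3: flag a token reused from a new country or client, or off-hours (UTC)."""
    findings, seen = [], defaultdict(lambda: {"country": set(), "ua": set()})
    for e in events:
        s = seen[e["token"]]
        if s["country"] and e["country"] not in s["country"]:
            findings.append((e["token"], "new_geography", e["country"]))
        if s["ua"] and e["ua"] not in s["ua"]:
            findings.append((e["token"], "new_device", e["ua"]))
        if not work_hours[0] <= e["ts"].hour < work_hours[1]:
            findings.append((e["token"], "unusual_hours", e["ts"].isoformat()))
        s["country"].add(e["country"]); s["ua"].add(e["ua"])
    return findings

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("terminate:", sessions_to_terminate(evs))
    print("alerts:", session_anomalies(evs))
```

On the sample above, sess-a1 is both pre-patch (terminate it) and reused from a new country and client at 02:05 UTC, which is the pattern of an attacker testing a stolen token; sess-b2 was issued after the patch and shows no anomaly.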

Lessons Learned

The recurrence of CitrixBleed-style vulnerabilities suggests this attack class isn’t going away. Session token theft will remain attractive to attackers as long as:

  • Network appliances hold session state
  • MFA protects authentication but not active sessions
  • Organizations delay patching for operational convenience

Defenders need to assume that perimeter devices will be compromised periodically and plan accordingly. Segmentation, session monitoring, and rapid patching capability matter more than perfect prevention.

The perimeter isn’t a wall. It’s a target.


At Dédalo, we help organizations assess their network perimeter security and implement vulnerability management programs that prioritize critical patches. If your patching process needs improvement, we can help.