Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Citrix Bleed 2 under active attack, reports suggest | Computer Weekly

By Computer Weekly by By Computer Weekly
June 27, 2025
Home Uncategorized
Share on FacebookShare on Twitter


A freshly-discovered vulnerability in the perennially under-fire Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway appliances, that has been compared to 2023’s Citrix Bleed flaw in its severity, now appears to be coming under attack by undisclosed threat actors, security analysts say.

Assigned a critical CVSS score of 9.3, CVE-2025-5777 is, technically speaking, an out-of-bounds read flaw arising from insufficient input validation. Dubbed Citrix Bleed 2 by independent researcher Kevin Beaumont, CVE-2025-5777 is reportedly similar to Citrix Bleed, CVE-2023-4966, in that its ultimate effect is to allow an attacker to hijack authenticated sessions and bypass multifactor authentication (MFA) by stealing valid session tokens from the NetScaler device’s memory.

The original Citrix Bleed vulnerability proved a highly effective tool for cyber criminals and was exploited by some of the most prominent ransomware gangs at the time – including LockBit – so the message to security leaders and defenders upon the discovery of this latest flaw is to waste no time and patch immediately.

However, this guidance may already come too late for some organisations, for according to intelligence shared by the ReliaQuest threat research team, threat actors are already starting to pile on.

“While no public reporting of exploitation for this vulnerability has emerged, ReliaQuest has observed indications of exploitation to gain initial access,” the ReliaQuest team said. “ReliaQuest assesses with medium confidence that attackers are actively exploiting this vulnerability to gain initial access to targeted environments.

“Citrix recommends patching affected systems to the latest versions and terminating active sessions to mitigate session hijacking and further risks of exploitation.”

Most notably, said ReliaQuest, its analysts have gathered evidence of multiple hijacked Citrix web sessions from NetScaler devices in which authentication appears to have been granted without user knowledge – a very clear indication that possible MFA bypass has occurred.

It has also seen evidence of sessions reuse spanning multiple IPs, including combinations of expected and suspicious IPs; Lightweight Directory Access Protocol (LDAP) queries associated with potential recon of Active Directory setups; and multiple instances in which the ‘ADExplorer64.exe’ tool has been seen in user environments both querying domain-level groups and permissions and connecting to multiple domain controllers.

Finally, the ReliaQuest team said, they are also observing a noteworthy number of Citrix sessions coming from datacentre-hosting IP addresses, suggesting the possible use of consumer VPN services.

All of these points – alone or in combination – could indicate that a threat actor is enumerating a potential victim environment, and defenders should be on the lookout for them.

NetScaler ADC and Gateway users should be sure to update to the latest versions per Citrix’s advisory, and having done so it is also highly recommended they run a series of commands to terminate active ICA and PCoIP sessions.

Writing on LinkedIn, Charles Carmakal, chief technology officer at Google Cloud’s Mandiant said this latter point was particularly important for defenders to bear in mind.

He recalled how at the height of the first Citrix Bleed incident, many victims found that despite patching, session secrets had already been stolen and so the attackers were able to retain access despite the appliances being, to all intents and purposes, fixed. This led to a greater number of compromises than might otherwise have occurred.



Source link

By Computer Weekly

By Computer Weekly

Next Post
What Every IT Leader Needs to Know About AI and Solution Delivery: Insights Published By Info-Tech Research Group

What Every IT Leader Needs to Know About AI and Solution Delivery: Insights Published By Info-Tech Research Group

Recommended.

Vmake AI Talking Video Editor: The All-in-One Solution for Talking Videos, Empowering Diverse Creators

Vmake AI Talking Video Editor: The All-in-One Solution for Talking Videos, Empowering Diverse Creators

August 7, 2025
OA500 Ranks Sales Focus Inc. as One of the Best Business Outsourcing Firms in the World for Second Consecutive Year

OA500 Ranks Sales Focus Inc. as One of the Best Business Outsourcing Firms in the World for Second Consecutive Year

April 23, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio