
CISA Issues Urgent Patch Directive for CitrixBleed 2 (CVE-2025-5777) Exploited in Active Session Hijacking Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CitrixBleed 2 vulnerability (CVE-2025-5777) to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches within 24 hours because the flaw is under active exploitation. The vulnerability affects NetScaler ADC and Gateway appliances and lets attackers extract session tokens and credentials, enabling session hijacking and unauthorized access to the internal systems those appliances protect.

Technically, CitrixBleed 2 appears to be a variant or successor of the original CitrixBleed vulnerability, which was a buffer overflow issue leading to information disclosure. Tokens and credentials stolen through the new flaw are already being used in the wild to hijack sessions and reach systems behind NetScaler appliances. The resulting risks include unauthorized access, data breaches, and lateral movement within affected networks; given how widely NetScaler ADC and Gateway are deployed in enterprise and government environments, the impact could be substantial. The urgency of CISA's directive is itself a signal that exploitation is already occurring.

Organizations running affected NetScaler appliances should treat this as a critical threat, since a hijacked session can lead to data exfiltration and further compromise of internal systems. Patching affected systems should be the first priority. In parallel, monitoring for signs of session hijacking, such as unusual login attempts or unexpected session terminations, is essential. Where patching is not immediately feasible, temporarily disabling the affected services is an option, though this may disrupt operations.
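As an added illustration of the monitoring advice above (this is example code, not from CISA, Citrix, or the original article), the script below runs two session-hijack heuristics over a constructed log excerpt: a session token seen from more than one source IP, and activity on a token after its logout. The log format, field names, and all addresses are assumptions for the example and are not NetScaler's real log format.

```python
import re
from collections import defaultdict

# Constructed sample log (not NetScaler's real format): timestamp, event,
# session token, source IP and user. tok-a1 is reused from a second IP and
# tok-b2 keeps sending requests after its LOGOUT.
SAMPLE_LOG = """\
2025-07-10T09:00:01Z LOGIN sid=tok-a1 src=203.0.113.10 user=alice
2025-07-10T09:05:12Z REQUEST sid=tok-a1 src=203.0.113.10 user=alice
2025-07-10T09:07:40Z REQUEST sid=tok-a1 src=198.51.100.77 user=alice
2025-07-10T09:10:00Z LOGIN sid=tok-b2 src=203.0.113.25 user=bob
2025-07-10T09:12:00Z LOGOUT sid=tok-b2 src=203.0.113.25 user=bob
2025-07-10T09:15:30Z REQUEST sid=tok-b2 src=203.0.113.25 user=bob
2025-07-10T09:20:00Z LOGIN sid=tok-c3 src=203.0.113.40 user=carol
2025-07-10T09:21:00Z REQUEST sid=tok-c3 src=203.0.113.40 user=carol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) sid=(?P<sid>\S+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Parse the constructed log format into a list of event dicts (in file order)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the expected shape are skipped
            events.append(m.groupdict())
    return events


def find_hijack_indicators(events):
    """Return sorted (sid, reason) pairs for sessions showing hijack indicators.

    Events are assumed to be in chronological order. Clients behind NAT or
    mobile networks can legitimately change IPs, so treat the multi-IP
    finding as a lead to investigate, not a confirmed compromise.
    """
    ips_per_sid = defaultdict(set)
    ended = set()
    flags = defaultdict(set)
    for ev in events:
        sid, src, kind = ev["sid"], ev["src"], ev["event"]
        if sid in ended and kind != "LOGIN":
            flags[sid].add("activity after logout")  # token should be dead
        if kind == "LOGOUT":
            ended.add(sid)
        ips_per_sid[sid].add(src)
        if len(ips_per_sid[sid]) > 1:
            flags[sid].add("used from multiple source IPs")  # token replay
    return sorted((sid, r) for sid, reasons in flags.items() for r in reasons)


if __name__ == "__main__":
    for sid, reason in find_hijack_indicators(parse(SAMPLE_LOG)):
        print(f"{sid}: {reason}")
```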
This incident underscores the importance of timely patching and the risks associated with unpatched systems, even from established vendors like Citrix. In conclusion, the active exploitation of CitrixBleed 2 highlights the critical need for vigilance and prompt action in cybersecurity. Organizations must stay proactive in applying patches and monitoring for signs of exploitation to prevent potential breaches and unauthorized access.