A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.

Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago. The list of Citrix customers hacked in the CitrixBleed exploitation spree included Boeing, Australian shipping company DP World, Commercial Bank of China, and the Allen & Overy law firm. A Comcast network was also breached, allowing threat actors to steal password data and other sensitive information belonging to 36 million Xfinity customers.

Both CVE-2025-5777 and CVE-2023-4966 reside in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. The vulnerability causes vulnerable devices to leak—or "bleed"—small chunks of memory contents after receiving modified requests sent over the Internet.

By repeatedly sending the same requests, hackers can piece together enough data to reconstruct credentials. The original CitrixBleed had a severity rating of 9.8. CitrixBleed 2 has a severity rating of 9.2.

Citrix disclosed the newer vulnerability and released a security patch for it on June 17. In an update published nine days later, Citrix said it was "currently unaware of any evidence of exploitation." The company has provided no updates since then.

Researchers, however, say that they have found evidence that CitrixBleed 2, as the newer vulnerability is being called, has been actively exploited for weeks. Security firm Greynoise said Monday that a search through its honeypot logs found exploitation as early as July 1. On Tuesday, independent researcher Kevin Beaumont said telemetry from those same honeypot logs indicates that CitrixBleed 2 has been exploited since at least June 23, three days before Citrix said it had no evidence of such attacks.

Citrix’s failure to disclose active exploitation is only one of the details researchers say was missing from the advisories. Last week, security firm watchTowr published a post titled "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)." It criticized Citrix for withholding indicators that customers could use to determine if their networks were under attack. On Monday, fellow security firm Horizon3.ai said much the same thing. Company researchers wrote:

"Publishing security advisories for such critical issues with such limited information only serves to hurt defenders and threat hunters in the long term. At best, it causes some minor confusion amongst security experts while triaging the issue. At worst, it leaves organizations scrambling and wondering if they’ve fallen victim to the issue, even after patches have been applied since there’s no way to really know what to look for in their environments."

Rather than providing indicators publicly, Citrix has required customers to contact the Citrix support team directly. The company has argued that keeping those details under wraps helps to prevent tipping off would-be attackers. Beaumont said the lack of details has only made exploitation easier.

"In reality exploitation started soon after the patch release, so providing no technical details didn’t slow exploitation—it gave attackers a head start and left customers with a false sense of security that simply applying patches resolved the problem," he wrote Tuesday in a post that provided many of the useful details Citrix has withheld. Among other things, he said, exploits are peppering the doAuthentication.do endpoint—which handles authentication for Netscaler devices—with thousands of login requests per day. Eventually, vulnerable devices will leak enough memory contents for attackers to recover session tokens required for administrative access.

Beaumont continued:

"Had they been given, for example, a clue about looking for a large volume of doAuthentication requests, they could have checked logs and looked at WAF [Web authentication firewall] rules (for example, doAuthentication requests missing the correct headers—despite what the Netscaler blog says, this is possible). This didn’t happen, and now likely a large number of organisations will again be invoking incident response, under two years since CitrixBleed."

All three posts state that merely patching vulnerable devices is only one required step. Customers should also use the provided indicators to identify signs that vulnerable devices have been compromised.

In an email, Citrix declined to say if it's aware of active exploitation. A company representative said that "Citrix is committed to transparency in responsibly sharing information that can help customers identify any anomalies in their NetScaler products as part of their analysis."

Critical CitrixBleed 2 vulnerability has been under active exploit for weeks

A critical vulnerability in Citrix's network management devices, tracked as CVE-2025-5777, has been actively exploited for weeks, contradicting Citrix's advisories that claimed no evidence of in-the-wild exploitation. The vulnerability allows hackers to bypass multifactor authentication by leaking memory contents, affecting major customers like Boeing, DP World, and the Allen & Overy law firm. Researchers found exploitation evidence dating back to June 23, with Citrix withholding technical details to prevent attackers from identifying compromised networks.