Particle.news

CISA Confirms Active CitrixBleed 2 Exploitation and Mandates One-Day Patch

The mandate follows proof-of-concept exploits that fueled a surge in scanning and left federal networks vulnerable to session hijacking.

Overview

  • The agency added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog after confirming real-world abuse of Citrix NetScaler ADC and Gateway devices.
  • Federal entities have 24 hours to install the June 17 Citrix update and terminate active sessions that may already be compromised.
  • Citrix issued fixes on June 17 but has declined to address reports of in-the-wild attacks or estimate the number of affected systems.
  • Researchers from watchTowr and Horizon3 published proof-of-concept exploits, and Akamai noted a sharp increase in scanner traffic targeting CitrixBleed 2 since late June.
  • The critical out-of-bounds memory-read flaw allows unauthenticated actors to steal session tokens, bypass MFA and hijack sessions, though the full impact remains unclear.