Tags: perimeter-device-exposure, actively-exploited-vulnerability, identity-authentication-vulnerability, embedded-device-vulnerability

Citrix NetScaler Flaws Enable RCE and Session Token Theft

Updated 2d ago · First seen May 24, 2026 · 17 sources

Multiple severe vulnerabilities in Citrix ADC and NetScaler Gateway exposed organizations to unauthenticated compromise, including remote code execution in CVE-2019-19781 and CVE-2023-3519, as well as memory disclosure in CVE-2023-4966 (CitrixBleed) and the later CVE-2025-5777 variant. Public reporting showed that CVE-2019-19781 could be exploited through crafted HTTP requests that abused directory traversal and template parsing to execute commands on vulnerable appliances, while research on CVE-2023-3519 examined another critical path to code execution on internet-facing Citrix infrastructure.


EVENT TIMELINE

How this story unfolded

14 events from the most recent confirmed update back to the earliest known activity.

Mar 30, 2026 (3mo ago)

Citrix NetScaler exploitation confirmed in new 2026 reporting

Cybersecurity Dive reported that Citrix NetScaler products were confirmed to be under exploitation. This represents a new public confirmation of active abuse affecting NetScaler systems beyond the previously documented 2025 CitrixBleed 2 reporting.

Citrix NetScaler products confirmed to be under exploitation | Cybersecurity Dive
Jul 10, 2025 (1y ago)

Akamai publishes mitigation guidance for CitrixBleed 2 (CVE-2025-5777)

Akamai published mitigation guidance for CVE-2025-5777, referred to as CitrixBleed 2, affecting NetScaler memory disclosure. The publication reflects public technical guidance on defending against the flaw.

Jul 7, 2025 (1y ago)

Active exploitation of CitrixBleed 2 reported as patching lags

Reporting indicated that CVE-2025-5777, dubbed CitrixBleed 2, was already being exploited in the wild while many organizations were slow to patch affected NetScaler systems. The development marked an escalation from vulnerability awareness to observed malicious abuse.

CitrixBleed 2 exploits on the loose as orgs slow to patch
Jun 27, 2025 (1y ago)

Reports indicate CitrixBleed 2 is under active attack

Computer Weekly reported that CVE-2025-5777, known as CitrixBleed 2, was believed to be under active attack. This marks public reporting that the vulnerability had moved from disclosure concern to suspected in-the-wild exploitation.

Citrix Bleed 2 under active attack, reports suggest | Computer Weekly
Jun 17, 2025 (1y ago)

Citrix issues security bulletin for CVE-2025-5349 and CVE-2025-5777

Citrix published a NetScaler ADC and NetScaler Gateway security bulletin covering CVE-2025-5349 and CVE-2025-5777. The advisory marked the vendor's official disclosure and guidance for the vulnerabilities affecting NetScaler products.

NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777
Dec 1, 2023 (3y ago)

HHS warns healthcare sector of CitrixBleed attacks after hospital outages

The U.S. Department of Health and Human Services warned the healthcare sector about CitrixBleed attacks after hospital outages were reported. The alert marked a sector-specific government response highlighting operational impact on healthcare organizations.

HHS warns of ‘Citrix Bleed’ attacks after hospital outages | The Record from Recorded Future News
Nov 21, 2023 (3y ago)

CISA warns CitrixBleed is targeted by nation-state and criminal hackers

CISA said the CitrixBleed vulnerability, CVE-2023-4966, was being actively exploited by both nation-state and financially motivated threat actors. The warning marked an official U.S. government alert highlighting the breadth and seriousness of ongoing exploitation.

‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers: CISA | The Record from Recorded Future News
Nov 8, 2023 (3y ago)

Organizations rush to patch and hunt after CitrixBleed exploitation warnings

Following public reporting on CitrixBleed (CVE-2023-4966), defenders were urged to rapidly patch affected NetScaler systems and investigate for signs of compromise as concern grew over active malicious exploitation. The development marked an operational response phase beyond the initial technical reporting on the flaw.

CitrixBleed sparks race to patch, hunt for malicious activity | Cybersecurity Dive
Nov 1, 2023 (3y ago)

CitrixBleed (CVE-2023-4966) threat brief is published

Unit 42 published a threat brief on CVE-2023-4966, commonly known as CitrixBleed, documenting the vulnerability and associated threat activity. This marks public reporting on the issue by early November 2023.

Jul 18, 2023 (3y ago)

Citrix patches CVE-2023-3519 and warns of targeted exploitation

Cloud Software Group disclosed and released fixed builds for CVE-2023-3519, a critical unauthenticated remote code execution flaw affecting customer-managed NetScaler ADC and NetScaler Gateway deployments configured as a gateway or AAA virtual server. The company said no workaround was available beyond upgrading and warned the vulnerability was being exploited in targeted attacks.

Critical Security Update for NetScaler
Jul 4, 2023 (3y ago)

Assetnote publishes analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway

Assetnote published research analyzing CVE-2023-3519 in Citrix ADC and NetScaler Gateway, adding technical detail to understanding of the vulnerability. The reference indicates public disclosure of analysis by July 2023.

Jan 24, 2020 (6y ago)

Citrix releases patches for CVE-2019-19781

Citrix released patches for CVE-2019-19781 in late January 2020 after initially providing only mitigation guidance. The fixes addressed the widely exploited remote code execution risk on vulnerable appliances.

Jan 10, 2020 (6y ago)

Public exploits and active abuse emerge for CVE-2019-19781

By early 2020, public exploit code for CVE-2019-19781 became available and FireEye reported threat actors were actively exploiting vulnerable Citrix systems to install malware, including NOTROBIN. The exploitation chain involved directory traversal and template parsing to achieve unauthenticated remote code execution.

Dec 17, 2019 (7y ago)

Citrix discloses CVE-2019-19781 and recommends mitigations

Citrix disclosed the authentication bypass vulnerability CVE-2019-19781 affecting Citrix ADC, Gateway, NetScaler, and SD-WAN WANOP products. The company initially advised customers to apply mitigations before patches were available.

LINKED ENTITIES

Related entities

Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.

9 linked
Malware
1 linked
Affected products
2 linked
NetScaler ADC, NetScaler Gateway
Organizations
4 linked
Cloud Software Group, Citrix Systems, Google, Udemy