Citrix NetScaler Flaws Enable RCE and Session Token Theft
Multiple severe vulnerabilities in Citrix ADC and NetScaler Gateway exposed organizations to unauthenticated compromise, including remote code execution in CVE-2019-19781 and CVE-2023-3519, as well as memory disclosure in CVE-2023-4966 (CitrixBleed) and the later CVE-2025-5777 variant. Public reporting showed that CVE-2019-19781 could be exploited through crafted HTTP requests that abused directory traversal and template parsing to execute commands on vulnerable appliances, while research on CVE-2023-3519 examined another critical path to code execution on internet-facing Citrix infrastructure.

How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
Citrix NetScaler exploitation confirmed in new 2026 reporting
Cybersecurity Dive reported that Citrix NetScaler products were confirmed to be under exploitation. This represents a new public confirmation of active abuse affecting NetScaler systems beyond the previously documented 2025 CitrixBleed 2 reporting.
Akamai publishes mitigation guidance for CitrixBleed 2 (CVE-2025-5777)
Akamai published mitigation guidance for CVE-2025-5777, referred to as CitrixBleed 2, affecting NetScaler memory disclosure. The publication reflects public technical guidance on defending against the flaw.
Active exploitation of CitrixBleed 2 reported as patching lags
Reporting indicated that CVE-2025-5777, dubbed CitrixBleed 2, was already being exploited in the wild while many organizations were slow to patch affected NetScaler systems. The development marked an escalation from vulnerability awareness to observed malicious abuse.
Reports indicate CitrixBleed 2 is under active attack
Computer Weekly reported that CVE-2025-5777, known as CitrixBleed 2, was believed to be under active attack. This marks public reporting that the vulnerability had moved from disclosure concern to suspected in-the-wild exploitation.
Citrix issues security bulletin for CVE-2025-5349 and CVE-2025-5777
Citrix published a NetScaler ADC and NetScaler Gateway security bulletin covering CVE-2025-5349 and CVE-2025-5777. The advisory marked the vendor's official disclosure and guidance for the vulnerabilities affecting NetScaler products.
HHS warns healthcare sector of CitrixBleed attacks after hospital outages
The U.S. Department of Health and Human Services warned the healthcare sector about CitrixBleed attacks after hospital outages were reported. The alert marked a sector-specific government response highlighting operational impact on healthcare organizations.
CISA warns CitrixBleed is targeted by nation-state and criminal hackers
CISA said the CitrixBleed vulnerability, CVE-2023-4966, was being actively exploited by both nation-state and financially motivated threat actors. The warning marked an official U.S. government alert highlighting the breadth and seriousness of ongoing exploitation.
Organizations rush to patch and hunt after CitrixBleed exploitation warnings
Following public reporting on CitrixBleed (CVE-2023-4966), defenders were urged to rapidly patch affected NetScaler systems and investigate for signs of compromise as concern grew over active malicious exploitation. The development marked an operational response phase beyond the initial technical reporting on the flaw.
CitrixBleed (CVE-2023-4966) threat brief is published
Unit 42 published a threat brief on CVE-2023-4966, commonly known as CitrixBleed, documenting the vulnerability and associated threat activity. This marks public reporting on the issue by early November 2023.
Citrix patches CVE-2023-3519 and warns of targeted exploitation
Cloud Software Group disclosed and released fixed builds for CVE-2023-3519, a critical unauthenticated remote code execution flaw affecting customer-managed NetScaler ADC and NetScaler Gateway deployments configured as a gateway or AAA virtual server. The company said no workaround was available beyond upgrading and warned the vulnerability was being exploited in targeted attacks.
Assetnote publishes analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway
Assetnote published research analyzing CVE-2023-3519 in Citrix ADC and NetScaler Gateway, adding technical detail to public understanding of the vulnerability. The reference indicates that this analysis was publicly disclosed by July 2023.
Citrix releases patches for CVE-2019-19781
Citrix released patches for CVE-2019-19781 in late January 2020 after initially providing only mitigation guidance. The fixes addressed the widely exploited remote code execution risk on vulnerable appliances.
Public exploits and active abuse emerge for CVE-2019-19781
By early 2020, public exploit code for CVE-2019-19781 became available and FireEye reported threat actors were actively exploiting vulnerable Citrix systems to install malware, including NOTROBIN. The exploitation chain involved directory traversal and template parsing to achieve unauthenticated remote code execution.
Citrix discloses CVE-2019-19781 and recommends mitigations
Citrix disclosed the authentication bypass vulnerability CVE-2019-19781 affecting Citrix ADC, Gateway, NetScaler, and SD-WAN WANOP products. The company initially advised customers to apply mitigations before patches were available.
Sources
17 references tracked.
Citrix NetScaler products confirmed to be under exploitation | Cybersecurity Dive (cybersecuritydive.com)
TrustedSec | NetScaler Remote Code Execution Forensics (trustedsec.com)
Mitigating CitrixBleed 2 (CVE-2025-5777) NetScaler Memory Disclosure with App & API Protector | Akamai (akamai.com)
CitrixBleed 2 exploits on the loose as orgs slow to patch (theregister.com)
CVE-2019-19781: Citrix ADC RCE vulnerability - Hacking Tutorials (hackingtutorials.org)
Rough Patch: I Promise It'll Be 200 OK (Citrix ADC CVE-2019-19781) | FireEye Inc (fireeye.com)
Citrix ADC Exploits are Public and Heavily Used. Attempts to Install Backdoor (isc.sans.edu)
CVE-2019-19781: Unauthenticated Remote Code Execution Vulnerability in Citrix ADCs and Gateways - Blog | Tenable® (fr.tenable.com)