CitrixBleed 2 Flaw Exposes NetScaler ADC and Gateway Sessions
Citrix disclosed CVE-2025-5777 in NetScaler ADC and NetScaler Gateway alongside CVE-2025-5349, warning that affected appliances could be exposed to remote exploitation. Public tracking by ENISA’s EUVD and subsequent reporting identified CVE-2025-5777 as CitrixBleed 2, linking the issue to session exposure risks on internet-facing NetScaler deployments and raising concern for organizations that rely on the products for remote access.
After the advisory, proof-of-concept and scanning tools for CVE-2025-5777 appeared on GitHub, including repositories explicitly branded as CitrixBleed 2 scanners. The rapid publication of exploit-related code lowered the barrier for attackers to identify vulnerable devices, increasing urgency for defenders to patch NetScaler systems, review exposed gateways, and monitor for signs of session theft or unauthorized access.

How this story unfolded
Five events, listed from the most recent confirmed update back to the earliest known activity.
Additional GitHub repository for CVE-2025-5777 appears
Another GitHub repository dedicated to CVE-2025-5777 was published, indicating continued public sharing of technical material related to the vulnerability. This suggests ongoing community analysis and tooling development around the issue.
PoC scanner for CVE-2025-5777 is released on GitHub
A GitHub repository named 'citrix_bleed_2' was published with a proof-of-concept scanner for CVE-2025-5777. The release of public scanning code lowered the barrier to identifying potentially vulnerable NetScaler systems.
Public reporting highlights 'CitrixBleed 2' exploitation risk
SOCRadar published analysis describing CVE-2025-5777 as 'CitrixBleed 2' and warning that NetScaler Gateway devices were exposed to remote exploitation. This represents a public escalation in awareness around the vulnerability's severity and attack potential.
ENISA EUVD publishes an entry for CVE-2025-5777
ENISA's EU Vulnerability Database added an entry for CVE-2025-5777, reflecting broader public cataloging of the issue after vendor disclosure. The listing indicates the vulnerability had entered formal vulnerability-tracking channels.
Citrix discloses CVE-2025-5777 and CVE-2025-5349 in NetScaler bulletin
Citrix published a security bulletin for NetScaler ADC and NetScaler Gateway covering CVE-2025-5777 and CVE-2025-5349. This marks the public vendor disclosure of the vulnerability and the availability of official remediation guidance.
Sources
GitHub - 0xBlackash/CVE-2025-5777: CVE-2025-5777 (github.com)
GitHub - RaR1991/citrix_bleed_2: Citrix Bleed 2 PoC Scanner (CVE-2025-5777) (github.com)
CVE-2025-5777 (CitrixBleed 2) Exposes NetScaler Gateway Devices to Remote Exploitation (socradar.io)
EUVD-2025-18497 | EUVD (euvd.enisa.europa.eu)


