proof-of-concept-release, perimeter-device-exposure, rapid-weaponization, widely-deployed-product-advisory

CitrixBleed 2 Flaw Exposes NetScaler ADC and Gateway Sessions

Updated 47m ago | First seen May 25, 2026 | 4 sources

Citrix disclosed CVE-2025-5777 in NetScaler ADC and NetScaler Gateway alongside CVE-2025-5349, warning that affected appliances could be exposed to remote exploitation. Public tracking by ENISA’s EUVD and subsequent reporting identified CVE-2025-5777 as CitrixBleed 2, linking the issue to session exposure risks on internet-facing NetScaler deployments and raising concern for organizations that rely on the products for remote access.

After the advisory, proof-of-concept and scanning tools for CVE-2025-5777 appeared on GitHub, including repositories explicitly branded as CitrixBleed 2 scanners. The rapid publication of exploit-related code lowered the barrier for attackers to identify vulnerable devices, increasing urgency for defenders to patch NetScaler systems, review exposed gateways, and monitor for signs of session theft or unauthorized access.


EVENT TIMELINE

How this story unfolded

5 events from the most recent confirmed update back to the earliest known activity.

Jul 8, 2025 (1y ago)

Additional GitHub repository for CVE-2025-5777 appears

Another GitHub repository dedicated to CVE-2025-5777 was published, indicating continued public sharing of technical material related to the vulnerability. This suggests ongoing community analysis and tooling development around the issue.

Jul 6, 2025 (1y ago)

PoC scanner for CVE-2025-5777 is released on GitHub

A GitHub repository named 'citrix_bleed_2' was published with a proof-of-concept scanner for CVE-2025-5777. The release of public scanning code lowered the barrier to identifying potentially vulnerable NetScaler systems.

Jun 25, 2025 (1y ago)

Public reporting highlights 'CitrixBleed 2' exploitation risk

SOCRadar published analysis describing CVE-2025-5777 as 'CitrixBleed 2' and warning that NetScaler Gateway devices were exposed to remote exploitation. This represents a public escalation in awareness around the vulnerability's severity and attack potential.

Jun 17, 2025 (1y ago)

ENISA EUVD publishes an entry for CVE-2025-5777

ENISA's EU Vulnerability Database added an entry for CVE-2025-5777, reflecting broader public cataloging of the issue after vendor disclosure. The listing indicates the vulnerability had entered formal vulnerability-tracking channels.

Citrix discloses CVE-2025-5777 and CVE-2025-5349 in NetScaler bulletin

Citrix published a security bulletin for NetScaler ADC and NetScaler Gateway covering CVE-2025-5777 and CVE-2025-5349. This marks the public vendor disclosure of the vulnerability and the availability of official remediation guidance.
