
Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June

26 August 2025 at 17:27

Citrix and cybersecurity researchers warn a critical, zero-day vulnerability affecting multiple versions of Citrix NetScaler products is under active exploitation. Citrix issued a security bulletin about the vulnerability — CVE-2025-7775 — and urged customers on affected versions to install upgrades Tuesday.

The memory-overflow vulnerability, which has an initial CVSS rating of 9.2, can be exploited to achieve remote-code execution or denial of service. Citrix disclosed two additional defects Tuesday: CVE-2025-7776, another memory-overflow vulnerability affecting Citrix NetScaler ADC and the NetScaler Gateway VPN, and CVE-2025-8424, which affects the management interface for the products.

Citrix products have been widely targeted in previous attack sprees. The vendor has disclosed three actively exploited zero-day vulnerabilities since mid-June, including CVE-2025-6543 and CVE-2025-5777; threat hunters likened the latter to “CitrixBleed,” CVE-2023-4966, a 2023 defect in the same products.

The Cybersecurity and Infrastructure Security Agency added CVE-2025-7775 to its known exploited vulnerabilities catalog Tuesday. Citrix products have appeared in the agency’s catalog of vulnerabilities known to be exploited seven times this year, and a total of 21 times since late 2021.

Ben Harris, CEO at watchTowr said the new Citrix zero-day has already been actively exploited to deploy backdoors, facilitating total compromise. “Patching is critical, but patching alone won’t cut it,” he said in an email. “Unless organizations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside.”

While the new memory-corruption defect is severe, its impact differs from the zero-days Citrix disclosed earlier this summer, according to Harris. “Each of these vulnerabilities presents unique risks, but all share the potential for significant exploitation,” he added.

Citrix said the vulnerability also affects older versions of NetScaler ADC and NetScaler Gateway, including versions 12.1 and 13.0, that are end of life and no longer supported with security updates. The vendor advised customers to upgrade their appliances to a newer, supported version to address the vulnerabilities. 

Scott Caveza, senior staff research engineer at Tenable, said these outdated versions of the affected products are still widely used, calling them “ticking time bombs” due to the heightened attacker interest in Citrix vulnerability exploitation. Nearly 1 in 5 NetScaler assets identified in Tenable’s telemetry data are on unsupported versions, he said.

Citrix and researchers haven’t detailed the extent to which the new zero-day has been actively exploited, but researchers are concerned. “It’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalize on this flaw,” Caveza said.

Less than a month after Citrix disclosed CVE-2025-5777, researchers observed more than 11.5 million attack attempts targeting thousands of sites. 

“The reality is, critical software will always attract attackers,” Harris said. 

“Some vulnerabilities are a natural part of life in complex software and are thus forgivable,” he said. “When trivial flaws repeatedly allow total compromise with little defender recourse — this veers quickly into unforgivable territory.”

The post Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June appeared first on CyberScoop.

CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe

14 July 2025 at 17:46

Authorities and researchers are intensifying warnings about active exploitation and pervasive scanning of a critical vulnerability affecting multiple versions of Citrix NetScaler products.

There is now widespread agreement among security professionals that the critical vulnerability, CVE-2025-5777, which Citrix disclosed June 17, is serious and harkens back to a 2023 defect in the same products: “CitrixBleed,” or CVE-2023-4966. Naturally, threat hunters are scrambling to assess and stop the strikingly similar challenges summoned by exploits of the newest CVE. 

For some Citrix customers, the warnings are too late. Vulnerability scans confirm active exploits occurred within a week of disclosure, and attackers have been swarming, hunting for exposed instances of the impacted devices since exploit details were publicly released earlier this month. 

“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as CitrixBleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” Chris Butera, acting executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a statement. CISA added the vulnerability to its known exploited vulnerabilities catalog on July 10.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera added. CISA typically requires federal agencies to resolve “high risk” vulnerabilities within 30 days and “critical risk” vulnerabilities within 15 days.

The pre-authentication remote memory disclosure vulnerability, which has a CVSS score of 9.3, has been increasingly targeted for attacks globally. Imperva researchers on Friday said they’ve observed more than 11.5 million attack attempts targeting thousands of sites since the exploit was disclosed. 

“Attackers appear to be scanning extensively for exposed instances and attempting to exploit the memory-leak vulnerability to harvest sensitive data,” Imperva researchers said in a blog post.

Nearly 2 in 5 attack attempts have targeted sites in the financial services industry and 3 in 5 of those targeted sites are based in the United States, according to Imperva.

GreyNoise scans have observed 22 unique malicious IPs attempting to exploit CVE-2025-5777 thus far. The first malicious IP was observed June 23 and a spike of 11 unique malicious IPs was observed Friday. 

“I haven’t seen any attrition yet. This could be as bad or even worse than CitrixBleed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.”

The number of Citrix customers already impacted remains unknown and victims have yet to come forward. 

“A lot of the attacks seem opportunistic, so there are likely multiple threat actors using the bug,” Childs said.

Citrix maintains there was no evidence of active exploitation when it disclosed the vulnerability. The vendor hasn’t shared much publicly in almost three weeks, other than an update in a June 26 blog post noting that CISA was aware of evidence of active exploitation. The company did not respond to a request for comment.

In the June blog post, Anil Shetty, senior vice president of engineering at NetScaler, disputed comparisons between CVE-2025-5777 and CVE-2023-4966. “While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related,” Shetty wrote. Cloud Software Group is the parent company of Citrix.

Researchers are also leveling criticism at Citrix for the relative ease by which an attacker can compromise a vulnerable instance of Citrix NetScaler with just a few requests. 

“The term ‘CitrixBleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively bleeding sensitive information,” Akamai Security Intelligence Group said in a blog post.

Akamai researchers described the root cause of the vulnerability as “an uninitialized login variable, combined with improper memory handling, lack of input validation and missing error handling in Citrix NetScaler’s authentication logic.”
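The repeated-payload behavior Akamai describes is something defenders can hunt for in their own access logs even without a signature for the exploit itself: a single source firing the same login request over and over and getting a 200 back each time, with the response length drifting because a different chunk of stale memory is returned on every attempt. The script below is an added example written for this page, not code from Akamai, Citrix or CyberScoop. The log format (Common Log Format), the endpoint path `/auth/login`, the sample lines and the thresholds are all constructed assumptions; the "varying 200-response size" heuristic is this example's own, not a published indicator for CVE-2025-5777, and a burst of identical-size 200s (a plain credential-stuffing run against a fixed error page) is deliberately left unflagged so the two cases can be told apart.

```python
"""Hunt for 'bleed'-style repeated login requests in access logs.

Added example, not vendor or researcher code. Log format, endpoint path,
sample lines and thresholds are assumptions constructed for this page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering the login endpoint and getting
# 200s of varying length (bleed-like), one normal login (302 then a GET),
# and one credential-stuffing burst that always gets the same fixed-size page.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jul/2025:09:00:01 +0000] "POST /auth/login HTTP/1.1" 200 1836
203.0.113.7 - - [11/Jul/2025:09:00:02 +0000] "POST /auth/login HTTP/1.1" 200 1901
203.0.113.7 - - [11/Jul/2025:09:00:02 +0000] "POST /auth/login HTTP/1.1" 200 1877
203.0.113.7 - - [11/Jul/2025:09:00:03 +0000] "POST /auth/login HTTP/1.1" 200 1842
203.0.113.7 - - [11/Jul/2025:09:00:04 +0000] "POST /auth/login HTTP/1.1" 200 1910
203.0.113.7 - - [11/Jul/2025:09:00:05 +0000] "POST /auth/login HTTP/1.1" 200 1869
198.51.100.4 - - [11/Jul/2025:09:00:05 +0000] "POST /auth/login HTTP/1.1" 302 0
198.51.100.4 - - [11/Jul/2025:09:03:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
192.0.2.9 - - [11/Jul/2025:09:10:00 +0000] "POST /auth/login HTTP/1.1" 200 512
192.0.2.9 - - [11/Jul/2025:09:10:01 +0000] "POST /auth/login HTTP/1.1" 200 512
192.0.2.9 - - [11/Jul/2025:09:10:02 +0000] "POST /auth/login HTTP/1.1" 200 512
192.0.2.9 - - [11/Jul/2025:09:10:03 +0000] "POST /auth/login HTTP/1.1" 200 512
192.0.2.9 - - [11/Jul/2025:09:10:04 +0000] "POST /auth/login HTTP/1.1" 200 512
"""

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_bleed_candidates(log_text, path="/auth/login", min_hits=5,
                          window=timedelta(seconds=60)):
    """Return {ip: summary} for sources that POST to `path` at least
    `min_hits` times within `window`, get HTTP 200 each time, and receive
    responses of more than one length (assumed heuristic for stale memory
    being echoed rather than a fixed error page)."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so burst spans at most `window` seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            ok = [r for r in burst if r["status"] == 200]
            sizes = {r["size"] for r in ok}
            if len(ok) >= min_hits and len(sizes) > 1:
                findings[ip] = {
                    "count": len(ok),
                    "distinct_sizes": len(sizes),
                    "first": burst[0]["ts"].isoformat(),
                    "last": burst[-1]["ts"].isoformat(),
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_bleed_candidates(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} x 200 with {info['distinct_sizes']} "
              f"distinct sizes between {info['first']} and {info['last']}")
```

On the sample input only 203.0.113.7 is reported. Run it against a real appliance's access or syslog export after swapping in the actual login path and log format; a hit is a reason to pull the device for forensic review, which is the "review for signs of prior compromise" step Harris argues patching alone does not replace.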

Zach Edwards, an independent cybersecurity researcher, told CyberScoop that CVE-2025-5777 and CVE-2023-4966 are “extremely similar,” aside from subtle differences in the versions of NetScaler impacted.

“The fact that these pre-authentication vulnerabilities keep coming up, which can facilitate complete compromises, is disappointing to see,” Edwards said. “It’s unclear how these significant vulnerabilities keep making their way through development processes, but Citrix clients, especially in the government and enterprise sectors, should be demanding more and requiring additional public context about the steps Citrix takes to test its software prior to a release.”

The post CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe appeared first on CyberScoop.
