New CitrixBleed 2 flaw lets hackers hijack NetScaler sessions. Patch now and terminate all sessions to prevent unauthorized access and data theft

Continue reading
A newly discovered vulnerability in Citrix NetScaler ADC and Gateway, dubbed "CitrixBleed 2," enables unauthenticated attackers to hijack user sessions by exploiting a flaw in out-of-bounds memory read (CVE-2025-5777).
This critical issue enables attackers to access sensitive data—including session tokens and credentials—from memory, potentially bypassing multi-factor authentication and taking over user sessions on public-facing gateways and virtual servers.
The flaw affects NetScaler devices configured as a Gateway (such as VPN virtual servers, ICA Proxy, Clientless VPN, RDP Proxy) or an AAA virtual server, and impacts versions before 14.1-43.56, 13.1-58.32, and certain FIPS/NDcPP releases.
A related high-severity vulnerability (CVE-2025-5349) also affects the NetScaler Management Interface, but requires access to specific management IPs.
Security experts warn that, similar to the original "CitrixBleed" flaw (CVE-2023-4966), attackers can replay stolen session tokens to hijack accounts even after patching—unless all active sessions are terminated after the update.
Mandiant CTO Charles Carmakal emphasized that failure to terminate sessions after patching led to significant breaches, including nation-state espionage and ransomware attacks, during the 2023 incident.
Citrix urges administrators to:
Over 56,500 NetScaler endpoints are currently exposed online, underscoring the urgency for organizations to patch and secure their systems against this new threat.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.