CVE-2025-5777
Published 2025-06-17
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Priority: P1 (93) · high · CVSS 3.1 base 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2025-07-11
Exploited in the wild
EPSS: 99.90% (100.0th percentile)
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_application_delivery_controller | >= 12.1 < 12.1-55.328 | 12.1-55.328 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-37.235 | 13.1-37.235 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-58.32 | 13.1-58.32 |
| citrix | netscaler_application_delivery_controller | >= 14.1 < 14.1-43.56 | 14.1-43.56 |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway | >= 13.1 < 13.1-58.32 | 13.1-58.32 |
| citrix | netscaler_gateway | >= 14.1 < 14.1-43.56 | 14.1-43.56 |
| citrix | xenserver | — | — |
| netscaler | adc | >= 13.1 < 13.1-58.32 | 13.1-58.32 |
| netscaler | adc | >= 14.1 < 14.1-43.56 | 14.1-43.56 |
| netscaler | gateway | >= 13.1 < 13.1-58.32 | 13.1-58.32 |
| netscaler | gateway | >= 14.1 < 14.1-43.56 | 14.1-43.56 |
Rows with no version range come from the product list of bulletin CTX693420 (see the Citrix entry below) and carry no fix information for CVE-2025-5777; only the NetScaler ADC and NetScaler Gateway rows do. The two 13.1 rows are separate release trains (in CTX693420, 13.1-37.235 fixes the 13.1-FIPS/NDcPP build and 13.1-58.32 fixes mainline 13.1, as 12.1-55.328 does for 12.1-FIPS), so a build is fixed only when it is at or above the fixed build of its own train: 13.1-56.x is still vulnerable although it is numerically above 13.1-37.235. Compare build numbers numerically, not as strings (a hypothetical 13.1-58.9 is below 13.1-58.32).
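The following is an added example (not part of this page or of any Citrix tool) that turns the table above into an inventory check. It parses NetScaler build strings in the table's own "14.1-43.56" form and in the `show ns version` output form ("NetScaler NS14.1: Build 43.56.nc, Date: ..."; that CLI format is assumed), compares build numbers numerically, and applies the per-train rule: a 13.1-37.x build is measured against 13.1-37.235, any other 13.1 build against 13.1-58.32, a 12.1-55.x build against 12.1-55.328, and every other 12.1 build (or any release the table does not list) is reported as having no fix listed rather than being assumed safe. The train assignment by build number and the host inventory are this example's own assumptions.

```python
import re

# Fixed builds transcribed from the table above, keyed by release train.
# Train split is this example's assumption: in CTX693420, 13.1-37.235 is the
# fix for the 13.1-FIPS/NDcPP build and 12.1-55.328 for 12.1-FIPS, while
# 13.1-58.32 and 14.1-43.56 fix the mainline trains.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),
    "12.1-FIPS": (55, 328),
}

# Accepts "14.1-43.56" as written in the table and the assumed "show ns version"
# form "NetScaler NS14.1: Build 43.56.nc, Date: ...".
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_build(text):
    """Return (release, (build, sub)) with numeric fields so that 58.9 < 58.32."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return f"{major}.{minor}", (build, sub)


def release_train(release, build):
    """Map a release and build number to the train whose fix applies.
    Assumption: 13.1-37.x is the FIPS/NDcPP line and 12.1-55.x the 12.1-FIPS
    line; every other 12.1 build has no fix listed in the table."""
    if release == "13.1" and build[0] == 37:
        return "13.1-FIPS"
    if release == "12.1":
        return "12.1-FIPS" if build[0] == 55 else None
    return release if release in FIXED_BUILDS else None


def assess(text):
    """'fixed', 'vulnerable', or 'no-fix-listed' (train absent from the table;
    treat as exposed and plan an upgrade rather than assuming safety)."""
    release, build = parse_build(text)
    train = release_train(release, build)
    if train is None:
        return "no-fix-listed"
    return "fixed" if build >= FIXED_BUILDS[train] else "vulnerable"


def triage(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed inventory for illustration, not real hosts.
INVENTORY = {
    "gw-dc1": "14.1-43.56",
    "gw-dc2": "NetScaler NS14.1: Build 38.53.nc, Date: Mar 4 2025",
    "gw-lab": "13.1-58.32",
    "gw-dc3": "13.1-58.9",
    "gw-fips": "13.1-37.235",
    "gw-fips2": "13.1-37.207",
    "gw-legacy": "12.1-65.25",
}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10s} {INVENTORY[host]:52s} {status}")
```

Feed it the output of `show ns version` from each appliance (or the version column of your CMDB export) and treat anything not reported as `fixed` as exposed; a `no-fix-listed` result means the train is not in the vendor table at all, which is a reason to upgrade, not to relax.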
Detection & IOCs (extracted from sources)
- Network trigger for CVE-2025-5777 itself: an HTTP POST to /p/u/doAuthentication.do whose body carries the parameter name `login` without a following `=`. A well-formed login submission sends `login=<username>`; the bare name is the malformed request that produces the overread, and the Suricata rule further down this page keys on exactly this.
- Monitor for HTTP requests to /cgi/GetAuthMethods: attackers probe this endpoint to fingerprint authentication methods and determine whether the NetScaler is configured as a SAML IdP before exploitation.
- Detect crafted SAMLRequest payloads sent to /saml/login that omit the AssertionConsumerServiceURL field; this is the exploitation trigger for the memory overread on the SAML path (the related CVE-2026-3055, see the note below).
- Inspect HTTP responses for an NSC_TASS cookie containing Base64-encoded data; on a vulnerable device this cookie carries leaked memory contents.
- Detect requests to /wsfed/passive where the wctx query-string parameter is present but has no value and no '=' sign; this triggers the second memory-overread variant.
- On a patched NetScaler, a request to /saml/login with the malformed SAMLRequest returns the string 'Parsing of presented Assertion failed; Please contact your administrator.' Absence of this response on an unpatched device indicates vulnerability.
- Hunt for signs of post-exploitation compromise: atypical file creation dates, duplicate file names with different extensions, and absence of PHP files in expected folders.
- Use the NCSC-released GitHub script to scan NetScaler devices for unusual PHP and XHTML files and other IOCs associated with post-exploitation activity.
- Monitor for stolen session tokens being replayed to hijack user sessions and bypass MFA on NetScaler Gateway or AAA virtual servers; this is the key post-exploitation indicator for CVE-2025-5777, because a leaked token grants the victim's access without the victim's credentials or MFA.
- Exploitation of the /saml/login and /wsfed/passive endpoints (the related CVE-2026-3055) additionally requires the appliance to be configured as a SAML Identity Provider (SAML IdP).
- After patching, all active sessions must be terminated using the CLI commands prescribed in CTX693420 to invalidate any already-stolen session tokens; patching alone does not revoke hijacked sessions, and tokens leaked before the patch remain usable until those sessions are killed.
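The following is an added example, written for this page rather than taken from any of the sources it cites, that runs the request-side indicators above over a batch of HTTP log records. It implements the bare `login` check for /p/u/doAuthentication.do the way the Suricata rule expresses it (the name not followed by `=`), the /cgi/GetAuthMethods probe, a SAMLRequest decoder for /saml/login that inflates the HTTP-Redirect binding's raw-DEFLATE payload and reports an AuthnRequest with no AssertionConsumerServiceURL, the value-less `wctx` on /wsfed/passive, and the NSC_TASS check. The record layout (`method`, `path`, `query`, `body`, `set_cookie`), the label strings and the sample records are this example's own constructions; NSC_TASS is a cookie the gateway also sets on ordinary sessions, so the check decodes it and flags non-printable content rather than its mere presence.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, quote

# Label strings are this example's own, not vendor or rule names.
LOGIN_NO_EQUALS = "cve-2025-5777-login-without-equals"
RECON_AUTHMETHODS = "recon-GetAuthMethods"
SAML_MISSING_ACS = "saml-request-missing-AssertionConsumerServiceURL"
SAML_MALFORMED = "saml-request-undecodable"
WCTX_NO_EQUALS = "wsfed-wctx-without-equals"
NSC_TASS_BINARY = "nsc-tass-non-printable"


def bare_field(raw, name):
    """True when the raw, undecoded form or query string carries `name` with no
    '=' at all. Fields are compared whole, so 'login=alice' and 'wctx=' do not
    match but 'login' and '...&wctx' do (the Suricata content:"login";
    content:!"|3d|"; within:1 logic, applied per field)."""
    return any(field == name for field in raw.split("&"))


def saml_request_state(b64):
    """Decode a SAMLRequest (base64 of raw-DEFLATE XML for HTTP-Redirect,
    base64 of plain XML for HTTP-POST). None when fine, else a label."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return SAML_MALFORMED
    try:
        xml = zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE, no zlib header
    except zlib.error:
        xml = raw
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return SAML_MALFORMED
    if root.tag.endswith("AuthnRequest") and "AssertionConsumerServiceURL" not in root.attrib:
        return SAML_MISSING_ACS
    return None


def nsc_tass_is_binary(set_cookie):
    """NSC_TASS is set on ordinary sessions too; flag only a payload that
    decodes to non-printable bytes, which is what leaked memory looks like."""
    m = re.search(r"NSC_TASS=([A-Za-z0-9+/=]+)", set_cookie or "")
    if not m:
        return False
    value = m.group(1)
    try:
        decoded = base64.b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return False
    return any(b < 0x20 or b > 0x7E for b in decoded)


def classify(req):
    """Labels for one record: method, path, optional query/body/set_cookie."""
    hits = []
    path, query, body = req["path"], req.get("query", ""), req.get("body", "")
    if req["method"] == "POST" and path.startswith("/p/u/doAuthentication.do") and bare_field(body, "login"):
        hits.append(LOGIN_NO_EQUALS)
    if path.startswith("/cgi/GetAuthMethods"):
        hits.append(RECON_AUTHMETHODS)
    if path.startswith("/saml/login"):
        params = dict(parse_qsl(query, keep_blank_values=True) + parse_qsl(body, keep_blank_values=True))
        if "SAMLRequest" in params:
            state = saml_request_state(params["SAMLRequest"])
            if state:
                hits.append(state)
    if path.startswith("/wsfed/passive") and bare_field(query, "wctx"):
        hits.append(WCTX_NO_EQUALS)
    if nsc_tass_is_binary(req.get("set_cookie")):
        hits.append(NSC_TASS_BINARY)
    return hits


def scan(records):
    """[(record index, label), ...] over a batch of request records."""
    return [(i, label) for i, rec in enumerate(records) for label in classify(rec)]


def constructed_saml_request(with_acs):
    """Synthetic HTTP-Redirect-binding SAMLRequest for the samples below."""
    acs = ' AssertionConsumerServiceURL="https://sp.example.test/acs"' if with_acs else ""
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'ID="_c0ffee" Version="2.0" IssueInstant="2025-07-01T00:00:00Z"' + acs + "/>")
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()


SAMPLE_REQUESTS = [  # constructed records, not captured traffic
    {"method": "POST", "path": "/p/u/doAuthentication.do", "body": "login=alice&passwd=hunter2"},
    {"method": "POST", "path": "/p/u/doAuthentication.do", "body": "login"},
    {"method": "GET", "path": "/cgi/GetAuthMethods"},
    {"method": "GET", "path": "/saml/login", "query": "SAMLRequest=" + quote(constructed_saml_request(False), safe="")},
    {"method": "GET", "path": "/saml/login", "query": "SAMLRequest=" + quote(constructed_saml_request(True), safe="")},
    {"method": "GET", "path": "/wsfed/passive", "query": "wa=wsignin1.0&wctx"},
    {"method": "GET", "path": "/wsfed/passive", "query": "wa=wsignin1.0&wctx="},
    {"method": "GET", "path": "/vpn/index.html", "set_cookie": "NSC_TASS=" + base64.b64encode(b"/vpn/index.html").decode() + "; Secure"},
    {"method": "GET", "path": "/vpn/index.html", "set_cookie": "NSC_TASS=" + base64.b64encode(b"\x00\x1f\x8b\xd2\x7fAAAA\xff").decode() + "; Secure"},
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_REQUESTS):
        print(f"record {idx}: {label}")
```

The SAML and WS-Fed checks need raw, undecoded query strings: a log pipeline that URL-decodes and normalises parameters first will turn `wctx` and `wctx=` into the same thing and erase the indicator, which is why `bare_field` works on the raw string while only the SAMLRequest value goes through `parse_qsl`.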
CVSS provenance
NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 9.3 CRITICAL
CISA: 9.3 CRITICAL
The two NVD scores differ because the v3.1 vector rates only confidentiality (C:H/I:N/A:N) while the v4.0 vector rates all three vulnerable-system impacts High (VC:H/VI:H/VA:H); the 9.3 is the figure CISA and VulnCheck carry.
CISA · cisa · 2025-07-10 · CVSS 9.3 · CVE-2025-5777 [CRITICAL] CWE-125
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Affected: Citrix NetScaler ADC and Gateway
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420 ; https://nvd.nist.gov/vuln/detail/CVE-2025-5777
Remediation Due Date: 2025-07-11
CISA · cisa · 2025-06-30 · CVSS 9.2 · CVE-2025-6543 [CRITICAL] CWE-119
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Affected: Citrix NetScaler ADC and Gateway
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-6543
Citrix · vendor_citrix · CVSS 5.9 · CVE-2025-12101 [MEDIUM]
Citrix Security Bulletin CTX693420
(The CVSS 5.9 on this entry belongs to the CVE-2025-12101 tag, not to CVE-2025-5777.)
CVE References: CVE-2025-12101, CVE-2025-5349, CVE-2025-5777, CVE-2025-62626, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA · ghsa_unreviewed · 2025-06-17 · CVE-2025-5777 [CRITICAL] CWE-125
GHSA-29vj-j5w5-pcph: Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
Note that the GHSA summary says "Management Interface"; the vendor, CISA and VulnCheck text on this page condition the bug on the appliance being configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, and the exploit path is the unauthenticated login endpoint of that virtual server (/p/u/doAuthentication.do), not the management interface.
VulnCheck · vulncheck · 2025 · CVSS 9.3 · CVE-2025-5777 [CRITICAL] CWE-125
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/; https://dashboard.shadowserver.org/statist
VulnCheck · vulncheck · 2025 · CVSS 9.2 · CVE-2025-6543 [CRITICAL] CWE-119
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788; https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/; https://www.cisa.gov/sites/default/fil
Suricata · suricata · 2025-07-07 · CVSS 9.3 · CVE-2025-5777 [CRITICAL]
ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Citrix Netscaler ADC & Gateway Memory Leak CitrixBleed2 (CVE-2025-5777)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/p/u/doAuthentication.do"; fast_pattern; startswith; http.request_body; content:"login"; content:!"|3d|"; within:1; reference:url,labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/; reference:cve,2025-5777; classtype:web-application-attack; sid:2063315; rev:1; metadata:affected_product Citrix, attack_target Server, created_at 2025_07_07, cve CVE_2025_5777, deployment Perimeter, deployment Internal, confidence High, signatur
Reading the rule: it fires on an established client-to-server HTTP POST whose URI starts with /p/u/doAuthentication.do and whose request body contains the byte string "login" not immediately followed by "=" (0x3d). A well-formed login submission sends login=<username>, so a bare "login" parameter is the malformed request that triggers the overread. The rule references the watchTowr analysis of the bug.
Exploit-DB · exploitdb · 2025-08-11 · CVSS 9.3 · CVE-2025-5777 [CRITICAL]
Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure
---
# Exploit Title: Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
# CVE: CVE-2025-5777
# Link: https://github.com/yealvarez/CVE/blob/main/CVE-2025-5777/exploit.py
# (Only the header and banner of the script survive on this page; the request
# logic is in the linked repository.)
import re
import sys
import warnings
import requests
from time import sleep
from requests.packages.urllib3.exceptions import InsecureRequestWarning


def title():
    # Banner only; the ASCII art is garbled by extraction and reproduced as-is
    print(r'''
 ______ _______ ____ ___ ____ ____ ____ _____ _____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \| ___| | ___|___ |___ |___ |
| | \ \ / /| _| _____ __) | | | |__) |___ \ ____|___ \ / / / / / /
| |___ \ V / | |__|_____/ __/| |_| / __/ ___) |_____|__) |/ / / / / /
\___
''')
Nuclei · nuclei · CVSS 9.3 · CVE-2025-5777 [CRITICAL]
Citrix NetScaler Memory Disclosure - CitrixBleed 2
Template (cut off on this page inside the remediation field):
id: CVE-2025-5777

info:
  name: Citrix NetScaler Memory Disclosure - CitrixBleed 2
  author: watchtowr,DhiyaneshDk,darses
  severity: critical
  description: |
    Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
  impact: |
    Unauthenticated attackers can trigger memory overread conditions to leak sensitive information from NetScaler memory, potentially exposing session tokens and credentials similar to CitrixBleed.
  remediation: |
    Apply the security patches as described in Citrix support article CTX693420 and restrict access to the
Hackernews · blogs_hackernews · 2026-06-18 · tagged CVE-2023-3519
## INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023
Cybersecurity researchers have charted the evolution of INC from a nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no fewer than 830 victims since August 2023.
"The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis researcher Darrel Virtusio said. "United States organizations account for more than 65% of listed victims, with legal services, manufacturing, construction, te
Hackernews · blogs_hackernews · 2026-04-20 · tagged CVE-2026-20184
## ⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust.
There’s also a shift in how attacks run. Slower check-ins, multi-stage payloads, and more code kept in memory. Attackers lean on real tools and normal workflows instead of custom builds. Some cas
Hackernews · blogs_hackernews · 2026-03-28 · CVSS 9.4 · CVE-2026-3055 [CRITICAL]
## Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
"We are now observing aut
Hackernews · blogs_hackernews · 2026-03-24 · CVSS 9.3 · [CRITICAL]
## Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.
The vulnerabilities are listed below -
CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread
CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user session mixup
Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote
Hackernews · blogs_hackernews · 2026-03-19 · CVSS 9.8 · [CRITICAL]
## ThreatsDay Bulletin: FortiGate RaaS, Citrix Exploits, MCP Abuse, LiveChat Phish & More
ThreatsDay Bulletin is back on The Hacker News, and this week feels off in a familiar way. Nothing loud, nothing breaking everything at once. Just a lot of small things that shouldn’t work anymore but still do.
Some of it looks simple, almost sloppy, until you see how well it lands. Other bits feel a little too practical, like they’re already closer to real-world use than anyone wants to admit. And the background noise is getting louder again, the kind people usually ignore.
A few stories are clever in a bad way. Others are just frustrati
Bleepingcomputer · blogs_bleepingcomputer · 2026-02-03
## Wave of Citrix NetScaler scans use thousands of residential proxies
By Bill Toulas
A coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week used tens of thousands of residential proxies to discover login panels.
The activity was observed between January 28 and February 2, and it also focused on enumerating versions of the product, indicating an organized discovery effort.
Threat monitoring platform GreyNoise traced the source of the scanning traffic to more than 63,000 distinct IPs that launched 111,834 sessions. According to the researchers, 79% of the traffic was aimed at Citrix Gateway honeypots.
Roughly 64% of the traffic came from residential proxies, with IPs spread across the globe, appearing as legitimate consumer ISP addresses and
Greynoiseio · blogs_greynoiseio · 2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Wiz · blogs_wiz · 2025-12-01 · CVSS 10.0 · [CRITICAL]
Supply Chain Attacks & AI Vulnerabilities: December Cloud Security Update | Wiz
Welcome back! This edition delivers the latest cloud security highlights: key breaches, unique data findings, and must-watch vulnerabilities. Let’s jump in.
🔍 Highlights
Shai-Hulud 2.0: Ongoing Supply Chain Campaign Referencing Shai-Hulud
A new npm supply-chain campaign referencing Shai-Hulud temporarily compromised packages from Zapier, ENS Domains, PostHog, Postman, and others. This wave leveraged temporarily compromised npm maintainer accounts to publish trojanized versions of legitimate packages from major ecosystems. Wiz observed over 25,000 repositories containing secrets across ~350 unique users.
The malicious packages execute code during the preinstall phase, enabling theft of developer and CI/CD secrets and automated propagation to new repositories. Exfiltration is conducted c
Checkpoint · blogs_checkpoint · 2025-11-17 · CVSS 9.8 · CVE-2025-61882 [CRITICAL]
## 17th November – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th November, please download our Threat Intelligence Bulletin .
TOP ATTACKS AND BREACHES
Cl0p’s Oracle E-Business Suite (CVE-2025-61882) zero-day campaign continues to expand. There are new confirmed breaches at The Washington Post, Logitech, Allianz UK, and GlobalLogic, as well as a newly listed but unconfirmed breach involving the British National Health Service (NHS). The group has leaked data sets rangi
Bleepingcomputer · blogs_bleepingcomputer · 2025-11-17 · CVSS 9.3 · [CRITICAL]
## Pennsylvania AG confirms data breach after INC Ransom attack
By Sergiu Gatlan
The office of Pennsylvania's attorney general has confirmed that the ransomware gang behind an August 2025 cyberattack stole files containing personal and medical information.
This comes after Attorney General Dave Sunday confirmed in early September that the incident was a ransomware attack and his office refused to pay the ransom requested by the cybercriminals after they encrypted compromised systems.
"The OAG later learned that certain files may have been accessed without authorization. The OAG reviewed which data may have been involved and learned that certain personal information was contained in some files," said the Pennsylvania Office of the Attorney General (OAG) in a Friday press release.
"Base
Bleepingcomputer · blogs_bleepingcomputer · 2025-11-12 · CVSS 10.0 · CVE-2025-5777 [CRITICAL]
## Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks
By Bill Toulas
An advanced threat actor exploited the critical vulnerabilities "Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Services Engine (ISE), as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before they were disclosed publicly and patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigatio
Trendmicro · blogs_trendmicro · 2025-10-22
Cyber Threats
# The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns
Trend™ Research examines the complex collaborative relationship between China-aligned APT groups via the new “Premier Pass-as-a-Service” model, exemplified by the recent activities of Earth Estries and Earth Naga.
By: Daniel Lunghi, Leon M Chang
2025/10/22
## Key takeaways
- “Premier Pass-as-a-Service” describes the emerging trend of advanced collaboration tactics between multiple China-aligned APT groups, notably Earth Estries and Earth Naga, that are making modern cyberespionage campaigns even more complex.
- The case study discussed in this blog entry shows the model in action between these two groups, with Earth Estries acting as an access broker to E
Bleepingcomputer · blogs_bleepingcomputer · 2025-08-26 · CVSS 9.2 · CVE-2025-7775 [CRITICAL]
## Citrix fixes critical NetScaler RCE flaw exploited in zero-day attacks
By Lawrence Abrams
Citrix fixed three NetScaler ADC and NetScaler Gateway flaws today, including a critical remote code execution flaw tracked as CVE-2025-7775 that was actively exploited in attacks as a zero-day vulnerability.
The CVE-2025-7775 flaw is a memory overflow bug that can lead to unauthenticated, remote code execution on vulnerable devices.
In an advisory released today, Citrix states that this flaw was observed being exploited in attacks on unpatched devices.
"As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the
Tenable · blogs_tenable · 2025-08-26 · CVSS 9.2 · [CRITICAL]
CVE-2025-7775 Citrix RCE Zero-day
Bleepingcomputer · blogs_bleepingcomputer · 2025-08-13 · CVSS 9.3 · [CRITICAL]
## Pennsylvania attorney general's email, site down after cyberattack
By Sergiu Gatlan
"We are taking steps to determine the cause of the cyber incident, and working to restore services on all avenues. Office of Attorney General staff are continuing to advocate on behalf of the Commonwealth and are working with supervisors to minimize any interruptions."
Pennsylvania's attorney general has yet to attribute the attack to a specific group officially. However, the incident's widespread and crippling impact bears all the signs of a ransomware attack, even though no ransomware operation has claimed responsibility to date.
While incident responders continue to work on restoring impacted systems, the website of Pennsylvania's Attorney General was still offline at the time this article was pub
Bleepingcomputer · blogs_bleepingcomputer · 2025-08-12 · CVSS 9.3 · CVE-2025-5777 [CRITICAL]
## Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug
By Sergiu Gatlan
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
Tracked as CVE-2025-5777 and referred to as CitrixBleed 2 , this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions remotely on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Successfully exploiting this security flaw could enable threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways a
Bleepingcomputer · blogs_bleepingcomputer · 2025-08-11 · CVSS 9.2 · CVE-2025-6543 [CRITICAL]
## Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs
By Bill Toulas
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
The critical flaw is a memory overflow bug that allows unintended control flow or a denial of service state on impacted devices.
"Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server," explains Citrix's advisory.
Citrix issued a bulletin about the flaw on June 25, 2025, warning that the following versions were vulnerable to on
Tenable · blogs_tenable · 2025-07-18
Cybersecurity Snapshot: AI Security Tools Embraced by Cyber Teams, Survey Finds, as Vulnerability Research Gets a Boost from UK Cyber Agency
Bleepingcomputer · blogs_bleepingcomputer · 2025-07-17 · CVSS 9.3 · CVE-2025-5777 [CRITICAL]
## Citrix Bleed 2 exploited weeks before PoCs as Citrix denied attacks
By Lawrence Abrams
A critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2," was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were made public, despite Citrix stating that there was no evidence of attacks.
GreyNoise has confirmed its honeypots detected targeted exploitation from IP addresses located in China on June 23, 2025.
"GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept (PoC) was released on July 4," explains GreyNoise.
"We created a tag on July 7 to track this activi
Greynoiseio · blogs_greynoiseio · 2025-07-16 · CVSS 9.3 · [CRITICAL]
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
Bleepingcomputer · blogs_bleepingcomputer · 2025-07-11 · CVSS 9.4 · CVE-2025-5777 [CRITICAL]
## CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
By Bill Toulas
The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue.
The agency added the flaw to its Known Exploited Vulnerabilities (KEV) catalog yesterday, ordering federal agencies to implement mitigations by the end of today, July 11.
CVE-2025-5777 is a critical memory safety vulnerability (out-of-bounds memory read) that gives an una
Bleepingcomputer
Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
blogs_bleepingcomputer·2025-07-07·CVSS 9.4
CVE-2025-5777 [CRITICAL] Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
## Public exploits released for Citrix Bleed 2 NetScaler flaw, patch now
## Lawrence Abrams
Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens.
The CitrixBleed 2 vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows attackers to retrieve memory contents simply by sending malformed POST requests during login attempts.
This critical flaw is named CitrixBleed2 as it closely resembles the original CitrixBleed (CVE-2023-4966) bug from 2023, which was exploited by ransomware gangs and in attacks on governments to hijack user sessions and breach networks.
In technical analyses
Checkpoint
7th July – Threat Intelligence Report
blogs_checkpoint·2025-07-07
CVE-2025-6463 7th July – Threat Intelligence Report
## 7th July – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th July, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The International Criminal Court (ICC) disclosed a sophisticated cyber-security incident in late June 2025, its second such event in recent years. The intrusion, which occurred in June 2025, was promptly detected and contained, and the full extent of the impact is under investigation.
Australian airline Qantas suffered a cyber i
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5777 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.
On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.
## What are the vulnerabilities?
### CVE-2025-5777: Memory Overread via Crafted
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5349 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.
On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.
## What are the vulnerabilities?
## CVE-2025-5349: Improper Access Control on
Wiz
Crying Out Cloud Newsletter - July 2025 | Wiz
blogs_wiz·2025-07-01·CVSS 7.2
[HIGH] Crying Out Cloud Newsletter - July 2025 | Wiz
Cloud security is constantly evolving, and the Wiz Research team is dedicated to keeping you informed. The past month has seen significant vulnerabilities discovered, and there have been a few security incidents affecting cloud users.
We've compiled a shortlist of the most relevant developments. Here are our top picks!
## 🔍 Highlights
## Cryptojacking Campaign Targets Misconfigured DevOps Tools
Wiz Threat Research identified a cryptojacking campaign, attributed to the threat actor JINX-0132, actively exploiting misconfigured and publicly exposed DevOps tools—including HashiCorp Nomad, HashiCorp Consul, Docker, and Gitea—to deploy XMRig-based Monero miners.
JINX-0132 targets exposed Nomad servers lacking ACL protections by submitting malicious jobs through the API, effectively gaining
Tenable
CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
blogs_tenable·2025-06-27·CVSS 9.3
[CRITICAL] CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
Bleepingcomputer
Citrix warns of NetScaler vulnerability exploited in DoS attacks
blogs_bleepingcomputer·2025-06-25·CVSS 9.3
CVE-2025-6543 [CRITICAL] Citrix warns of NetScaler vulnerability exploited in DoS attacks
## Citrix warns of NetScaler vulnerability exploited in DoS attacks
## Lawrence Abrams
Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.
"Exploits of CVE-2025-6543 on unmitigated appliances have been observed," warns Citrix's advisory.
Tracked internally as CTX694788, CVE-2025-6543 is a critical flaw impacting NetScaler ADC and NetScaler Gateway and can be triggered by unauthenticated, remote requests, leading the appliance to go offline.
The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.
It only affects NetScaler device
Bleepingcomputer
New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
blogs_bleepingcomputer·2025-06-25·CVSS 9.4
CVE-2025-5777 [CRITICAL] New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
## New 'CitrixBleed 2' NetScaler flaw let hackers hijack sessions
## Bill Toulas
A recent vulnerability in Citrix NetScaler ADC and Gateway is dubbed "CitrixBleed 2," after its similarity to an older exploited flaw that allowed unauthenticated attackers to hijack authentication session cookies from vulnerable devices.
Last week, Citrix published a security bulletin warning about flaws tracked as CVE-2025-5777 and CVE-2025-5349 that impact NetScaler ADC and Gateway versions before 14.1-43.56, releases before 13.1-58.32, and also 13.1-37.235-FIPS/NDcPP and 12.1-55.328-FIPS.
CVE-2025-5777 is a critical flaw caused by an out-of-bounds memory read, allowing unauthenticated attackers to access portions of memory that they should not have access to.
This flaw impacts NetScaler devices
Checkpoint
23rd June – Threat Intelligence Report
blogs_checkpoint·2025-06-23
CVE-2025-23121 23rd June – Threat Intelligence Report
## 23rd June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Scania, a Swedish manufacturer of heavy trucks and engines, has suffered a data breach that resulted in the theft of insurance claim documents from its Financial Services systems via compromised credentials of an external IT partner. The stolen data is likely to contain personal, financial, or medical information. The attack ha
Greynoiseio
NoiseLetter July 2025
blogs_greynoiseio
NoiseLetter July 2025
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://citrixbleed.com
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- https://www.bleepingcomputer.com/news/security/cisa-tags-citrix-bleed-2-as-exploited-gives-agencies-a-day-to-patch/
- https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
- https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
- https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
- https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-5777
Published: 2025-06-17
Added to CISA KEV: 2025-07-10
Exploited in the wild