A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.

Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago. The list of Citrix customers hacked in the CitrixBleed exploitation spree included Boeing, Australian shipping company DP World, Commercial Bank of China, and the Allen & Overy law firm. A Comcast network was also breached, allowing threat actors to steal password data and other sensitive information belonging to 36 million Xfinity customers.

Giving attackers a head start

Both CVE-2025-5777 and CVE-2023-4966 reside in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. The vulnerability causes vulnerable devices to leak—or “bleed”—small chunks of memory contents after receiving modified requests sent over the Internet.

By repeatedly sending the same requests, hackers can piece together enough data to reconstruct credentials. The original CitrixBleed had a severity rating of 9.8. CitrixBleed 2 has a severity rating of 9.2.

Citrix disclosed the newer vulnerability and released a security patch for it on June 17. In an update published nine days later, Citrix said it was “currently unaware of any evidence of exploitation.” The company has provided no updates since then.

Researchers, however, say that they have found evidence that CitrixBleed 2, as the newer vulnerability is being called, has been actively exploited for weeks. Security firm Greynoise said Monday that a search through its honeypot logs found exploitation as early as July 1. On Tuesday, independent researcher Kevin Beaumont said telemetry from those same honeypot logs indicates that CitrixBleed 2 has been exploited since at least June 23, three days before Citrix said it had no evidence of such attacks.

Citrix’s failure to disclose active exploitation is only one of the details researchers say was missing from the advisories. Last week, security firm watchTowr published a post titled "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)." It criticized Citrix for withholding indicators that customers could use to determine if their networks were under attack. On Monday, fellow security firm Horizon3.ai said much the same thing. Company researchers wrote: