Critical CitrixBleed 2 vulnerability has been under active exploit for weeks
Summary
Researchers have claimed that a critical vulnerability (CVE-2025-5777, dubbed CitrixBleed 2 for its resemblance to CVE-2023-4966, the original CitrixBleed) has been exploited in the wild for over a month, despite Citrix advisories stating that there was no evidence of in-the-wild exploitation.
Both flaws affect Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which are used for load balancing and single sign-on in enterprise networks.
Both flaws cause the devices to leak (or ‘bleed’) memory contents in their responses to specially crafted requests.
Each response exposes only whatever happens to sit in the affected memory at that moment, so attackers repeat the request and piece the leaked fragments together to recover sensitive credentials.
The original CitrixBleed had a severity rating of 9.8, while CitrixBleed 2 has been given a rating of 9.2.
Citrix released a patch for the vulnerability on 17 June, but said that it was unaware of any exploitation three days prior to this.
Researchers have criticised the company for failing to disclose the in-the-wild exploitation and for not providing customers with sufficient indicators to determine if they are under attack.
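The bleed mechanism the summary describes, as an added toy example written for this page (it is not NetScaler code and not the actual CVE-2025-5777 flaw): a login field is copied into a buffer without guaranteeing a terminator, so the echo routine runs past the field into an adjacent session token; because requests rotate over slots, each response leaks a different fragment and the attacker harvests them across repeated requests. A bounded copy with an explicit terminator closes the hole. The struct layout, slot rotation, token strings and function names are all assumptions.

```c
/* Constructed toy: a memory over-read ("bleed") that leaks a neighbouring
 * secret, harvested over repeated requests, beside the fixed handler.
 * Not NetScaler code; layout, names and tokens are assumptions. */
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16
#define TOKEN_LEN 24
#define SLOTS 3

/* A request slot: the echoed login field sits immediately before a session
 * token belonging to a different, already-authenticated user. */
struct slot {
    char field[FIELD_LEN];
    char token[TOKEN_LEN];     /* NUL-terminated secret, adjacent in memory */
};

static struct slot pool[SLOTS];
static int next_slot;

/* Constructed tokens of other users; the attacker must never see them. */
static const char *const kTokens[SLOTS] = {
    "TOKEN-alice-000001", "TOKEN-bob-000002", "TOKEN-carol-000003"
};

void init_pool(void) {
    for (int i = 0; i < SLOTS; i++) {
        memset(&pool[i], 0, sizeof pool[i]);
        strcpy(pool[i].token, kTokens[i]);
    }
    next_slot = 0;
}

typedef size_t (*handler_fn)(const char *req, size_t req_len, char *out, size_t out_cap);

/* Vulnerable handler: copies up to FIELD_LEN bytes without guaranteeing a
 * terminator, then echoes "up to the first NUL", bounded only by the slot
 * object rather than by field[]. A request of exactly FIELD_LEN bytes leaves
 * no NUL in field, so the scan walks into the adjacent token and echoes it. */
size_t handle_vulnerable(const char *req, size_t req_len, char *out, size_t out_cap) {
    struct slot *s = &pool[next_slot];
    next_slot = (next_slot + 1) % SLOTS;          /* requests rotate over slots */
    size_t n = req_len < FIELD_LEN ? req_len : FIELD_LEN;
    memcpy(s->field, req, n);                     /* BUG: no NUL when n == FIELD_LEN */
    const char *base = (const char *)s;           /* scan stays inside the struct, */
    size_t echo = 0;                              /* but not inside field[]        */
    while (echo < sizeof *s && base[echo] != '\0') echo++;
    if (echo > out_cap - 1) echo = out_cap - 1;
    memcpy(out, base, echo);
    out[echo] = '\0';
    return echo;
}

/* Fixed handler: reserve room for the terminator, write it explicitly, and
 * echo only the bytes actually copied. The token can no longer be reached. */
size_t handle_fixed(const char *req, size_t req_len, char *out, size_t out_cap) {
    struct slot *s = &pool[next_slot];
    next_slot = (next_slot + 1) % SLOTS;
    size_t n = req_len < FIELD_LEN - 1 ? req_len : FIELD_LEN - 1;
    memcpy(s->field, req, n);
    s->field[n] = '\0';
    if (n > out_cap - 1) n = out_cap - 1;
    memcpy(out, s->field, n);
    out[n] = '\0';
    return n;
}

/* Attacker side: send the same terminator-less request repeatedly and keep
 * every distinct fragment that appears beyond the bytes we sent. Returns the
 * number of distinct leaked tokens and stores them in `found`. */
int harvest(handler_fn h, int rounds, char found[SLOTS][TOKEN_LEN]) {
    char req[FIELD_LEN];
    memset(req, 'A', sizeof req);                 /* exactly FIELD_LEN bytes, no NUL */
    int count = 0;
    for (int r = 0; r < rounds; r++) {
        char resp[sizeof(struct slot) + 1];
        size_t len = h(req, sizeof req, resp, sizeof resp);
        if (len <= sizeof req) continue;          /* nothing beyond our own bytes */
        const char *frag = resp + sizeof req;     /* leaked bytes start here */
        int dup = 0;
        for (int i = 0; i < count; i++)
            if (strcmp(found[i], frag) == 0) { dup = 1; break; }
        if (!dup && count < SLOTS) {
            strncpy(found[count], frag, TOKEN_LEN - 1);
            found[count][TOKEN_LEN - 1] = '\0';
            count++;
        }
    }
    return count;
}

int main(void) {
    char found[SLOTS][TOKEN_LEN];
    init_pool();
    int n = harvest(handle_vulnerable, 6, found);
    printf("vulnerable: %d token(s) leaked\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", found[i]);
    init_pool();
    printf("fixed: %d token(s) leaked\n", harvest(handle_fixed, 6, found));
    return 0;
}
```

The attacker never reads anything they did not send in the fixed variant, which is also the property a defender can check for: a response longer than the request field it echoes is the observable symptom of a bleed, even when the leaked bytes look like noise.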