Citrix Bleed 2 Vulnerability: Over 11.5 Million Attacks Linked to China, 4,500 Devices Still at Risk
July 18, 2025
Citrix's critical vulnerability, known as Citrix Bleed 2 or CVE-2025-5777, has been actively exploited since June 23, 2025, nearly two weeks before proof-of-concept exploits became public, with attackers targeting specific systems from IP addresses in China.
Despite evidence of ongoing exploitation and targeted attacks, Citrix initially denied active threats, only acknowledging the issue publicly after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) included the vulnerability in its 'Known Exploited Vulnerabilities Catalog' on July 10, 2025.
GreyNoise confirmed that the attacks were targeted, originating from China, and that over 11.5 million attack attempts had been made by mid-July, primarily in the USA, Spain, and Japan.
Security researcher Kevin Beaumont identified that more than 120 companies have been compromised through this vulnerability, which affects Citrix NetScaler devices, with over 4,500 still vulnerable as of mid-July.
Citrix has released patched builds for NetScaler ADC and NetScaler Gateway and urges immediate upgrades, stating that no workaround or mitigation is effective other than patching. Because session tokens leaked before the upgrade remain valid afterwards, Citrix's advisory also instructs administrators to terminate all active ICA and PCoIP sessions (kill icaconnection -all and kill pcoipConnection -all) once every appliance in an HA pair or cluster is running a fixed build.
The vulnerability, rated critical with a CVSS score of 9.3, is a pre-authentication memory overread: a malformed login request makes the appliance return memory contents in its response, which can include valid session tokens and other sensitive data. Citrix attributes the flaw to insufficient input validation on NetScaler instances configured as a Gateway or AAA virtual server.
The first exploitation attempts were observed on June 23, 2025, within a week of the patches being released and nearly two weeks before proof-of-concept exploits became publicly available.
Citrix has faced criticism for its slow response and inadequate communication, especially regarding the effectiveness of its Web Application Firewall (WAF) in blocking these attacks.
Security experts, including Beaumont, have expressed dissatisfaction with Citrix's limited guidance for administrators and the overall handling of the vulnerability.
Experts like Beaumont have provided guidance on identifying indicators of compromise, such as unusual IP address changes and specific error messages, urging administrators to conduct comprehensive session reviews.
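The session review described above comes down to one question per session: did the client IP change while the session was active? A stolen token replayed by an attacker shows up as the same session ID arriving from a second address. The script below is an added example, not Beaumont's or Citrix's code; the record format ("timestamp user session_id client_ip") and the sample lines are constructed for illustration, so the parser has to be adapted to whatever session export or log extraction a given environment produces. The optional /24 filter is an assumption about how to suppress carrier-NAT churn, not a recommendation from the page.

```python
"""Flag NetScaler sessions whose client IP changed mid-session.

CVE-2025-5777 leaks session tokens from memory; an attacker who replays a
stolen token appears as an existing session ID coming from a new client IP.
The record format and sample data below are constructed for this example
(hypothetical, not a real NetScaler export format).
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records: "timestamp user session_id client_ip".
# SESS-1001 jumps to an unrelated network (hijack-like); SESS-3003 moves
# within one /24 (NAT-like); SESS-2002 never changes.
SAMPLE_RECORDS = """\
2025-07-01T08:02:11Z alice  SESS-1001 203.0.113.10
2025-07-01T08:05:42Z alice  SESS-1001 203.0.113.10
2025-07-01T08:07:09Z alice  SESS-1001 198.51.100.77
2025-07-01T09:10:00Z bob    SESS-2002 192.0.2.45
2025-07-01T09:12:30Z bob    SESS-2002 192.0.2.45
2025-07-01T10:00:00Z carol  SESS-3003 192.0.2.99
2025-07-01T10:01:00Z carol  SESS-3003 192.0.2.100
"""


@dataclass(frozen=True)
class SessionEvent:
    ts: datetime
    user: str
    session_id: str
    client_ip: str


def parse_records(text: str) -> list[SessionEvent]:
    """Parse the constructed whitespace-separated format, oldest event first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, sid, ip = line.split()
        ip_address(ip)  # reject garbage IPs early (raises ValueError)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(SessionEvent(when, user, sid, ip))
    return sorted(events, key=lambda e: e.ts)


def same_prefix(a: str, b: str, bits: int) -> bool:
    """True if both addresses share the same leading `bits` (same IP version)."""
    na, nb = ip_address(a), ip_address(b)
    if na.version != nb.version:
        return False
    shift = na.max_prefixlen - bits
    return (int(na) >> shift) == (int(nb) >> shift)


def find_ip_changes(events: list[SessionEvent],
                    ignore_same_prefix: int | None = None) -> dict[str, list[tuple]]:
    """Return {session_id: [(iso_ts, previous_ip, new_ip), ...]} for every
    session observed from more than one client IP.

    With ignore_same_prefix=24, a change that stays inside one IPv4 /24 is
    treated as benign address churn and not reported (an assumption for
    this example; tune or drop it for your network).
    """
    last_ip: dict[str, str] = {}
    changes: dict[str, list[tuple]] = defaultdict(list)
    for e in events:
        prev = last_ip.get(e.session_id)
        if prev is not None and prev != e.client_ip:
            suppressed = (ignore_same_prefix is not None
                          and same_prefix(prev, e.client_ip, ignore_same_prefix))
            if not suppressed:
                changes[e.session_id].append((e.ts.isoformat(), prev, e.client_ip))
        last_ip[e.session_id] = e.client_ip
    return dict(changes)


if __name__ == "__main__":
    evs = parse_records(SAMPLE_RECORDS)
    for sid, hops in find_ip_changes(evs).items():
        user = next(e.user for e in evs if e.session_id == sid)
        for when, src, dst in hops:
            print(f"{sid} ({user}): client IP changed {src} -> {dst} at {when}")
```

Run against the sample, the unfiltered pass reports SESS-1001 and SESS-3003; with `ignore_same_prefix=24` only SESS-1001 remains. Any session flagged this way should be terminated and the account's credentials and MFA enrolments reviewed, since the attacker may already have used the session to act as the user.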
A scan of more than 25,000 internet-exposed NetScaler instances found approximately 3,829 still unpatched as of July 18, 2025, several hundred of them in Germany.
Summary based on 2 sources
Sources

BleepingComputer • Jul 17, 2025
Citrix Bleed 2 exploited weeks before PoCs as Citrix denied attacks