Critical Citrix Vulnerability Exposed to Active Exploitation Despite Vendor Claims

A critical vulnerability in Citrix's NetScaler devices has been actively exploited for over a month, bypassing multifactor authentication (MFA) and compromising sensitive data. Tracked as CVE-2025-5777, this flaw resembles the 2023 CitrixBleed incident, which affected 20,000 devices, including those of Boeing, DP World, and Commercial Bank of China. The new vulnerability, rated 9.2 in severity, allows attackers to extract memory contents, reconstruct credentials, and gain administrative access.
Despite Citrix releasing a patch on June 17, researchers have evidence of exploitation as early as June 23, contradicting the company's claims of no in-the-wild attacks. Security firm GreyNoise and independent researcher Kevin Beaumont detected exploit attempts targeting the doAuthentication.do endpoint, with thousands of login requests per day.
Critics argue that Citrix's lack of transparency, specifically its withholding of indicators of compromise, has hindered detection and response. Security firms such as watchTowr and Horizon3.ai have criticized this approach, emphasizing the need for clearer guidance to help organizations identify and mitigate breaches.
Citrix has not confirmed active exploitation but stated its commitment to transparency. However, the absence of detailed indicators has left customers with a false sense of security, as patches alone may not fully protect against sophisticated attacks. Organizations are advised to apply patches and monitor for signs of compromise to safeguard their networks.
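As an added illustration of the monitoring the article recommends (this is example code written for this page, not code from Citrix, GreyNoise, or any researcher cited above), the following Python script parses access-log lines in a constructed format, counts requests to the doAuthentication.do endpoint per client, and flags any client whose requests to that endpoint exceed a burst threshold within a sliding window, alongside a per-day total that can be compared against a site's normal baseline. The log line format, the threshold and window values, and the IP addresses are all assumptions; nothing here is a vendor-published indicator of compromise.

```python
"""Flag unusual request volume to the doAuthentication.do endpoint.

Added example for this article. The log format below is constructed for
illustration; adapt the regex to whatever access-log format your
NetScaler logs are actually shipped in.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) line format: "<ISO8601 UTC timestamp> <client-ip> <method> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)
TARGET = "doAuthentication.do"  # endpoint named in the article; matched on the path's last segment

# Constructed sample log: one client hammering the auth endpoint, plus ordinary traffic
# and one malformed line. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-06-23T09:00:01Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:03Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:04Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:06Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:09Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:12Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:15Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:00:20Z 203.0.113.7 POST /doAuthentication.do 200
2025-06-23T09:10:00Z 198.51.100.2 POST /doAuthentication.do 200
2025-06-23T09:10:02Z 192.0.2.9 GET /logon/LogonPoint/index.html 200
2025-06-23T17:45:00Z 198.51.100.2 POST /doAuthentication.do 200
this line is deliberately malformed and must be skipped
2025-06-24T08:00:00Z 192.0.2.9 POST /doAuthentication.do 200
"""


def parse(lines):
    """Parse log lines into (timestamp, ip, method, path, status) tuples.

    Malformed lines are skipped rather than aborting the scan, so one bad
    record cannot hide the rest of the day's traffic.
    """
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return events


def is_auth_request(path):
    """True when the request path ends in the doAuthentication.do endpoint."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1] == TARGET


def auth_bursts(events, window=timedelta(minutes=1), threshold=5):
    """Return {ip: peak_count} for clients whose requests to the auth endpoint
    exceed `threshold` inside any sliding window of length `window`.

    Threshold and window are assumed starting values; tune them against
    the legitimate login rate of the gateway being monitored.
    """
    per_ip = defaultdict(list)
    for ts, ip, _, path, _ in events:
        if is_auth_request(path):
            per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # slide the window start forward until it fits within `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def daily_auth_totals(events):
    """Return {"YYYY-MM-DD": count} of auth-endpoint requests per day, for
    comparison against the gateway's normal daily login volume."""
    totals = defaultdict(int)
    for ts, _, _, path, _ in events:
        if is_auth_request(path):
            totals[ts.strftime("%Y-%m-%d")] += 1
    return dict(totals)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    print("daily totals:", daily_auth_totals(evs))
    print("burst sources:", auth_bursts(evs))
```

On the constructed sample the burst check flags only 203.0.113.7 (eight auth requests in under twenty seconds); the two ordinary clients fall below the threshold. In practice a volume check like this is a triage signal, not proof of compromise: it tells you which sources and time ranges deserve a closer look in the full request and session logs.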
Published: 7/9/2025