The vulnerability CVE-2025-5777, known as “CitrixBleed 2,” affects Citrix NetScaler ADC and Gateway and has been actively exploited following the release of a public Proof-of-Concept. Numerous Italian organizations, including public administrations and financial institutions, remain vulnerable due to delayed patching, prompting urgent mitigation efforts. #CVE20255777 #CitrixBleed2 #CERTAGID
Keypoints
- The CVE-2025-5777 vulnerability affects Citrix NetScaler ADC and Gateway and was disclosed and patched in June 2025.
- A public Proof-of-Concept has led to active exploitation attempts, particularly targeting Italian organizations.
- Over 70 Italian domains, including public administrations, banks, and insurance agencies, remain potentially vulnerable.
- The vulnerability arises from insufficient input validation allowing remote unauthenticated attackers to access uninitialized memory data.
- Successful exploitation can bypass multi-factor authentication, hijack active sessions, and access critical systems.
- Potential impacts include data breaches, ransomware attacks, and operational disruptions.
- Mitigation includes applying patches, terminating active sessions post-update, and monitoring logs for suspicious activities.
MITRE Techniques
- [T1204] User Execution – Exploitation involves an unauthenticated attacker sending specially crafted HTTP POST requests to the Citrix Gateway login endpoint (‘…an unauthenticated remote attacker sends specially crafted requests allowing extraction of uninitialized memory data…’).
- [T1078] Valid Accounts – The vulnerability enables attackers to bypass multi-factor authentication and hijack active user sessions (‘…bypass MFA and hijack active user sessions…’).
- [T1027] Obfuscated Files or Information – Usage of specially formatted XML tags like to leak sensitive memory contents (‘…the server responds with an XML structure containing tag exposing uninitialized memory data…’).
Indicators of Compromise
- [Domain] Potentially vulnerable Italian domains – Over 70 domains including those of public administrations, banks, and insurance agencies.
- [Network Traffic] Exploit HTTP requests – Example: POST /login HTTP/1.1 with parameter “login” without value (e.g., ‘login’ instead of ‘login=username’).
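The request shape listed above (a POST to the login endpoint whose form body carries the field name “login” with no “=” and no value) is simple enough to check mechanically in access or WAF logs. The following is an added detection example, not code from CERT-AGID or Citrix; it assumes requests are available as raw HTTP text or as (method, path, body) records, and the sample requests in it are constructed for illustration.

```python
"""Detection helper for CVE-2025-5777 (CitrixBleed 2) exploit attempts.

It keys on the request shape reported in the advisory: a POST to the Gateway
login endpoint whose x-www-form-urlencoded body contains the bare field name
'login' (no '=' and no value) instead of 'login=<username>'.
"""
from typing import Iterable, List, Tuple

# A request record as (method, path, body).
Request = Tuple[str, str, str]

# Constructed samples for illustration; these are not captures from real traffic.
SAMPLE_REQUESTS: List[Request] = [
    ("POST", "/login", "login=alice&passwd=hunter2"),  # ordinary login form
    ("POST", "/login", "login"),                        # bare parameter: exploit shape
    ("POST", "/login", "login&passwd=x"),               # bare parameter mixed with other fields
    ("POST", "/login", "login="),                       # empty value, still a well-formed field
    ("GET",  "/login", ""),                             # page load, no body
    ("POST", "/other", "login"),                        # hypothetical non-login path, out of scope
]


def parse_raw_request(raw: str) -> Request:
    """Turn a raw HTTP/1.1 request (request line, headers, blank line, body)
    into a (method, target, body) record. Assumes a well-formed request line."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    return (method, target, body.strip())


def has_bare_login_param(body: str) -> bool:
    """True if the form body has a field named exactly 'login' with no '='.
    'login=' (empty value) is treated as an ordinary field and not flagged."""
    return any(field == "login" for field in body.split("&"))


def is_citrixbleed2_attempt(req: Request) -> bool:
    """Match the exploit shape: POST to /login with a bare 'login' field."""
    method, target, body = req
    path = target.split("?", 1)[0]  # ignore any query string
    return method.upper() == "POST" and path == "/login" and has_bare_login_param(body)


def scan(requests: Iterable[Request]) -> List[int]:
    """Return the indices of the requests that match the exploit shape."""
    return [i for i, req in enumerate(requests) if is_citrixbleed2_attempt(req)]


if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print("suspect request", i, SAMPLE_REQUESTS[i])
```

A hit on this rule is a strong signal to check the host's patch level, review the session table for hijacked sessions, and terminate active sessions as the advisory recommends; the rule is deliberately narrow and will not catch variants that use a different endpoint or encoding.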
Read more: https://cert-agid.gov.it/news/vulnerabilita-critica-in-citrix-riscontrata-su-host-italiani/