New ‘CitrixBleed 2’ NetScaler flaw let hackers hijack sessions www.bleepingcomputer.com/news/secu…

A recent vulnerability in Citrix NetScaler ADC and Gateway has been dubbed “CitrixBleed 2” because of its similarity to an older, exploited flaw that let unauthenticated attackers hijack authentication session cookies from vulnerable devices.

Last week, Citrix published a security bulletin warning about flaws tracked as CVE-2025-5777 and CVE-2025-5349 that impact NetScaler ADC and Gateway versions before 14.1-43.56, releases before 13.1-58.32, and also 13.1-37.235-FIPS/NDcPP and 2.1-55.328-FIPS.

While Citrix has not stated whether these flaws are being actively exploited, they do recommend that admins terminate all active ICA and PCoIP sessions as soon as all appliances have been updated.
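As an added example (not from the article, Citrix or Mandiant), the following Python check classifies NetScaler build strings against the fixed builds listed above and only reports a fleet as ready for the session-termination step once every appliance is patched. It assumes the `branch-build` string form used above and that the page's `2.1-55.328-FIPS` entry is the 12.1 FIPS branch.

```python
import re
from typing import Dict, Iterable, Tuple

# Fixed builds as summarised above from the Citrix bulletin, keyed by
# (release branch, FIPS/NDcPP build?). A build below the listed one on the same
# branch is still affected by CVE-2025-5777 and CVE-2025-5349.
# Assumption: the "2.1-55.328-FIPS" entry above is the 12.1 FIPS branch.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),
    ("12.1", True): (55, 328),  # assumed branch, see note above
}

# Accepts the form used in the bulletin summary, e.g. "13.1-37.200-FIPS".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[str, Tuple[int, int], bool]:
    """Split '13.1-37.200-FIPS' into ('13.1', (37, 200), True)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build_major, build_minor, hardened = m.groups()
    return branch, (int(build_major), int(build_minor)), hardened is not None


def assess(text: str) -> str:
    """Classify one appliance as 'patched', 'vulnerable' or 'unknown-branch'."""
    branch, build, hardened = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, hardened))
    if fixed is None:
        # A branch the bulletin summary does not list: flag it for manual review
        # instead of silently treating it as safe.
        return "unknown-branch"
    return "patched" if build >= fixed else "vulnerable"


def fleet_ready_for_session_kill(versions: Iterable[str]) -> bool:
    """True only when every appliance reports a fixed build, which is the point
    at which the bulletin says active ICA and PCoIP sessions should be terminated."""
    return all(assess(v) == "patched" for v in versions)


if __name__ == "__main__":
    # Constructed sample inventory, not real appliances.
    fleet = ["14.1-43.56", "13.1-58.31", "13.1-37.235-NDcPP", "13.0-90.1"]
    for v in fleet:
        print(f"{v:24} {assess(v)}")
    print("terminate sessions now:", fleet_ready_for_session_kill(fleet))
```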

In a LinkedIn post, Mandiant CTO Charles Carmakal warns that it is essential to kill sessions after updating devices to prevent previously stolen sessions from being used even after devices are no longer vulnerable.

“Many organizations did not terminate sessions when remediating a similar vulnerability in 2023 (CVE-2023-4966 aka ‘Citrix Bleed’),” warns Carmakal.

“In those cases, session secrets were stolen before companies patched, and the sessions were hijacked after the patch. Many of those compromises resulted in nation-state espionage or ransomware deployment.”
