SEE ALSO - Alert: CISA Adds One Known Exploited Vulnerability to Catalog (Release Date: July 10, 2025)
July 11, 2025 By Bill Toulas

The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short deadline for installing patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, and it shows the severity of the attacks exploiting the security issue.
The agency added the flaw to the KEV catalog yesterday, ordering federal agencies to implement mitigations by the end of today, June 11.
CVE-2025-5777 is a critical memory safety vulnerability (out-of-bounds memory read) that gives an unauthenticated attacker access to restricted parts of memory.
The issue impacts NetScaler devices that are configured as a Gateway or an AAA virtual server, in versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 2.1-55.328-FIPS.
Citrix addressed the vulnerability through updates released on June 17.