A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.
Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago. The list of Citrix customers hacked in the CitrixBleed exploitation spree included Boeing, Australian shipping company DP World, Commercial Bank of China, and the Allen & Overy law firm. A Comcast network was also breached, allowing threat actors to steal password data and other sensitive information belonging to 36 million Xfinity customers.
Giving attackers a head start
Both CVE-2025-5777 and CVE-2023-4966 reside in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. The vulnerability causes vulnerable devices to leak—or “bleed”—small chunks of memory contents after receiving modified requests sent over the Internet.
