citrix


Critical CitrixBleed 2 vulnerability has been under active exploit for weeks

A critical vulnerability allowing hackers to bypass multifactor authentication in network management devices made by Citrix has been actively exploited for more than a month, researchers said. The finding is at odds with advisories from the vendor saying there is no evidence of in-the-wild exploitation.

Tracked as CVE-2025-5777, the vulnerability shares similarities with CVE-2023-4966, a security flaw nicknamed CitrixBleed, which led to the compromise of 20,000 Citrix devices two years ago. The list of Citrix customers hacked in the CitrixBleed exploitation spree included Boeing, Australian shipping company DP World, Commercial Bank of China, and the Allen & Overy law firm. A Comcast network was also breached, allowing threat actors to steal password data and other sensitive information belonging to 36 million Xfinity customers.

Giving attackers a head start

Both CVE-2025-5777 and CVE-2023-4966 reside in Citrix’s NetScaler Application Delivery Controller and NetScaler Gateway, which provide load balancing and single sign-on in enterprise networks, respectively. The vulnerability causes vulnerable devices to leak—or “bleed”—small chunks of memory contents after receiving modified requests sent over the Internet.

By repeatedly sending the same requests, hackers can piece together enough data to reconstruct credentials. The original CitrixBleed had a severity rating of 9.8. CitrixBleed 2 has a severity rating of 9.2.

Citrix disclosed the newer vulnerability and released a security patch for it on June 17. In an update published nine days later, Citrix said it was “currently unaware of any evidence of exploitation.” The company has provided no updates since then.

Researchers, however, say that they have found evidence that CitrixBleed 2, as the newer vulnerability is being called, has been actively exploited for weeks. Security firm Greynoise said Monday that a search through its honeypot logs found exploitation as early as July 1. On Tuesday, independent researcher Kevin Beaumont said telemetry from those same honeypot logs indicates that CitrixBleed 2 has been exploited since at least June 23, three days before Citrix said it had no evidence of such attacks.

Citrix’s failure to disclose active exploitation is only one of the details researchers say was missing from the advisories. Last week, security firm watchTowr published a post titled “How Much More Must We Bleed? – Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777).” It criticized Citrix for withholding indicators that customers could use to determine if their networks were under attack. On Monday, fellow security firm Horizon3.ai said much the same thing. Company researchers wrote:



Basecamp-maker 37Signals says its “cloud exit” will save it $10M over 5 years

Lots of pointing at clouds

AWS made data transfer out of AWS free for customers who were moving off their servers in March, spurred in part by European regulations. Trade publications are full of trend stories about rising cloud costs and explainers on why companies are repatriating. Stories of major players’ cloud reversals, like that of Dropbox, have become talking points for the cloud-averse.

Not everyone believes the sky is falling. Lydia Leong, a cloud computing analyst at Gartner, wrote on her own blog about how “the myth of cloud repatriation refuses to die.” A large part of this, Leong writes, is in how surveys and anecdotal news stories confuse various versions of “repatriation,” from leaving managed service providers to moving to self-hosted infrastructure.

“None of these things are in any way equivalent to the notion that there’s a broad or even common movement of workloads from the cloud back on-premises, though, especially for those customers who have migrated entire data centers or the vast majority of their IT estate to the cloud,” writes Leong.

Both Leong and Rich Hoyer, director of the FinOps group at SADA, suggest that framing the issue as simply “cloud versus on-premises” is too simplistic. A poorly architected split between cloud and on-prem, vague goals and measurements of cloud “cost” and “success,” and fuzzy return-on-investment math, Hoyer writes, are feeding alarmist takes on cloud costs.

For its part, AWS has itself testified that it faces competition from the on-premises IT movement, although it did so as part of a “Cloud Services Market Investigation” by UK market competition authorities. Red Hat and Citrix have suggested that, at a minimum, hybrid approaches have regained ground after a period of cloud primacy.

Those kinds of measured approaches don’t have the same broad reach as declaring an “exit” and putting a very round number on it, but it’s another interesting data point.

Ars has reached out to AWS and will update this post with comment.
