Jul 16, 2025 • GreyNoise Blog
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public
Executive Summary
GreyNoise has identified active exploitation of CVE-2025-5777, dubbed CitrixBleed 2, affecting Citrix NetScaler appliances. This memory overread vulnerability was actively targeted starting June 23, significantly preceding the public release of a proof-of-concept exploit on July 4. This timeline indicates threat actors possessed prior knowledge or independently discovered the flaw before public disclosure, heightening the risk for unpatched organizations. The exploitation suggests an immediate threat to confidentiality and potential system compromise via initial access vectors. While specific threat actors remain unidentified, the early exploitation window underscores the urgency of patching. Organizations utilizing Citrix NetScaler should prioritize immediate mitigation measures, including applying vendor patches and monitoring network traffic for anomalous activity. This trend highlights attacker sophistication leveraging vulnerabilities before signatures are available, necessitating proactive vulnerability management strategies to prevent access and exfiltration attempts.
Summary
GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.