Hackers Started Exploiting CitrixBleed 2 Vulnerability Before Public PoC Disclosure
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
Researchers detected active exploitation of CVE-2025-5777, dubbed CitrixBleed 2, nearly two weeks before a public proof-of-concept surfaced.
This memory overread vulnerability in Citrix NetScaler appliances enables adversaries to exfiltrate sensitive data from kernel space by sending malformed DTLS packets.
Initial reconnaissance and attack patterns were first observed on June 23, while the PoC was not released until July 4. This early exploitation underscores the need for proactive threat intelligence and rapid patch management.
Key Takeaways
1. CitrixBleed 2 (CVE-2025-5777) was actively exploited.
2. Chinese IPs precisely targeted Citrix NetScaler appliances.
3. CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities (KEV) catalog; immediate patching is essential.
The vulnerability carries a CVSS score of 9.8 and stems from improper bounds checking within the SSL processing module.
GreyNoise analysts assigned a dedicated tag to the traffic on July 7, enabling retrospective visibility into pre-PoC attacks across their sensor network.
Citrix NetScaler Vulnerability Exploitation
When researchers deployed sensors emulating Citrix NetScaler instances, they recorded anomalous DTLS handshake sequences originating from IP addresses geolocated in China.
These packets exhibited malformed length fields that violated the DTLS specification, prompting kernel-level responses and revealing memory fragments.
In-depth packet dissection using tools such as Wireshark and Scapy highlighted repeated attempts to trigger the vulnerability.
The malformed packets employed specific TLS record layer values that exceeded buffer boundaries, causing the NetScaler SSL stack to return residual data.
Analysis of threat intelligence feeds revealed a focused campaign against enterprise perimeter devices rather than opportunistic mass scanning.
The malicious IPs avoided bulk exploitation, instead selecting specific network blocks likely containing high-value Citrix NetScaler installations.
This precision targeting suggests a reconnaissance phase where the attackers fingerprinted appliance versions before launching memory overread attempts, consistent with tactics seen in previous state-affiliated operations.
On July 9, the Cybersecurity and Infrastructure Security Agency (CISA) corroborated GreyNoise findings and added CVE-2025-5777 to the Known Exploited Vulnerabilities (KEV) catalog.
CISA’s public advisory urged immediate application of Citrix-provided patches and recommended continuous monitoring for anomalous DTLS traffic with abnormal record length values.
The KEV listing raised awareness across U.S. federal and critical infrastructure sectors and drove faster mitigation efforts.
To counter ongoing exploitation, defenders are advised to apply Citrix’s firmware update and implement network controls that detect or block malformed DTLS records.
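As an added example (not code from the article, GreyNoise or Citrix), the following implements the monitoring recommended above: it walks the DTLS record headers in a UDP datagram and flags any record whose declared length exceeds the specification maximum or the bytes actually present. The sample datagrams are constructed; the page does not give the precise trigger conditions for CVE-2025-5777, so the check encodes only the generic record-length consistency rule.

```python
import struct

# DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2) = 13 bytes (RFC 6347)
DTLS_HEADER_LEN = 13
DTLS_MAX_RECORD = 2**14            # largest record payload the specification permits
DTLS_VERSIONS = {0xFEFF, 0xFEFD}   # DTLS 1.0 and DTLS 1.2 as encoded on the wire

def check_dtls_datagram(data: bytes) -> list:
    """Return a list of findings for the records in one UDP datagram.
    An empty list means every record header is consistent with the datagram."""
    findings = []
    offset = 0
    while offset < len(data):
        remaining = len(data) - offset
        if remaining < DTLS_HEADER_LEN:
            findings.append(f"offset {offset}: truncated record header")
            break
        _ctype, version, _epoch, length = struct.unpack_from("!BHH6xH", data, offset)
        if version not in DTLS_VERSIONS:
            findings.append(f"offset {offset}: unknown version 0x{version:04x}")
        if length > DTLS_MAX_RECORD:
            findings.append(f"offset {offset}: length {length} exceeds DTLS maximum")
        if length > remaining - DTLS_HEADER_LEN:
            findings.append(f"offset {offset}: length {length} exceeds datagram "
                            f"({remaining - DTLS_HEADER_LEN} bytes left)")
            break  # the header lies about its size; do not walk past it
        offset += DTLS_HEADER_LEN + length
    return findings

def is_suspicious(data: bytes) -> bool:
    return bool(check_dtls_datagram(data))

def dtls_record(ctype: int, payload: bytes, declared_len=None) -> bytes:
    """Constructed sample record (DTLS 1.2, epoch 0, sequence 0); declared_len
    lets a test set a length field that disagrees with the real payload."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("!BHH6sH", ctype, 0xFEFD, 0, bytes(6), declared_len) + payload

# Constructed samples for illustration, not captured traffic
WELL_FORMED = dtls_record(22, bytes(32)) + dtls_record(22, bytes(8))
LENGTH_MISMATCH = dtls_record(22, bytes(4), declared_len=512)
OVER_MAXIMUM = dtls_record(23, bytes(4), declared_len=0xFFFF)

if __name__ == "__main__":
    for name, dgram in [("well-formed", WELL_FORMED),
                        ("mismatch", LENGTH_MISMATCH), ("over-max", OVER_MAXIMUM)]:
        print(name, check_dtls_datagram(dgram) or "ok")
```

In practice the check would be fed the UDP payloads destined for the NetScaler DTLS port from a capture or IDS hook, and a hit on a perimeter device should be escalated alongside the patch status of that appliance.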