A critical and closely watched vulnerability in Citrix NetScaler has reached the early stages of active exploitation, according to a blog post published Friday by Reliaquest.
Researchers said they have seen indications that the vulnerability in NetScaler Gateway is being used for initial access into targeted environments.
The vulnerability, tracked as CVE-2025-5777, is related to insufficient input validation that leads to memory overread when NetScaler is configured as Gateway, according to an advisory from Citrix.
The flaw allows an attacker to extract session tokens and impersonate legitimate users, according to Brandon Tirado, director of threat research at Reliaquest. The tokens allow an adversary to bypass multifactor authentication and engage in session hijacking.
“While attribution is unclear, the activity could align with both financially motivated ransomware actors and nation-state groups,” Tirado told Cybersecurity Dive.
The vulnerability has raised major concerns in the security community, given that a prior flaw in the same product in 2023, tracked as CVE-2023-4966, became one of the most widely exploited bugs in recent memory, earning the nickname “CitrixBleed.”
That vulnerability featured in several major attacks, including a ransomware attack against Boeing and a major attack on Comcast’s Xfinity broadband unit that impacted 36 million customers.
Even after the initial attack frenzy, hackers continued exploiting the vulnerability on systems where customers had already applied patches to address the flaw. Comcast said that it followed mitigation instructions before it was targeted.
Many of the attacks were linked to the notorious ransomware group LockBit 3.0.
Cloud Software Group released a blog post Thursday to address CVE-2025-5777, as well as a separate, newly disclosed zero-day vulnerability tracked as CVE-2025-6543. The company confirmed active exploitation of the latter flaw but said there was no evidence of CVE-2025-5777 being exploited.
Cloud Software Group said it was aware of the comparisons between CVE-2025-5777 and the CitrixBleed vulnerability from 2023 but said there is currently no evidence the flaws are related. Citrix is one of multiple technology brands operating under Cloud Software Group.
The company endured widespread criticism over its handling of CitrixBleed in 2023, in part because of confusion about the level of communication with customers and concerns about the guidance provided to security teams.
In the blog post released Thursday, the company asked customers to contact it if they believe they have been compromised, and released a detailed set of frequently asked questions to address the threat activity.