
CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’

The federal cybersecurity watchdog ordered all civilian agencies to immediately patch a vulnerability impacting several NetScaler products used by organizations to manage network traffic.

The Cybersecurity and Infrastructure Security Agency (CISA) added the bug — tracked as CVE-2025-5777 — to its catalog of known exploited vulnerabilities on Thursday afternoon but took the extraordinary step of giving federal civilian agencies just one day to patch it. 

When asked why the bug had the shortest patching deadline ever issued by the agency, CISA Acting Executive Assistant Director for Cybersecurity Chris Butera said the vulnerability — which he referred to by its colloquial name “Citrix Bleed 2” — poses “a significant, unacceptable risk to the security of the federal civilian enterprise.”

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” he said. 

The vulnerability was disclosed three weeks ago, when Citrix published an advisory giving it a CVSS severity score of 9.2 out of 10. The bug affects customers who manage their own NetScaler ADC and NetScaler Gateway appliances, but not those on Citrix-managed cloud services.

Citrix did not respond to requests for comment but released a blog about the vulnerability two weeks ago. 

In that advisory Citrix said exploitation of the vulnerability “on unmitigated appliances have been observed.” Since then, multiple incident responders have warned that the vulnerability is being used to attack organizations.

Researchers published further advisories on ways victims can identify whether they have been attacked and other details necessary for organizations to protect themselves. 

Experts immediately compared the vulnerability to Citrix Bleed, a widely exploited bug in 2023 that was used by ransomware gangs and nation-state hackers to attack dozens of government organizations and major companies, including Boeing and Toyota.

Cybersecurity expert Kevin Beaumont, who first dubbed it “Citrix Bleed 2,” warned that thousands of NetScaler installations are exposed to the internet and said exploitation has been ongoing for about one month. 

Beaumont noted one of the IP addresses tied to recent exploitation of the bug was linked to the RansomHub ransomware group by CISA last year. CISA was previously able to warn more than 300 organizations in 2023 of their exposure to Citrix Bleed.

The U.K.’s National Health Service released its own notice comparing the two vulnerabilities in Citrix’s initial advisory to Citrix Bleed, reiterating that the 2023 bug was heavily exploited by ransomware gangs. CVE-2025-5777 could expose “sensitive information such as session tokens,” the NHS said. 

“Attackers could use these tokens to hijack existing sessions, allowing access into the network, bypassing authentication controls such as multi-factor authentication (MFA),” they added. 
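The session-hijack chain the NHS describes, modeled as an added example that is not part of this article and is not Citrix or NetScaler code: a generic gateway that accepts any valid session token without re-running MFA, an attacker who obtains a live token through the leak rather than through a password or OTP, and the two remediation steps (closing the leak, then terminating every pre-existing session). The `Gateway` class, `leak_memory`, `terminate_all_sessions` and the credentials are all constructed for the example and do not correspond to the appliance's real interfaces.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: int  # logical clock tick; stands in for wall-clock time


class Gateway:
    """Toy model of an authentication gateway: login requires password and
    OTP, after which a bearer session token alone authorises every request."""

    # Constructed demo credentials; nothing here is real.
    PASSWORDS = {"alice": "correct horse battery staple"}
    OTPS = {"alice": "123456"}

    def __init__(self):
        self.sessions = {}        # token -> Session
        self.leak_closed = False  # True once the vulnerable build is patched

    def login(self, user, password, otp, now):
        """Full MFA login. Returns a fresh session token, or None."""
        if self.PASSWORDS.get(user) != password or self.OTPS.get(user) != otp:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, now)
        return token

    def leak_memory(self):
        """Models the information disclosure: on an unpatched build an
        unauthenticated caller gets a live token back. The real bug is a
        memory leak; here it is simplified to handing over one current token."""
        if self.leak_closed or not self.sessions:
            return None
        return next(iter(self.sessions))

    def request(self, token):
        """Authorisation is token-only: MFA is never re-checked. This is the
        property a stolen token exploits."""
        return 200 if token in self.sessions else 401

    def patch(self):
        """Closes the leak. Deliberately leaves existing sessions untouched,
        which is all a firmware update by itself does."""
        self.leak_closed = True

    def terminate_all_sessions(self):
        """The step that invalidates tokens already in an attacker's hands."""
        self.sessions.clear()


def leaked_token_scenario():
    """Returns the status codes the attacker gets with the stolen token:
    before the patch, after patch only, and after sessions are terminated."""
    gw = Gateway()
    gw.login("alice", "correct horse battery staple", "123456", now=1)

    stolen = gw.leak_memory()        # attacker never sees a password or OTP
    before_patch = gw.request(stolen)

    gw.patch()                       # leak closed, old token still honoured
    after_patch_only = gw.request(stolen)

    gw.terminate_all_sessions()      # token now rejected
    after_kill = gw.request(stolen)

    assert gw.leak_memory() is None  # a fresh leak attempt yields nothing
    return before_patch, after_patch_only, after_kill


if __name__ == "__main__":
    print(leaked_token_scenario())  # (200, 200, 401)
```

The middle value is the practitioner's caveat: updating the appliance closes the leak but does nothing to tokens an attacker has already harvested, which stay valid until the sessions themselves are terminated. Patching and session termination belong in the same change window.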

The original Citrix Bleed bug caused alarm among defenders because of how many hospitals and critical infrastructure organizations use NetScaler ADC and NetScaler Gateway.

Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerabilities catalog. In January, CISA gave a five-day deadline for a firewall vulnerability that was being used in cyberattacks; Thursday’s one-day deadline appears to be the shortest the agency has ever issued.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.