ReliaQuest has observed threat actors exploiting the recently disclosed critical Citrix NetScaler Gateway vulnerability, tracked as CVE-2025-5777, to gain initial access to systems, according to Cybersecurity Dive.
The flaw stems from a memory overread caused by inadequate input validation; exploiting it could allow session token extraction and user impersonation, which in turn could lead to multi-factor authentication bypass and session takeover, said ReliaQuest Director of Threat Research Brandon Tirado, who noted that the intrusions could have been conducted by ransomware or nation-state actors. The issue has been compared with the CitrixBleed bug, tracked as CVE-2023-4966, which was exploited in intrusions against Comcast's broadband unit Xfinity and Boeing. However, evidence connecting CVE-2025-5777 to CitrixBleed has been lacking, noted Cloud Software Group, which remediated the issue while also noting active exploitation of another zero-day vulnerability, tracked as CVE-2025-6543.