
Citrix patches critical 0-day amid ‘CitrixBleed 2’ concerns


June 25, 2025



Citrix recently patched two critical vulnerabilities, including an exploited zero-day and a flaw some are calling “CitrixBleed 2.” Both flaws affect Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway when configured as a Gateway or Authentication, Authorization, and Accounting (AAA) virtual server.

The first, disclosed June 17 and tracked as CVE-2025-5777, has a CVSS score of 9.3 and involves insufficient input validation leading to memory overreads, according to Citrix. There are currently no reports of this vulnerability being exploited in the wild.

However, CVE-2025-5777 could potentially lead to the leaking of sensitive information, including session tokens, which can be reused to hijack accounts and bypass multi-factor authentication, security researcher Kevin Beaumont noted in a blog post comparing the flaw to CVE-2023-4966, also known as CitrixBleed.

CitrixBleed, a buffer overflow flaw leading to sensitive information disclosure, was leveraged in several high-profile attacks following its disclosure in 2023, including attacks by the LockBit ransomware gang and an Xfinity breach affecting more than 35 million customers.

“CVE-2025-5777 is shaping up to be every bit as serious as CitrixBleed,” watchTowr CEO Benjamin Harris said in an email to SC Media. “The details surrounding CVE-2025-5777 have quietly shifted since its initial disclosure, with fairly important pre-requisites or limitations being removed from the NVD CVE description.”

Both Harris and Beaumont pointed out that the flaw was initially believed to only affect the NetScaler Management Interface, which is typically not exposed to the internet. However, the vulnerability description was changed on Monday to indicate the flaw affects any instance configured as a Gateway or AAA virtual server, which Beaumont said is “an extremely common setup in large organizations.”

A second flaw, tracked as CVE-2025-6543, was disclosed Wednesday and noted by Citrix to have already been exploited. This vulnerability has a CVSS score of 9.2 and is described as a memory overflow vulnerability leading to unintended control flow and denial of service.

“Affected organizations need to not just apply the patch but also now determine if they have been affected by exploitation that has already occurred,” Harris told SC Media.

SC Media reached out to Citrix for more information about CVE-2025-6543 and its exploitation and did not receive a response before deadline.

CVE-2025-5777 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-43.56 and 13.1 before 13.1-58.32, as well as NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, and 12.1-FIPS before 12.1-55.328-FIPS.

CVE-2025-6543 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46 and 13.1 before 13.1-59.19, as well as NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

Customers are urged to patch as soon as possible, and should also terminate all active sessions after updating using the commands “kill icaconnection -all” and “kill pcoipConnection -all.”

Mandiant Chief Technology Officer Charles Carmakal noted in a LinkedIn post that many organizations failed to terminate sessions after patching CitrixBleed, leading to compromises via session tokens that were stolen before the patch was applied.
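As an added example (not Citrix's tooling or anything from the article), the following Python helper turns the affected-version list above into a check a defender can run against an inventory of NetScaler version strings. It assumes versions are written as `<branch>-<build>[-FIPS|-NDcPP]` (e.g. `14.1-43.56`, `13.1-37.235-FIPS`) and, following the advisory wording, treats NDcPP builds as sharing the FIPS fix numbers; branches the article does not list return `None` rather than a verdict.

```python
import re

# Fixed builds exactly as listed in the article, keyed by (branch, variant).
# variant "" = standard build; "FIPS" covers the 13.1-FIPS/NDcPP and 12.1-FIPS lines.
FIXED_BUILDS = {
    "CVE-2025-5777": {
        ("14.1", ""): (43, 56),
        ("13.1", ""): (58, 32),
        ("13.1", "FIPS"): (37, 235),
        ("12.1", "FIPS"): (55, 328),
    },
    "CVE-2025-6543": {
        ("14.1", ""): (47, 46),
        ("13.1", ""): (59, 19),
        ("13.1", "FIPS"): (37, 236),
    },
}

# Assumed input format: optional "NS" prefix, branch, "-", build "major.minor",
# optional "-FIPS" / "-NDcPP" suffix. Anything else is rejected rather than guessed.
VERSION_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE
)


def parse_version(version: str):
    """Return (branch, (build_major, build_minor), variant) for a version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, major, minor, variant = m.groups()
    # NDcPP builds carry the same fixed build numbers as FIPS in the advisory text.
    variant = "FIPS" if variant else ""
    return branch, (int(major), int(minor)), variant


def vulnerable_to(version: str, cve: str):
    """True if the build predates the fix, False if fixed, None if the branch
    is not covered by the article's version list."""
    branch, build, variant = parse_version(version)
    fixed = FIXED_BUILDS[cve].get((branch, variant))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (43, 56) < (47, 46) is True


def assess(version: str) -> dict:
    """Verdict for every CVE the article lists, for one appliance version."""
    return {cve: vulnerable_to(version, cve) for cve in FIXED_BUILDS}
```

A build that is fixed for CVE-2025-5777 can still be affected by CVE-2025-6543 (the later fix carries a higher build number), which is why `assess` reports both separately.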


