Eleven days, 11.5 million tries: the leak that walked past MFA
Summary
- CitrixBleed 2 (CVE-2025-5777) leaked session tokens from NetScaler memory, letting attackers replay a session and bypass MFA after the user had already passed it.
- Exploitation began ~11 days before a public proof-of-concept; Imperva observed 11.5M+ exploitation attempts and 100+ organizations were compromised.
- What an external scan would have shown: an exposed NetScaler gateway and its build number — and whether the appliance is end-of-life.
Multi-factor authentication is supposed to be the backstop. Even if a password leaks, the second factor holds the line. CitrixBleed 2 is the story of a bug that made the backstop irrelevant — not by defeating MFA, but by stealing the session after the user had already passed it.
A leak, not a break-in
On 17 June 2025, Citrix disclosed CVE-2025-5777 in NetScaler ADC and Gateway. The flaw is an out-of-bounds memory read: when the device is configured as a Gateway or AAA virtual server, a malformed request makes a backend parser hand back a chunk of uninitialized memory it should never have exposed. Sift through enough of those chunks and you find session tokens — the credentials a user receives after logging in and completing MFA. Replay a stolen token and you are that user, second factor and all. Researchers immediately recognized the shape: it is the same class of bug as the original 2023 CitrixBleed (CVE-2023-4966) that fueled a wave of ransomware, which is why this one was christened CitrixBleed 2.
The severity scores capture how the industry argues about these things: Citrix rated it 9.3 on CVSS v4.0, while NIST’s v3.1 score came in at 7.5. The attackers did not wait for the committee to settle it.
The eleven-day head start
This is the detail that should change how you think about exposed devices. GreyNoise observed exploitation in the wild beginning 23 June 2025 — roughly eleven days before a public proof-of-concept existed (watchTowr published on 4 July, Horizon3.ai on 7 July). CISA added the bug to its Known Exploited Vulnerabilities catalog on 10 July.
In other words, attackers were already draining session tokens from real appliances while the rest of the world was still waiting for the exploit to be “real.” Imperva later reported observing more than 11.5 million exploitation attempts, with around 40% aimed at financial services. The security researcher Kevin Beaumont, who named the bug, documented at least 100 compromised organizations across education, finance, government, legal, and telecom. As of mid-July, Shadowserver still counted thousands of unpatched instances; Censys put the total population of internet-exposed NetScaler systems near 70,000.
The pattern nobody wants to see
CitrixBleed 2 was not an outlier in 2025. It was a genre. The same year delivered:
- Cisco ASA/FTD “ArcaneDoor” (CVE-2025-20333 and CVE-2025-20362), serious enough that CISA issued an emergency directive in September 2025 with a roughly 24-hour deadline; Shadowserver counted around 48,000 exposed, vulnerable firewalls, some on end-of-life hardware where attackers modified ROM to survive reboots and firmware upgrades.
- Ivanti Connect Secure (CVE-2025-0282), exploited as a zero-day from December 2024 — and then a sequel (CVE-2025-22457) built by reverse-engineering Ivanti’s own patch. The UK domain registry Nominet was among the named victims.
- Cleo managed file transfer (CVE-2024-50623 and CVE-2024-55956), the engine of a Clop extortion wave that named hundreds of companies, with Hertz alone notifying on the order of a million people.
Four different vendors, one shared DNA: an internet-facing management or VPN or file-transfer interface, fingerprinted at scale, hit before most defenders had finished reading the advisory.
What the outside view would have shown
None of these campaigns required clever reconnaissance. Attackers enumerated the exact surfaces a defender can see for free. From the outside, a non-intrusive scan can flag the preconditions without ever sending an exploit:
- The exposed interface itself. NetScaler Gateway portals, Cisco’s clientless WebVPN, Ivanti’s /dana-na/login, Cleo’s file-transfer service — each is identifiable by its login page, default paths, HTTP responses, and TLS certificate. A management interface that faces the public internet is a finding before any CVE is attached to it.
- The version. Many of these appliances leak a build number in their responses, cookies, or error pages. Parsing it tells you whether a box is running a known-vulnerable release.
- The lifecycle. The hardest-hit devices were repeatedly end-of-life — legacy Cisco ASA hardware, EOL NetScaler 12.1 and 13.0. An exposed appliance that the vendor no longer supports is a critical finding on its own, because no patch is coming.
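As an added example (not code from the original article, and not zmam.ai's product), here is a Python sketch of the three checks above run over constructed probe results: fingerprint the exposed interface, parse a build number out of what the device already sends back, and flag end-of-life trains or builds below the patched one. The signature marker strings, the `train-build` version format and the `PLACEHOLDER_FIXED_BUILDS` table are assumptions or placeholders to be replaced from your own appliances and the vendor advisory; the only path taken from the article is Ivanti's /dana-na/login, and the end-of-life trains are the NetScaler 12.1 and 13.0 releases the article names.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Observation:
    """What a non-intrusive probe records about one exposed host: response
    headers, a slice of the login-page body, the TLS certificate subject and
    the paths that answered. No exploit traffic is involved."""
    host: str
    headers: dict
    body: str = ""
    tls_subject: str = ""
    paths_seen: list = field(default_factory=list)


# Hypothetical fingerprint signatures (an assumption, not vendor documentation).
# Each entry lists markers of the kind the article describes: login-page text,
# default paths, header or certificate values. The Ivanti path is the one the
# article names; the other markers are illustrative and should be tuned against
# responses from your own appliances.
SIGNATURES = {
    "NetScaler Gateway": {"text": ["NetScaler Gateway", "Citrix Gateway"], "paths": []},
    "Cisco ASA WebVPN": {"text": ["WebVPN"], "paths": []},
    "Ivanti Connect Secure": {"text": [], "paths": ["/dana-na/login"]},
}

# Release trains the article reports as end-of-life for NetScaler.
EOL_TRAINS = {"NetScaler Gateway": {"12.1", "13.0"}}

# Build strings of the form "<train>-<build>", e.g. "13.1-58.32". The format is
# a constructed assumption for the demo; real responses vary.
BUILD_RE = re.compile(r"\b(\d{1,2}\.\d)-(\d{1,3}\.\d{1,3})\b")


def fingerprint(obs):
    """Return the product whose markers appear in the observation, or None."""
    haystack = " ".join([obs.body, *obs.headers.values(), obs.tls_subject])
    for product, sig in SIGNATURES.items():
        if any(marker in haystack for marker in sig["text"]):
            return product
        if any(path in obs.paths_seen for path in sig["paths"]):
            return product
    return None


def parse_build(obs):
    """Extract (train, build_tuple) from headers or body, e.g. ("13.1", (58, 32))."""
    for text in [*obs.headers.values(), obs.body]:
        m = BUILD_RE.search(text)
        if m:
            return m.group(1), tuple(int(x) for x in m.group(2).split("."))
    return None


def assess(obs, fixed_builds):
    """Turn one observation into (severity, message) findings. fixed_builds maps
    a release train to the minimum patched build for the CVE being tracked; fill
    it from the vendor advisory (placeholders are used below)."""
    findings = []
    product = fingerprint(obs)
    if product is None:
        return findings
    findings.append(("high", f"{product} interface exposed to the internet"))
    version = parse_build(obs)
    if version is None:
        findings.append(("medium", "build not determinable from responses; verify on the appliance"))
        return findings
    train, build = version
    build_str = f"{train}-{'.'.join(map(str, build))}"
    if train in EOL_TRAINS.get(product, set()):
        findings.append(("critical", f"release train {train} is end-of-life; no patch is coming"))
    elif train not in fixed_builds:
        findings.append(("medium", f"train {train} not in the fixed-build table; check the advisory"))
    elif build < fixed_builds[train]:
        findings.append(("critical", f"build {build_str} predates the fixed build for {train}"))
    else:
        findings.append(("info", f"build {build_str} is at or above the fixed build"))
    return findings


def summarize(observations, fixed_builds):
    """Map each host to its findings so the result can be triaged or exported."""
    return {obs.host: assess(obs, fixed_builds) for obs in observations}


# Constructed sample observations; the hosts, headers and build numbers are made up.
SAMPLE_HOSTS = [
    Observation("gw-1.example.test", {"Server": "placeholder/13.0-58.10"},
                body="<title>NetScaler Gateway</title>"),
    Observation("gw-2.example.test", {}, body="<title>Citrix Gateway</title> build 14.1-10.5"),
    Observation("vpn.example.test", {}, paths_seen=["/dana-na/login"]),
    Observation("www.example.test", {"Server": "nginx"}, body="<h1>Hello</h1>"),
]
# Placeholder minimum patched builds per train; replace from the vendor advisory.
PLACEHOLDER_FIXED_BUILDS = {"14.1": (20, 0), "13.1": (30, 0)}

if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_HOSTS, PLACEHOLDER_FIXED_BUILDS).items():
        for severity, message in findings:
            print(f"{host:22} {severity:8} {message}")
```

The ordering of the checks is the point: an end-of-life train is reported as critical before any build comparison, because a build number below the fix on an unsupported release will never move above it, and a device whose build cannot be read from the outside still gets a finding rather than silently passing.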
The uncomfortable lesson of 2025 is that “we’ll patch when the exploit is public” is a losing strategy when exploitation precedes the public exploit by eleven days. Knowing what you have exposed — and how old it is — is the part you control. That is exactly what an external attack-surface review, like the one zmam.ai is built toward, is for. See What is External Attack Surface Management? for the bigger picture.
Sources
- NIST NVD, CVE-2025-5777: https://nvd.nist.gov/vuln/detail/CVE-2025-5777
- GreyNoise, “Exploitation of CitrixBleed 2 before public PoC”: https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc
- SecurityWeek, “CitrixBleed 2: 100 organizations hacked, thousands of instances still vulnerable”: https://www.securityweek.com/citrixbleed-2-100-organizations-hacked-thousands-of-instances-still-vulnerable/
- Imperva, “CVE-2025-5777 exposes Citrix NetScaler to dangerous memory leak attacks”: https://www.imperva.com/blog/cve-2025-5777-exposes-citrix-netscaler-to-dangerous-memory-leak-attacks/
- CISA Emergency Directive ED 25-03 (Cisco ASA/FTD): https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices
- Rapid7, “CVE-2025-0282 Ivanti Connect Secure zero-day exploited in the wild”: https://www.rapid7.com/blog/post/2025/01/08/etr-cve-2025-0282-ivanti-connect-secure-zero-day-exploited-in-the-wild/