Patch now: Citrix Bleed 2 vulnerability actively exploited in the wild

Well-known British cybersecurity researcher and threat analyst Kevin Beaumont colorfully compared the flaw to “Kanye West returning to Twitter”: the same old chaos, only louder.

Citrix released patches on June 17 for versions 14.1, 13.1, and equivalent FIPS/NDcPP builds. Versions 12.1 and 13.0 are EOL, and an upgrade is mandatory.

Indications of real-world exploitation

ReliaQuest researchers said that, in multiple incidents, attackers were seen hijacking active Citrix web sessions and bypassing multi-factor authentication (MFA) without requiring user credentials. The research also highlighted “session reuse across multiple IPs, including combinations of expected and suspicious IPs.”
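The “session reuse across multiple IPs” indicator above can be checked with a small log-correlation script. The following is an added example, not ReliaQuest’s or Citrix’s tooling; it runs over constructed sample lines in a hypothetical `sid=… src=… user=…` format (real NetScaler logs differ) and assumes a 10.0.0.0/8 range as the organisation’s expected source addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample lines in a hypothetical "sid=… src=… user=…" format; these are
# not real NetScaler logs, and the field names are assumptions for this example.
SAMPLE_LOG = """\
2025-06-20T08:01:12Z sid=a1b2c3 src=10.0.5.21 user=alice
2025-06-20T08:03:40Z sid=a1b2c3 src=10.0.5.21 user=alice
2025-06-20T08:05:02Z sid=a1b2c3 src=203.0.113.77 user=alice
2025-06-20T08:06:15Z sid=d4e5f6 src=10.0.7.3 user=bob
2025-06-20T08:11:48Z sid=778899 src=10.0.9.12 user=carol
2025-06-20T08:12:05Z sid=778899 src=10.0.9.44 user=carol
"""

# Ranges the organisation expects its users to connect from (assumption for the example).
EXPECTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Turn one log line into {"ts": ..., "sid": ..., "src": ..., "user": ...}."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    fields["ts"] = ts
    return fields


def is_expected(ip):
    """True when the source address lies inside one of the expected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)


def find_session_reuse(log_text):
    """Map each session id seen from more than one source IP to its IPs and a flag
    saying whether any of them is outside the expected ranges (the expected-plus-
    suspicious combination ReliaQuest described). Single-IP sessions are omitted."""
    ips_by_session = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            fields = parse_line(line)
            ips_by_session[fields["sid"]].add(fields["src"])
    findings = {}
    for sid, ips in ips_by_session.items():
        if len(ips) > 1:
            findings[sid] = {"ips": sorted(ips),
                             "has_unexpected_ip": any(not is_expected(ip) for ip in ips)}
    return findings


if __name__ == "__main__":
    for sid, info in find_session_reuse(SAMPLE_LOG).items():
        print(sid, info)
```

Sessions flagged with `has_unexpected_ip` are the ones worth pulling first; a session that moves only between internal addresses may be a legitimate network change and needs context before escalation.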

In compromised environments, attackers proceeded with post-authentication reconnaissance, issuing Lightweight Directory Access Protocol (LDAP) queries and running tools like ADExplorer64.exe to map out Active Directory structures.