It turned out that the Citrixbled 2 deficit was used in targeted attacks before being announced to the public.

The critical security vulnerability called "Citrixbleed 2", which affects Citrix Netscaler products, was found to be targeted by cyber attackers before sharing public abuse codes.

Cyber Security Firm Greynoise announced on 23 June 2025 that HoneyPot systems perceived the attacks on which this deficit was targeted.

Greynoise reported that it was a special label to follow the gap on July 7, and thanks to this label, the attack attempts on past data have become visible.

Citrix remained silent
According to verification with the abuse codes provided by Greynoise, the attacks were directly targeted by the Citrixbled 2 deficit.

On July 15, Citrix released a new blog post on how to detect the symptoms of security in Netscaler systems.

Technical details of the deficit
The Citrixbleed 2 is defined as a memory excess deficit due to insufficient input verification during the login operations in Netscaler systems.

Kevin Beaumont, "/Douthentication.do" on the way to repeated post requests and "Content-Length: 5" requests that may be symptoms of abuse, he said.

Citrix's suggestions were insufficient
Citrix suggested that ICA and PCOIP sessions be terminated with Kill commands to terminate the abused sessions.

DETERMINATION AND SPRING STATUS
According to Beaumont, the deficit was used as of June 20 and became widespread in the following days.

On the other hand, according to the statement made by IMPERVA, the products detected over 11.5 million abuse attempts.

Citrix has released security patches for Netscaler ADC and Gateway and announced that users should urgently pass to supported versions.

Kaynak: CUMHA - CUMHUR HABER AJANSI