CitrixBleed 2: A new alert highlighting the limits of classic access architectures
The discovery of CVE-2025-5777, dubbed CitrixBleed 2, highlights the systemic flaws inherent in traditional remote access architectures. This critical vulnerability, affecting Citrix NetScaler ADC and NetScaler Gateway, lets an unauthenticated attacker read memory from the appliance, including active session tokens. Replaying a stolen token hijacks a session that has already passed authentication, which is how the flaw bypasses multi-factor authentication without ever defeating it. Despite Citrix releasing patches, signs of active exploitation have been detected, underscoring the urgent need to rethink remote access security approaches.
This isn't the first time Citrix has been at the center of such an incident, and it's no coincidence. Most remote access solutions—Citrix Gateway, RDP, VPNs—still rely on principles designed for enterprise networks of the 2000s. This leads to well-known points of failure:
- Exposed Ports: Services like RDP, VNC or a gateway's authentication endpoint require open ports, detectable within minutes via automated scans. This is the ideal entry point for brute-force attacks or exploitation of unpatched flaws.
- Persistent Sessions: A patch closes the bug, but it does not invalidate the sessions that were already established, so tokens leaked before the patch keep working until administrators explicitly terminate them. This is why Citrix's advisory for CitrixBleed 2 tells administrators to terminate all active ICA and PCoIP sessions after upgrading, and why organizations that only patched were still compromised.
- Implicit Trust: Once connected via VPN, a user often gains broad network access, a nightmare from a least-privilege perspective. A single stolen token is enough to move laterally across the network.
The result: every vulnerability becomes a race against time, and too often, the attacker wins.
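The second point above is the one that caught organizations out during both CitrixBleed incidents, and it is easy to see in code. The following is an added illustration, not code from this page, from Citrix or from Reemo: a deliberately simplified gateway model (the `Gateway` class, `leak_memory` and `apply_patch` are hypothetical stand-ins, not the real appliance logic) in which a bearer session token is accepted as-is. The "patch" removes the memory-read primitive but leaves the session table untouched; only explicit revocation of sessions that predate the patch ends the attacker's access.

```python
"""Why patching alone does not end a CitrixBleed-style incident.

Added illustration: a minimal session store modelling a gateway that issues
bearer session tokens. A token read out of memory before the patch is a
normal, valid token; the patch closes the read primitive but does nothing to
the token itself. Only revoking sessions issued before the patch ends access.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    user: str
    issued_at: float
    mfa_verified: bool = True  # the legitimate user already passed MFA at login


@dataclass
class Gateway:
    """Hypothetical model of a remote-access gateway, not a real appliance."""
    patched: bool = False
    sessions: Dict[str, Session] = field(default_factory=dict)

    def login(self, user: str, now: float) -> str:
        """Issue a random bearer token after (simulated) password + MFA."""
        token = secrets.token_hex(16)
        self.sessions[token] = Session(user, now)
        return token

    def authorize(self, token: str) -> Optional[str]:
        """A bearer token is accepted as-is: no re-authentication, no MFA prompt."""
        s = self.sessions.get(token)
        return s.user if s else None

    def leak_memory(self) -> List[str]:
        """Stand-in for the pre-patch memory overread: returns the tokens in memory.
        This models the *effect* of the bug only; it is not the real defect."""
        if self.patched:
            return []
        return list(self.sessions)

    def apply_patch(self) -> None:
        """Close the read primitive. Note: self.sessions is left untouched."""
        self.patched = True

    def revoke_sessions_before(self, cutoff: float) -> int:
        """Terminate every session issued before the patch time; returns the count."""
        stale = [t for t, s in self.sessions.items() if s.issued_at < cutoff]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def incident_timeline() -> dict:
    """Walk through: login -> leak -> patch -> replay -> revoke -> replay."""
    gw = Gateway()
    t0 = 1_000.0
    victim_token = gw.login("alice", t0)      # alice authenticates with MFA
    stolen = gw.leak_memory()                 # attacker reads tokens before the patch
    t1 = t0 + 3600
    gw.apply_patch()                          # vendor patch installed at t1
    after_patch = gw.authorize(stolen[0])     # still "alice", and no MFA prompt
    revoked = gw.revoke_sessions_before(t1)   # the step patching alone omits
    after_revoke = gw.authorize(stolen[0])
    return {
        "token_leaked": stolen[0] == victim_token,
        "valid_after_patch": after_patch == "alice",
        "revoked": revoked,
        "valid_after_revoke": after_revoke is not None,
    }


if __name__ == "__main__":
    print(incident_timeline())
```

The same lesson applies to any bearer-token gateway, not just NetScaler: a remediation checklist that stops at "patch applied" leaves every token leaked before the patch fully usable. Revocation of pre-patch sessions, followed by a review of sessions re-established from unexpected source addresses, belongs in the checklist.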
Proactive measures vs. post-incident reaction
More modern architectures offer a different approach. Instead of patching breaches after the fact, they aim to reduce the attack surface from the outset.
This is the case with solutions like Reemo, which natively integrate Zero Trust Network Access (ZTNA) principles without requiring a complete overhaul of the existing IT infrastructure. This model is built on several technical pillars designed to block CitrixBleed-like scenarios before they even become exploitable:
- Outbound Connection Only: The Reemo agent initiates the connection. Nothing listens for inbound traffic, so there is no port for a scanner to find and no exposed authentication endpoint to attack. This single architectural choice removes an entire class of entry points.
- Access Isolation: Each session can be launched in a dedicated, disposable, and isolated container that is torn down when the session ends. No persistence, no exploitable residue for an attacker to pivot from.
- Protocol Break: The client never speaks RDP, VNC, or SSH to the target across the network boundary; those protocols are terminated behind the outbound-only agent. The services themselves are therefore unreachable from the outside, and attacks that depend on reaching them directly are cut off.
- Granular Administration: Access rights are defined per session, user, machine, or application, and crucially, are time-limited. Access that isn't explicitly authorized simply doesn't exist, so a stolen session is worth only what that one grant allows, and only until it expires.
- Non-Invasive Integration: There's no need to dismantle existing systems to secure access. This approach complements existing IT systems and cloud environments.
The impact of a proactive stance
While traditional infrastructures hope that patches arrive before attackers do, an approach like Reemo's mechanically reduces the possibilities for exploitation. Patches are still applied, but the window between disclosure and remediation no longer decides the outcome, which means fewer emergency patch cycles, fewer post-incident interventions, and lower remediation costs.
In other words: security isn't about urgent fixes; it's about preventing the urgency from happening in the first place.
A vulnerability, broader questions
CitrixBleed 2 is more than just another CVE in a database. It's a stark reminder that threats evolve faster than infrastructures. As long as we continue to build access security on outdated models, we will remain vulnerable by design.
It's no longer just about patching; it's about rethinking.