Proof-of-Concept for CitrixBleed2 Leak Released — 127 Bytes of Data Exfiltration Possible Per Request

On June 17, 2025, Citrix disclosed CVE-2025-5777, a critical memory leak vulnerability dubbed “CitrixBleed 2.”

This flaw affects NetScaler ADC and NetScaler Gateway devices configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers. Impacted versions include:

  • NetScaler ADC and Gateway 14.1 prior to 14.1-43.56
  • NetScaler ADC and Gateway 13.1 prior to 13.1-58.32
  • NetScaler ADC 13.1-FIPS/NDcPP prior to 13.1-37.235
  • NetScaler ADC 12.1-FIPS prior to 12.1-55.328

The vulnerability is a pre-authentication memory disclosure issue, reminiscent of the infamous CitrixBleed (CVE-2023-4966), and carries a CVSS score of 9.3, reflecting its severity.

While Citrix initially claimed no evidence of exploitation, independent security firms have reported active abuse in the wild.

Exploiting the Memory Leak

CVE-2025-5777 arises from insufficient input validation in the HTTP POST handler for authentication endpoints.

When an attacker submits a malformed login request—specifically, omitting the value or equals sign in the login parameter—the backend C code fails to initialize the corresponding variable.

As a result, the server responds with up to 127 bytes of uninitialized stack memory within an XML tag such as <InitialValue>, potentially leaking session tokens or credentials.

Example Exploit Request:

POST /p/u/doAuthentication.do HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded
Content-Length: 13

login&passwd=

This malformed request triggers the leak, as the backend code (using snprintf with %.*s) copies whatever is present in memory into the response.

Attackers can automate repeated requests to harvest sensitive data, including administrator session tokens (nsroot), which can be replayed to hijack sessions and bypass multi-factor authentication.

Detection, Indicators of Compromise, and Mitigation

Indicators of Compromise (IoCs):

  • Log entries with non-printable characters or unexpected data in authentication logs (ns.log)
  • Multiple active sessions for a single user from different IP addresses
  • Session tokens reused across suspicious or geographically diverse IPs
  • Evidence of session hijacking or unauthorized Active Directory reconnaissance

Sample Log Entry:

Jul  7 08:04:33 <local0.info> TARGET_GATEWAY_IP ... User test_user - Client_ip USER_IP_1 ...
Jul  7 08:04:40 <local0.info> TARGET_GATEWAY_IP ... User test_user - Client_ip USER_IP_2 ...
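
The following is an added example, not code from the original article or from Citrix. It checks ns.log-style lines for the first two indicators listed above: non-printable characters, and one user appearing from more than one client IP within a short window. The sample lines are constructed in the shape of the entry shown here with documentation-range IPs; the 5-minute window and the year (syslog timestamps carry none) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real log data); fields behind "..." are elided as in the article.
SAMPLE_LOG = [
    "Jul  7 08:04:33 <local0.info> 192.0.2.10 ... User test_user - Client_ip 198.51.100.7 ...",
    "Jul  7 08:04:40 <local0.info> 192.0.2.10 ... User test_user - Client_ip 203.0.113.50 ...",
    "Jul  7 08:05:02 <local0.info> 192.0.2.10 ... User alice - Client_ip 198.51.100.9 ...",
    "Jul  7 09:30:00 <local0.info> 192.0.2.10 ... User alice - Client_ip 198.51.100.9 ...",
    "Jul  7 09:31:12 <local0.info> 192.0.2.10 ... User \x8f\x02k\x1e - Client_ip 198.51.100.23 ...",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?User (?P<user>.+?) - Client_ip (?P<ip>\S+)"
)
NON_PRINTABLE = re.compile(r"[^\x20-\x7e\t]")  # anything outside printable ASCII and tab

def parse(line, year=2025):
    """Return (timestamp, user, client_ip), or None if the line has another shape."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def non_printable_lines(lines):
    """Indexes of lines that contain non-printable characters."""
    return [i for i, line in enumerate(lines) if NON_PRINTABLE.search(line)]

def multi_ip_users(lines, window=timedelta(minutes=5)):
    """Map user -> sorted client IPs when 2+ distinct IPs occur within `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for user, seen in events.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            # Distinct IPs seen from this event up to `window` later.
            ips = {ip for t, ip in seen[i:] if t - t0 <= window}
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged
```

Hits are leads for session review, not proof of hijacking: a client moving between networks produces the same multi-IP pattern.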

Mitigation Steps:

  • Immediately patch all affected NetScaler ADC and Gateway devices to the latest versions
  • Terminate all existing ICA and PCoIP sessions post-patch to invalidate potentially compromised tokens
  • Audit active sessions via WebUI or CLI (show sessions)
  • Regularly diff running configurations against known-good backups to detect unauthorized changes

CVE-2025-5777 represents a severe risk to organizations relying on Citrix NetScaler for remote access. The ease of exploitation and potential for credential theft and session hijacking make rapid patching and vigilant monitoring essential for defenders.

The post Proof-of-Concept for CitrixBleed2 Leak Released — 127 Bytes of Data Exfiltration Possible Per Request appeared first on Cyber Security News.
