Researchers have observed widespread exploitation attempts targeting a critical memory disclosure vulnerability in Citrix NetScaler appliances, tracked as CVE-2025-5777 and dubbed "CitrixBleed 2."
This pre-authentication flaw lets attackers craft malicious requests that leak uninitialized memory from affected NetScaler ADC and Gateway appliances, potentially exposing sensitive data such as session tokens, passwords, and configuration values.
The vulnerability has prompted immediate security responses from organizations worldwide, with over 200,000 scanning attempts detected within days of the proof-of-concept disclosure.
Key Takeaways
1. CVE-2025-5777 affects Citrix NetScaler appliances, allowing unauthenticated attackers to leak sensitive memory contents, including session tokens and passwords.
2. Over 200,000 scanning attempts have been detected against vulnerable endpoints, indicating widespread threat actor activity.
3. Attackers send crafted requests with large User-Agent headers to trigger repeated memory leaks from the same target.
4. Organizations must patch affected NetScaler versions immediately and enable Akamai's protective rules, because a public exploit is available.
CitrixBleed 2 Vulnerability (CVE-2025-5777)
The CitrixBleed 2 vulnerability stems from improper memory handling in the authentication function of Citrix NetScaler appliances.
The flaw combines an uninitialized login variable with insufficient input validation and missing error handling in the authentication logic.
Because the underlying code is written in C/C++, which does not automatically initialize local variables, the uninitialized value carries whatever the stack held from earlier operations, and that leftover data is returned to the attacker.
The vulnerability affects multiple NetScaler releases: NetScaler ADC and Gateway 14.1 before 14.1-43.56, NetScaler ADC and Gateway 13.1 before 13.1-58.32, NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235, and NetScaler ADC 12.1-FIPS before 12.1-55.328.
The attack targets the URL path /p/u/doAuthentication.do and requires no authentication, which makes it especially accessible to threat actors. The endpoint is reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which covers most internet-facing deployments.
Attackers exploit this vulnerability through a systematic approach of reconnaissance, enumeration, and repeated exploitation attempts.
The attack begins with scanning for exposed NetScaler instances, followed by version fingerprinting to identify vulnerable targets.
The exploit itself sends crafted POST requests to the /p/u/doAuthentication.do endpoint with an unusually large User-Agent header containing recognizable patterns.
The technique earned the "CitrixBleed" moniker because attackers can trigger the leak repeatedly by resending identical payloads, with each attempt exposing a fresh chunk of stack memory.
The oversized User-Agent header plants distinctive markers such as "THR-WAF-RESEARCH" on the stack; when those markers later come back inside XML tags in the HTTP response, they confirm that memory is being disclosed, and the surrounding bytes are what reveal sensitive information.
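The request pattern described above (a POST to /p/u/doAuthentication.do carrying an oversized or marker-bearing User-Agent, repeated from the same source) is straightforward to hunt for in access logs. The script below is an added example written for this page, not code from the article or from Akamai. It assumes a combined-style access log with the User-Agent as the last quoted field, and the 512-byte User-Agent threshold and three-request repeat threshold are assumptions to tune against your own traffic; the sample log lines are constructed for the demo and use RFC 5737 test addresses.

```python
import re
from collections import Counter

ENDPOINT = "/p/u/doAuthentication.do"  # endpoint named in the article
MARKER = "THR-WAF-RESEARCH"             # marker string named in the article
UA_LIMIT = 512     # assumed: longer than any real browser sends; tune to your traffic
REPEAT_LIMIT = 3   # assumed: this many POSTs to the endpoint from one source counts as probing

# Combined-style access log with the User-Agent as the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_target_post(rec):
    return rec["method"] == "POST" and rec["path"].split("?", 1)[0] == ENDPOINT

def classify(rec):
    """Reasons one request matches the probing pattern; empty list if it does not."""
    reasons = []
    if not is_target_post(rec):
        return reasons
    ua = rec["ua"]
    if len(ua) > UA_LIMIT:
        reasons.append(f"oversized User-Agent ({len(ua)} bytes)")
    if MARKER in ua:
        reasons.append(f"known marker {MARKER!r} in User-Agent")
    return reasons

def scan(lines):
    """Return (per-request findings, sources that hammered the endpoint)."""
    findings = []
    posts_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log line; skip noise rather than crash
        if is_target_post(rec):
            posts_per_ip[rec["ip"]] += 1
        reasons = classify(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "reasons": reasons})
    repeat_sources = {ip for ip, n in posts_per_ip.items() if n >= REPEAT_LIMIT}
    return findings, repeat_sources

# Constructed sample log (RFC 5737 test addresses), not real traffic.
def _line(ip, ts, method, path, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.7", "08/Jul/2025:10:01:02 +0000", "GET", "/vpn/index.html", "Mozilla/5.0"),
    _line("203.0.113.7", "08/Jul/2025:10:01:03 +0000", "POST", ENDPOINT, "A" * 2000),
    _line("198.51.100.9", "08/Jul/2025:10:02:00 +0000", "POST", ENDPOINT, MARKER + "-" + "B" * 300),
    _line("198.51.100.9", "08/Jul/2025:10:02:01 +0000", "POST", ENDPOINT, "Mozilla/5.0"),
    _line("198.51.100.9", "08/Jul/2025:10:02:02 +0000", "POST", ENDPOINT, "Mozilla/5.0"),
    _line("192.0.2.44", "08/Jul/2025:10:05:00 +0000", "POST", ENDPOINT, "Mozilla/5.0 (Windows NT 10.0)"),
    "not an access log line",
]

if __name__ == "__main__":
    hits, repeaters = scan(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], "; ".join(h["reasons"]))
    print("repeat sources:", sorted(repeaters))
```

The per-request check catches the two signals the article names (header size and the marker string); the per-source counter catches a scanner that uses a normal-looking User-Agent but keeps hitting the endpoint, which is the "repeat the same payload" behaviour that gave the bug its name. A legitimate single login to the same endpoint produces no finding.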
Risk Factors
Affected Products:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS
Impact: Memory disclosure of uninitialized stack memory
Exploit Prerequisites:
- No authentication required (pre-authentication flaw)
- Network access to the target NetScaler appliance
- Ability to send HTTP POST requests
- Target endpoint: /p/u/doAuthentication.do
- No prior conditions or special privileges needed
CVSS 3.1 Score: 7.5 (High)
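Checking a fleet against the affected-version list above is error-prone by eye because the build and revision numbers have to be compared numerically per branch, and the FIPS/NDcPP branches have their own fix levels. The helper below is an added example for this page, not Citrix or Akamai code; the fixed builds are exactly the ones listed above, and the parser's acceptance of the "NetScaler NS14.1: Build 43.56.nc" layout from the appliance's show version output is an assumption about that CLI format rather than something the article states. Branches the article does not list (for example 13.0, or 14.1-FIPS) are reported as not-listed rather than guessed at.

```python
import re

# First fixed build per branch, as listed in the advisory text above, as a
# (build, revision) pair. NDcPP shares the 13.1-FIPS fix level on this page,
# so it is folded into the "FIPS" key.
FIXED_BUILDS = {
    ("14.1", None): (43, 56),     # NetScaler ADC and Gateway 14.1
    ("13.1", None): (58, 32),     # NetScaler ADC and Gateway 13.1
    ("13.1", "FIPS"): (37, 235),  # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "FIPS"): (55, 328),  # 12.1-FIPS
}

# Accepts the advisory form ("14.1-43.56", "13.1-37.235-FIPS") and the
# "show version" form ("NetScaler NS14.1: Build 43.56.nc"). The CLI layout
# is assumed, not taken from the article.
VERSION_RE = re.compile(
    r"(?:NS)?(?P<release>\d+\.\d+)[-: ]+(?:Build\s+)?"
    r"(?P<build>\d+)\.(?P<rev>\d+)(?:\.nc)?"
    r"(?:[-\s]*(?P<variant>FIPS|NDcPP))?",
    re.IGNORECASE,
)

def parse_version(text):
    """Return (release, variant, (build, rev)); raise ValueError if unparsable."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    variant = m.group("variant")
    if variant is not None:
        variant = "FIPS"  # FIPS and NDcPP share one fixed build on this page
    return m.group("release"), variant, (int(m.group("build")), int(m.group("rev")))

def check_version(text):
    """'vulnerable', 'patched', or 'not-listed' for branches the advisory text omits."""
    release, variant, build = parse_version(text)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "not-listed"
    return "vulnerable" if build < fixed else "patched"

def triage(versions):
    """Map each version string to its status; handy over a fleet inventory export."""
    return {v: check_version(v) for v in versions}

if __name__ == "__main__":
    for v, status in triage([
        "14.1-43.55", "NetScaler NS14.1: Build 47.46.nc",
        "13.1-57.26", "13.1-37.234-FIPS", "13.1-37.235-NDcPP",
        "12.1-55.300-FIPS", "13.0-92.21",
    ]).items():
        print(f"{v:40} {status}")
```

Treat not-listed as a prompt to consult the vendor advisory rather than as safe: the article's list is the set of supported branches with fixes, and a build on an unlisted branch is not thereby exempt.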
Mitigation Measures
Akamai's security team has responded by releasing Rapid Rule 3000967 through its App & API Protector platform.
Initially deployed in "Alert" mode on July 7, 2025, the rule was promoted to "Deny" the following day after validation.
Security researchers observed significant scanning activity beginning July 8, 2025, with over 200,000 POST requests targeting the vulnerable endpoint across multiple hostnames and IP addresses.
Scanning at this scale represents organized efforts to identify vulnerable NetScaler instances for later exploitation.
Organizations are strongly advised to patch affected appliances immediately and add monitoring for indicators of compromise, because the flaw's pre-authentication nature and the availability of a public proof of concept create substantial exposure. Because the leaked data can include valid session tokens, patching alone does not close the window: after upgrading, terminate existing ICA and PCoIP sessions (Citrix's guidance is kill icaconnection -all and kill pcoipConnection -all) so that any tokens already captured can no longer be replayed.