Cyber Web Spider Blog – News


PoC Exploits for CitrixBleed2 Flaw Released – Attackers Can Exfiltrate 127 Bytes Per Request

Posted on July 8, 2025 By CWS

Security researchers have released proof-of-concept exploits for a critical vulnerability dubbed “CitrixBleed2” affecting Citrix NetScaler ADC and Gateway products.

The vulnerability, tracked as CVE-2025-5777, allows attackers to exfiltrate up to 127 bytes of sensitive data per request, potentially exposing session tokens and user credentials through memory disclosure attacks.

Key Takeaways
1. CVE-2025-5777 affects Citrix NetScaler systems, allowing attackers to extract 127 bytes of sensitive data per request through memory disclosure.
2. Exploits use malformed requests to the /p/u/doAuthentication.do endpoint, leaking memory contents, including session tokens and credentials.
3. Exposes administrative “nsroot” tokens and captures credentials from legitimate users sharing the same memory space.
4. Apply June 2025 patches, terminate active sessions, monitor logs for anomalies, and audit configurations for unauthorized changes.

Memory Disclosure Vulnerability

The CitrixBleed2 vulnerability stems from improper memory management in the NetScaler Packet Parsing Engine (nsppe binary), which handles NetScaler Gateway features and AAA authentication mechanisms.

Analysis of patch diffs revealed new cleanup sections that zero out buffers and memory regions related to HTTP request data before reusing them.

According to the Horizon3.ai report, the vulnerability specifically targets the /p/u/doAuthentication.do endpoint, which processes login requests in a standard format.

The critical flaw occurs when the code path successfully parses a login form key but does not validate whether associated form values are present.

This causes the param_2 structure to point to adjacent memory, which becomes null-terminated within the function, allowing attackers to leak exactly 127 bytes of arbitrary data.

The exploit leverages malformed authentication requests with missing form values, causing the system to reflect unintended memory contents in responses.

This memory space is shared across different user sessions and administrative interfaces, making it possible to capture legitimate user session tokens and plaintext credentials from concurrent users.

Risk Factors / Details

Affected Products:
  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS
Impact: Memory disclosure allowing extraction of up to 127 bytes per request
Exploit Prerequisites:
  • Network access to a vulnerable NetScaler endpoint
  • Access to the /p/u/doAuthentication.do endpoint
  • Ability to send malformed HTTP requests with missing form values
  • No authentication required for exploitation
CVSS 3.1 Score: 9.1 (Critical)

Affected Versions

The vulnerability affects multiple NetScaler product versions released before specific patches in June 2025.

Affected systems include NetScaler ADC and Gateway 14.1 prior to 14.1-43.56, version 13.1 prior to 13.1-58.32, and various FIPS-enabled versions.

The scope extends beyond regular user endpoints to configuration utilities used by administrators, potentially exposing high-privilege “nsroot” session tokens.

Researchers demonstrated the exploit’s effectiveness by continuously polling the vulnerable endpoint while legitimate users accessed the system.

The attack successfully captured session tokens belonging to administrative users, including nsroot credentials that provide full control over NetScaler ADC instances.

The vulnerability also exposes plaintext credentials from legitimate login requests processed through the same memory space.

Mitigation Strategies

Organizations can identify potential exploitation attempts by monitoring for log entries containing non-printable characters in ns.log files when debug logging is enabled.
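One way to run the ns.log check described above, as an added example that is not part of the original article or any Citrix tooling. It assumes the log is expected to be ASCII text; the function names and the sample line layout are constructed for illustration.

```python
from typing import Iterable, NamedTuple

class Hit(NamedTuple):
    line_no: int    # 1-based line number in the log
    bad_bytes: int  # number of non-printable bytes on the line
    excerpt: str    # escaped copy, safe to paste into a ticket or terminal

def is_printable(b: int) -> bool:
    # Printable ASCII plus TAB; everything else counts as non-printable.
    return 0x20 <= b <= 0x7E or b == 0x09

def scan(lines: Iterable[bytes], min_bad: int = 1) -> list[Hit]:
    """Return one Hit per line holding at least min_bad non-printable bytes."""
    hits = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.rstrip(b"\r\n")
        bad = sum(1 for b in line if not is_printable(b))
        if bad >= min_bad:
            # Escape anything outside printable ASCII so raw memory bytes
            # never reach the analyst's terminal unescaped.
            excerpt = "".join(
                chr(b) if 0x20 <= b <= 0x7E else f"\\x{b:02x}" for b in line[:160]
            )
            hits.append(Hit(line_no, bad, excerpt))
    return hits

def scan_file(path: str, min_bad: int = 1) -> list[Hit]:
    # Binary mode: text mode would raise on, or replace, the bytes we look for.
    with open(path, "rb") as fh:
        return scan(fh, min_bad)

# Constructed sample lines (layout is illustrative, not real ns.log output).
SAMPLE = [
    b"Jul  8 10:00:01 ns1 auth: login request user=alice result=ok\n",
    b"Jul  8 10:00:02 ns1 auth: login request user=\x00\x13\xfe\x80Qk\x07 result=fail\n",
    b"Jul  8 10:00:03 ns1 auth: login request user=bob\tresult=ok\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit.line_no}: {hit.bad_bytes} non-printable bytes: {hit.excerpt}")
```

Raising min_bad reduces noise from an occasional stray control character while still surfacing lines that carry runs of binary data.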

CISA has added related vulnerability CVE-2025-6543 to their Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Recommended mitigation steps include immediately applying available patches, terminating existing ICA and PCoIP sessions, and auditing active sessions for anomalous activity such as single users accessing from multiple IP addresses.

System administrators should review current configurations against known good backups using diff utilities to identify unauthorized changes, particularly the addition of backdoor accounts.
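The two audit steps above (users seen from several IP addresses, and account lines added since the known good backup), sketched as an added example that is not from the original article. The session pairs and configuration text are constructed, and the function names are hypothetical; the only NetScaler syntax assumed is the `add system user` and `bind system user` configuration commands.

```python
import difflib
from collections import defaultdict

def users_with_multiple_ips(sessions):
    """sessions: iterable of (user, client_ip) pairs from an exported session list."""
    seen = defaultdict(set)
    for user, ip in sessions:
        seen[user.lower()].add(ip)  # usernames compared case-insensitively
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}

def added_config_lines(known_good: str, current: str):
    """Lines present in the current config but absent from the known good backup."""
    delta = difflib.ndiff(known_good.splitlines(), current.splitlines())
    return [line[2:] for line in delta if line.startswith("+ ")]

def added_accounts(known_good: str, current: str):
    """Subset of added lines that create a system user or bind policies to one."""
    prefixes = ("add system user", "bind system user")
    return [l for l in added_config_lines(known_good, current)
            if l.strip().lower().startswith(prefixes)]

# Constructed sample data (documentation IP ranges, placeholder hashes).
SESSIONS = [
    ("alice", "192.0.2.10"),
    ("bob", "198.51.100.7"),
    ("Alice", "203.0.113.5"),
    ("bob", "198.51.100.7"),
]
KNOWN_GOOD = """add system user svc_monitor HASH_PLACEHOLDER
set ns hostName ns1
"""
CURRENT = """add system user svc_monitor HASH_PLACEHOLDER
add system user helpdesk2 HASH_PLACEHOLDER
bind system user helpdesk2 superuser 100
set ns hostName ns1
"""

if __name__ == "__main__":
    for user, ips in users_with_multiple_ips(SESSIONS).items():
        print(f"review sessions for {user}: {', '.join(ips)}")
    for line in added_accounts(KNOWN_GOOD, CURRENT):
        print(f"account change not in backup: {line}")
```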

The vulnerability’s similarity to the original CitrixBleed (CVE-2023-4966) suggests similar post-exploitation tactics may be employed, including configuration changes and installation of persistence mechanisms.
