Saturday, December 13, 2025

Splunk Explains How to Detect, Mitigate, and Respond to the CitrixBleed 2 Attack

Cybersecurity teams worldwide are grappling with a critical infrastructure vulnerability that poses a significant threat to enterprise networks.

CVE-2025-5777, dubbed “CitrixBleed 2,” represents a dangerous out-of-bounds memory read vulnerability in Citrix NetScaler ADC and Gateway devices that has been added to CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

The Splunk Threat Research Team has released comprehensive detection strategies and mitigation guidance to help organizations defend against this emerging threat.

Technical Mechanics and Exploitation Patterns

CVE-2025-5777 stems from insufficient input validation in NetScaler ADC and Gateway products, earning a critical CVSS score of 9.3.

The vulnerability occurs when authentication handlers process specially crafted HTTP POST requests to /p/u/doAuthentication.do with malformed login parameters.

(Diagram of attack flow, Splunk 2025)

Security researchers have observed that attackers can trigger memory leaks by sending requests containing only “login” without proper structure, causing the backend to return uninitialized memory content instead of properly initialized variables.

The exploitation process is remarkably straightforward, requiring only a single HTTP request that can expose sensitive data including session cookies, authentication tokens, credentials, and administrative access tokens.

This leaked information enables attackers to hijack authenticated sessions and bypass multi-factor authentication controls entirely.

GreyNoise researchers have documented attack activity dating back to July 1st, 2025, with one IP address previously linked to the RansomHub ransomware group.

Splunk’s Detection and Response Framework

Splunk’s Threat Research Team has developed a comprehensive analytic story specifically targeting CitrixBleed 2 exploitation activities.

Their detection methodology focuses on monitoring POST requests to the vulnerable endpoint with malformed parameters, identifying authentication anomalies, and detecting patterns of session hijacking.

Key detection queries include monitoring for requests containing login parameters without proper structure, tracking users accessing NetScaler services from multiple distinct IP addresses, and identifying abnormally high volumes of authentication requests from single sources.
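The three detection ideas above (malformed login parameters on the authentication endpoint, one user seen from several source IPs, and unusually many authentication requests from one source) can be checked with a short script over access-log data. The example below is added here for illustration and is not Splunk's analytic story or its SPL; the JSON-lines log format, the field names (`src_ip`, `user`, `body`) and the sample events are all constructed assumptions, and the thresholds are parameters a defender would tune to their own baseline. The malformed-body check is slightly more general than the "bare login" case the text describes: it flags any form parameter that arrives without a `key=value` structure.

```python
import json
from collections import Counter, defaultdict

# Endpoint named in the advisory text.
AUTH_ENDPOINT = "/p/u/doAuthentication.do"

# Constructed sample log (one JSON object per line). The schema is an
# assumption for this example, not NetScaler's native log format; "body"
# stands for the logged POST form body, which requires extra logging to capture.
SAMPLE_LOG = """\
{"ts": "2025-07-01T10:00:01Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "-", "body": "login"}
{"ts": "2025-07-01T10:00:05Z", "src_ip": "198.51.100.2", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "alice", "body": "login=alice&passwd=REDACTED"}
{"ts": "2025-07-01T10:00:06Z", "src_ip": "198.51.100.2", "method": "GET", "path": "/vpn/index.html", "user": "alice", "body": ""}
{"ts": "2025-07-01T10:00:09Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "-", "body": "login"}
{"ts": "2025-07-01T10:00:10Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "-", "body": "login"}
{"ts": "2025-07-01T10:00:11Z", "src_ip": "203.0.113.7", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "-", "body": "login"}
{"ts": "2025-07-01T10:02:30Z", "src_ip": "203.0.113.9", "method": "GET", "path": "/vpn/index.html", "user": "alice", "body": ""}
{"ts": "2025-07-01T10:03:00Z", "src_ip": "192.0.2.5", "method": "POST", "path": "/p/u/doAuthentication.do", "user": "bob", "body": "login=bob&passwd=REDACTED"}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_auth_post(event):
    """True for POST requests to the authentication endpoint."""
    return event["method"] == "POST" and event["path"] == AUTH_ENDPOINT


def malformed_login_body(body):
    """True when the form body contains a parameter without key=value structure.

    A bare "login" token (no "=") is the shape described in the advisory; a
    well-formed body such as "login=alice&passwd=..." is not flagged.
    """
    tokens = [t for t in body.split("&") if t]
    return any("=" not in t for t in tokens)


def find_malformed_auth_requests(events):
    """Detection 1: authentication POSTs whose body is structurally malformed."""
    return [e for e in events if is_auth_post(e) and malformed_login_body(e["body"])]


def users_with_multiple_ips(events, min_ips=2):
    """Detection 2: users observed from at least `min_ips` distinct source IPs.

    A single user appearing from several addresses is the session-hijacking
    indicator the text describes (a stolen token replayed from elsewhere).
    """
    ips = defaultdict(set)
    for e in events:
        if e["user"] != "-":
            ips[e["user"]].add(e["src_ip"])
    return {user: sorted(addrs) for user, addrs in ips.items() if len(addrs) >= min_ips}


def high_volume_auth_sources(events, min_requests=4):
    """Detection 3: source IPs sending at least `min_requests` authentication POSTs."""
    counts = Counter(e["src_ip"] for e in events if is_auth_post(e))
    return {ip: n for ip, n in counts.items() if n >= min_requests}


def run_detections(text):
    """Run all three detections over a log and return their findings together."""
    events = parse_log(text)
    return {
        "malformed_auth_requests": find_malformed_auth_requests(events),
        "users_from_multiple_ips": users_with_multiple_ips(events),
        "high_volume_auth_sources": high_volume_auth_sources(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_LOG), indent=2))
```

On the sample data, the script flags the four bare-`login` POSTs from 203.0.113.7, the same address as a high-volume authentication source, and `alice` as a user seen from two different IPs. In production the per-source count would be computed over a sliding time window rather than the whole log, and the multi-IP rule needs an allowlist for legitimate roaming (VPN egress changes, mobile users) to keep false positives down.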

The team emphasizes that effective detection requires specific NetScaler logging configuration that is not enabled by default, including debug logging for authentication responses and detailed session logging.

Critical Mitigation Strategies

Immediate response actions include applying official patches to upgrade NetScaler ADC and Gateway to versions 14.1-43.56, 13.1-58.32, or their FIPS equivalents.

However, patching alone is insufficient – organizations must terminate all active sessions using commands like kill icaconnection -all and kill vpn -all to prevent continued abuse of previously stolen session tokens.

Network defenders can implement signature-based detection using Snort rule SID 65120, which identifies malformed HTTP POST requests targeting the vulnerable endpoint.

With nearly 70,000 exposed NetScaler instances detected online and confirmed active exploitation by threat actors, organizations cannot afford to delay response efforts against this critical infrastructure vulnerability.
