A working proof-of-concept exploit now exists for CVE-2025-5777, a critical memory disclosure vulnerability affecting Citrix NetScaler products that has been dubbed “CitrixBleed 2” due to its similarities to the notorious CVE-2023-4966 vulnerability.
The exploit allows attackers to exfiltrate 127 bytes of arbitrary memory data per request, potentially exposing sensitive session tokens and plaintext credentials from legitimate user login attempts.
On June 17, 2025, Citrix published security advisories detailing multiple vulnerabilities including CVE-2025-5777 and CVE-2025-5349, followed by CVE-2025-6543 on June 25, 2025.
The affected products include NetScaler ADC and NetScaler Gateway versions 14.1 prior to 14.1-43.56, 13.1 prior to 13.1-58.32, and various FIPS versions.
While Citrix claims it has not observed evidence of CVE-2025-5777 being exploited in the wild, other security firms dispute this assessment.
However, CVE-2025-6543 has been confirmed as actively exploited, prompting CISA to add it to their Known Exploited Vulnerabilities catalog.
The vulnerability stems from inadequate memory cleanup in the NetScaler Packet Parsing Engine (nsppe) binary, which handles NetScaler Gateway features and authentication mechanisms.
Security researchers who diffed the patch found new cleanup sections designed to zero out buffers and memory regions related to HTTP request data before reuse.
Despite these cleanup efforts, the vulnerability persists in specific code paths that only require successful parsing of login form keys, regardless of whether associated form values are present.
CitrixBleed2 Vulnerabilities
The proof-of-concept exploit targets the /p/u/doAuthentication.do endpoint, which processes login requests and reflects user-supplied login values in responses.
By manipulating requests with missing form values, attackers can trigger memory disclosure that exposes up to 127 bytes of adjacent memory content.
This leaked memory often contains highly sensitive information including session tokens for both regular users and administrative accounts.
Demonstration videos show attackers successfully capturing legitimate user session tokens by repeatedly polling the vulnerable endpoint while users refresh their browsers.
The attack becomes particularly dangerous when targeting administrative interfaces, as researchers successfully obtained session tokens belonging to the “nsroot” user account, which provides complete control over the Citrix NetScaler ADC instance.
Additionally, the exploit can capture plaintext credentials from legitimate login requests, as the vulnerable memory space is shared across different user sessions and administrative functions.
Detection Challenges
The sparse technical details in vendor advisories create significant challenges for security teams attempting to detect exploitation attempts.
Citrix’s limited disclosure has left organizations struggling to identify whether they have been compromised, even after applying patches.
Security researchers recommend monitoring for several indicators including log entries containing non-printable characters, particularly in debug logging configurations where ns.log may contain evidence of memory disclosure attempts.
Organizations should audit active sessions for anomalies such as single user accounts being accessed from multiple IP addresses simultaneously, which could indicate session token theft.
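As an added example (not code from the article, the researchers, or Citrix), the two indicators above can be turned into a small triage script: one function flags log lines that contain non-printable bytes, the other flags users whose sessions from different source IPs overlap in time. The log line layout and the session export as (user, source IP, start, end) tuples are assumptions made for illustration; adapt the parsing to what your appliance actually records.

```python
import re
from collections import defaultdict
from datetime import datetime

# Any byte other than tab or printable ASCII. Legitimate UTF-8 text also matches, so hits need review.
NONPRINTABLE = re.compile(rb"[^\x09\x20-\x7e]")

# Constructed sample lines; the layout is illustrative, not the real ns.log format.
SAMPLE_LOG = (
    b"Jul  1 10:00:01 ns example: login attempt user=alice\n"
    b"Jul  1 10:00:02 ns example: login attempt user=\x8f\x02\xe1\x00\x7f\x13\n"
    b"Jul  1 10:00:03 ns example: login attempt user=bob\n"
)
# Constructed session export (hypothetical format): user, source IP, start, end.
SAMPLE_SESSIONS = [
    ("alice", "192.0.2.10", "2025-07-01T10:00:00", "2025-07-01T11:00:00"),
    ("alice", "198.51.100.7", "2025-07-01T10:30:00", "2025-07-01T10:45:00"),
    ("bob", "192.0.2.20", "2025-07-01T09:00:00", "2025-07-01T09:30:00"),
    ("bob", "203.0.113.5", "2025-07-01T10:00:00", "2025-07-01T10:20:00"),
]

def nonprintable_lines(raw: bytes, min_count: int = 1):
    """Return (line_number, count) for log lines holding non-printable bytes."""
    hits = []
    for n, line in enumerate(raw.split(b"\n"), start=1):
        count = len(NONPRINTABLE.findall(line.rstrip(b"\r")))
        if count >= min_count:
            hits.append((n, count))
    return hits

def concurrent_ip_users(sessions):
    """Return {user: sorted IPs} where sessions from different IPs overlap in time."""
    by_user = defaultdict(list)
    for user, ip, start, end in sessions:
        by_user[user].append((datetime.fromisoformat(start), datetime.fromisoformat(end), ip))
    flagged = {}
    for user, rows in by_user.items():
        rows.sort()  # order by start time so the inner scan can stop early
        ips = set()
        for i, (s1, e1, ip1) in enumerate(rows):
            for s2, e2, ip2 in rows[i + 1:]:
                if s2 >= e1:
                    break  # sorted by start: no later session overlaps this one
                if ip1 != ip2:
                    ips.update((ip1, ip2))
        if ips:
            flagged[user] = sorted(ips)
    return flagged
```

Read the log in binary mode so the bytes reach `nonprintable_lines` undecoded, and treat both outputs as leads for manual review rather than proof of compromise.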
The vulnerability’s similarity to the original CitrixBleed attack suggests that threat actors may employ similar post-exploitation techniques including creating backdoor accounts, modifying configurations with persistence mechanisms, and installing remote access tools.
System administrators should compare current running configurations against known good backups using diff utilities to identify unauthorized modifications.
Given the critical nature of these vulnerabilities and the active exploitation of CVE-2025-6543, immediate patching and comprehensive security auditing are essential for protecting NetScaler deployments.