PoC Exploits for CitrixBleed2 Flaw Released – Attackers Can Exfiltrate 127 Bytes Per Request

Security researchers have released proof-of-concept exploits for a critical vulnerability dubbed “CitrixBleed2” affecting Citrix NetScaler ADC and Gateway products. 

The vulnerability, tracked as CVE-2025-5777, allows attackers to exfiltrate up to 127 bytes of sensitive data per request, potentially exposing session tokens and user credentials through memory disclosure attacks.

Key Takeaways
1. CVE-2025-5777 affects Citrix NetScaler systems, allowing attackers to extract 127 bytes of sensitive data per request through memory disclosure.
2. Exploits use malformed requests to /p/u/doAuthentication.do endpoint, leaking memory contents, including session tokens and credentials.
3. Attacks can expose administrative “nsroot” session tokens and capture credentials from legitimate users sharing the same memory space.
4. Apply June 2025 patches, terminate active sessions, monitor logs for anomalies, and audit configurations for unauthorized changes.

Memory Disclosure Vulnerability

The CitrixBleed2 vulnerability stems from improper memory management in the NetScaler Packet Parsing Engine (nsppe binary), which handles NetScaler Gateway features and AAA authentication mechanisms. 

Analysis of the patch diffs revealed new cleanup sections that zero out buffers and memory regions related to HTTP request data before they are reused.

According to the Horizon3.ai report, the vulnerability specifically involves the /p/u/doAuthentication.do endpoint, which processes login requests in a standard form format.

The critical flaw occurs when the code path successfully parses a login form key but does not validate whether the associated form value is present.

As a result, the param_2 structure points to adjacent memory, which is then null-terminated within the function, allowing attackers to leak exactly 127 bytes of arbitrary data.

The exploit leverages malformed authentication requests with missing form values, causing the system to reflect unintended memory contents in responses. 

This memory space is shared across different user sessions and administrative interfaces, making it possible to capture legitimate user session tokens and plaintext credentials from concurrent users.

Risk Factors

Affected Products:
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS

Impact: Memory disclosure allowing extraction of up to 127 bytes per request

Exploit Prerequisites:
- Network access to a vulnerable NetScaler endpoint
- Access to the /p/u/doAuthentication.do endpoint
- Ability to send malformed HTTP requests with missing form values
- No authentication required for exploitation

CVSS 3.1 Score: 9.1 (Critical)

Affected Versions

The vulnerability affects multiple NetScaler product versions released before specific patches in June 2025. 

Affected systems include NetScaler ADC and Gateway 14.1 prior to 14.1-43.56, version 13.1 prior to 13.1-58.32, and various FIPS-enabled versions.

The scope extends beyond regular user endpoints to configuration utilities used by administrators, potentially exposing high-privilege “nsroot” session tokens.

Researchers demonstrated the exploit’s effectiveness by continuously polling the vulnerable endpoint while legitimate users accessed the system. 

The attack successfully captured session tokens belonging to administrative users, including nsroot credentials that provide complete control over NetScaler ADC instances. 

The vulnerability also exposes plaintext credentials from legitimate login requests processed through the same memory space.

Mitigation Strategies

Organizations can identify potential exploitation attempts by monitoring for log entries containing non-printable characters in ns.log files when debug logging is enabled. 

CISA has added the related vulnerability CVE-2025-6543 to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

Recommended mitigation steps include immediately applying available patches, terminating existing ICA and PCoIP sessions, and auditing active sessions for anomalous activity such as single users accessing from multiple IP addresses. 

System administrators should compare current configurations against known good backups using diff utilities to identify unauthorized changes, particularly the addition of backdoor accounts.
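As an added illustration, not code from the article, Horizon3.ai or Citrix, the following Python implements two of the monitoring checks described above: flagging ns.log entries that contain non-printable bytes, and listing users whose active sessions originate from more than one source IP. The log lines and session records are constructed samples, and the ns.log line layout shown is an assumption rather than real NetScaler output.

```python
import re
from collections import defaultdict

# Matches any character that is not printable ASCII (space..tilde) and not
# tab/CR/LF. The article notes that reflected memory shows up in ns.log as
# non-printable characters when debug logging is enabled.
NON_PRINTABLE = re.compile(r"[^\x20-\x7e\t\r\n]")

# Constructed ns.log-style lines (the layout is an assumption, not real
# NetScaler output); the third carries raw bytes of the kind a reflected
# memory region would produce in a logged login attempt.
SAMPLE_NS_LOG = [
    '10:01:02 ns AAA Message : "login user=alice src=10.0.0.5"',
    '10:01:09 ns AAA Message : "login user= src=203.0.113.7"',
    '10:01:10 ns AAA Message : "login user=\x00\x8f\xe3\x01 src=203.0.113.7"',
]

# Constructed active-session records as (user, source_ip); a real audit would
# pull these from the appliance's session table.
SAMPLE_SESSIONS = [
    ("alice", "10.0.0.5"),
    ("nsroot", "10.0.0.9"),
    ("nsroot", "198.51.100.23"),
    ("bob", "10.0.0.12"),
]


def flag_nonprintable(lines):
    """Return (line_number, count) for each line containing non-printable chars."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        found = NON_PRINTABLE.findall(line)
        if found:
            hits.append((lineno, len(found)))
    return hits


def users_with_multiple_ips(sessions):
    """Return {user: sorted IPs} for users seen from more than one source IP."""
    seen = defaultdict(set)
    for user, ip in sessions:
        seen[user].add(ip)
    return {u: sorted(ips) for u, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for lineno, count in flag_nonprintable(SAMPLE_NS_LOG):
        print(f"ns.log line {lineno}: {count} non-printable byte(s); review for leaked memory")
    for user, ips in users_with_multiple_ips(SAMPLE_SESSIONS).items():
        print(f"user {user!r} has sessions from multiple IPs: {', '.join(ips)}")
```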

The vulnerability’s similarity to the original CitrixBleed (CVE-2023-4966) suggests that similar post-exploitation tactics may be employed, including configuration modifications and the installation of persistence mechanisms.
