127 Bytes Exfiltrated Per Request
Security researchers have released proof-of-concept exploits for CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway devices dubbed “CitrixBleed2.”
The flaw allows unauthenticated attackers to extract sensitive data from device memory, including session tokens that can be used to bypass multi-factor authentication.
Vulnerability Details and Impact
CVE-2025-5777 is a memory disclosure vulnerability with a CVSS score of 9.3 that affects NetScaler devices configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers.
The vulnerability stems from insufficient input validation in the handling of HTTP POST login requests: the handler does not check that the login parameter actually carries a value before using it in the response.
The exploit works by targeting the /p/u/doAuthentication.do endpoint with specially crafted requests where the login parameter is sent without an equal sign or value.
This causes the NetScaler appliance to respond with approximately 127 bytes of arbitrary memory data per request, which can include session tokens, credentials, and other sensitive information.
Proof-of-Concept Exploits Released
Two security firms have published working exploits demonstrating the vulnerability’s severity:
watchTowr Labs initially released a vulnerability analysis and proof-of-concept on July 4, 2025, after observing that “a significant portion of the Citrix NetScaler user base” had not yet patched the vulnerability.
Their analysis shows how attackers can repeatedly query vulnerable endpoints to extract memory contents using simple HTTP requests.
Horizon3.ai published a more detailed exploit on July 7, 2025, demonstrating successful extraction of legitimate user session tokens from NetScaler memory.
Their research shows that attackers can capture tokens belonging to both regular users and administrative accounts, including the built-in “nsroot” administrator, whose session gives full control of the appliance.
The root cause is not a defect in snprintf itself but in how the login handler calls it: the echoed value is formatted with the %.*s specifier from a variable that is only assigned when the login parameter carries a value. When the parameter arrives without one, the variable still holds whatever was previously in that memory, so the response echoes uninitialized memory up to the first null byte, capped at roughly 127 bytes.
Attackers automate this by sending the malformed request repeatedly to slowly “bleed” memory until something valuable appears. Because the leaked bytes can include a valid session token, a successful run yields full access to the appliance while bypassing MFA, since the token represents an already-authenticated session.
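To make the mechanism concrete, here is an added C example written for this article (it is not NetScaler code and does not reproduce the appliance’s logic). It models the bug class: a form-body handler copies the login value into an XML reply with %.*s, but the value pointer is only assigned when the parameter has an equal sign, so a bare “login” parameter expands whatever the variable already held. The InitialValue element, the form layout, the stale_memory contents and all function names are assumptions chosen for the demonstration; stale memory is modelled explicitly so the program behaves the same on every compiler.

```c
#include <stdio.h>
#include <string.h>

#define LEAK_CAP 127   /* precision handed to %.*s; matches the ~127-byte figure */

/* Constructed stand-in for leftover memory from an earlier request: a
 * previous user's session cookie. Longer than LEAK_CAP and without a NUL,
 * so the vulnerable path leaks the full cap. */
static const char stale_memory[] =
    "NSC_AAAC="
    "0123456789abcdef0123456789abcdef"
    "0123456789abcdef0123456789abcdef"
    "0123456789abcdef0123456789abcdef"
    "0123456789abcdef0123456789abcdef"
    ";domain=vpn.example.net;Secure;HttpOnly";

/* Parse "login=<value>" from a form body (assumed layout). Returns 1 and
 * sets *value/*len when "login=" is present; returns 0 and leaves both
 * untouched when the parameter has no '=' (the trigger condition). */
static int parse_login(const char *body, const char **value, int *len) {
    const char *p = strstr(body, "login");
    if (p == NULL) return 0;
    p += strlen("login");
    if (*p != '=') return 0;
    p++;
    const char *end = strchr(p, '&');
    *value = p;
    *len = end ? (int)(end - p) : (int)strlen(p);
    return 1;
}

/* Vulnerable shape: the parse result is ignored, so on a bare "login" the
 * locals keep their stale contents and %.*s prints them. In the appliance
 * these would be uninitialized; here they hold stale_memory explicitly. */
int respond_vulnerable(const char *body, char *out, size_t outlen) {
    const char *value = stale_memory;
    int len = LEAK_CAP;
    parse_login(body, &value, &len);
    if (len > LEAK_CAP) len = LEAK_CAP;
    return snprintf(out, outlen, "<InitialValue>%.*s</InitialValue>", len, value);
}

/* Hardened shape: refuse the request unless the parameter was fully present,
 * and initialize the locals so nothing stale can ever reach the format. */
int respond_hardened(const char *body, char *out, size_t outlen) {
    const char *value = "";
    int len = 0;
    if (!parse_login(body, &value, &len)) {
        snprintf(out, outlen, "<Error>malformed login parameter</Error>");
        return -1;
    }
    if (len > LEAK_CAP) len = LEAK_CAP;
    return snprintf(out, outlen, "<InitialValue>%.*s</InitialValue>", len, value);
}

/* Bytes between the InitialValue tags, i.e. how much the reply echoed. */
int leaked_bytes(const char *response) {
    const char *open = strstr(response, "<InitialValue>");
    const char *close = strstr(response, "</InitialValue>");
    if (!open || !close) return 0;
    return (int)(close - (open + strlen("<InitialValue>")));
}

/* Helpers that return plain numbers so behaviour can be checked without output. */
int vulnerable_leak_length(const char *body) {
    char out[512];
    respond_vulnerable(body, out, sizeof out);
    return leaked_bytes(out);
}
int hardened_leak_length(const char *body) {
    char out[512];
    respond_hardened(body, out, sizeof out);
    return leaked_bytes(out);
}

int main(void) {
    char out[512];
    respond_vulnerable("login", out, sizeof out);           /* malformed: no '=' */
    printf("vulnerable, bare login  -> %d bytes echoed: %.48s...\n", leaked_bytes(out), out);
    respond_vulnerable("login=alice&passwd=x", out, sizeof out);
    printf("vulnerable, well-formed -> %s\n", out);
    respond_hardened("login", out, sizeof out);
    printf("hardened, bare login    -> %s\n", out);
    return 0;
}
```

The well-formed request behaves identically in both versions, which is why the bug survived: nothing in normal traffic ever exercises the unassigned path. The fix is the two-line difference in respond_hardened, initializing the locals and treating a parameter without a value as an error rather than as something to echo.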
Multiple security firms have reported evidence of active exploitation since mid-June 2025.
ReliaQuest stated with “medium confidence” that attackers are actively exploiting CVE-2025-5777 to gain initial access to targeted environments.
While Citrix initially said it had no evidence of exploitation, the consensus among security researchers is that the vulnerability is being actively targeted.
Affected Systems and Patching
The vulnerability affects the following NetScaler versions:
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.235
- NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS
Security researchers warn that CitrixBleed2 could follow a similar exploitation pattern to the original CitrixBleed vulnerability (CVE-2023-4966), which was extensively exploited by ransomware groups including LockBit 3.0 and nation-state actors.
The vulnerability enables attackers to establish persistent access, add backdoor accounts, and modify system configurations.
Organizations should monitor for unusual session activity, including a single user accessing systems from multiple IP addresses and sessions with abnormally long durations. Log entries containing non-printable characters in the login name may also indicate exploitation attempts, since a bled response can carry raw memory into the field that is logged.
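As an added example (not from the article or from Citrix), the following C program applies two of those indicators to constructed log lines: a login name containing non-printable bytes, and one user seen from more than one source address. The key=value line layout and the field names user and client_ip are assumptions for the demonstration, not the real ns.log format, so the field() helper would need adjusting for real appliance logs.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the third line carries raw bytes in the user field,
 * and alice appears from two different addresses. */
static const char *sample_log[] = {
    "Jul 7 10:01:02 ns1 AAA LOGIN user=alice client_ip=203.0.113.5 status=SUCCESS",
    "Jul 7 10:03:11 ns1 AAA LOGIN user=bob client_ip=203.0.113.8 status=SUCCESS",
    "Jul 7 10:04:40 ns1 AAA LOGIN user=\x7f\x01\x02#\x03 client_ip=198.51.100.9 status=FAIL",
    "Jul 7 10:09:55 ns1 AAA LOGIN user=alice client_ip=198.51.100.9 status=SUCCESS",
    "Jul 7 10:12:03 ns1 AAA LOGIN user=bob client_ip=203.0.113.8 status=SUCCESS",
};
static const int sample_log_len = (int)(sizeof sample_log / sizeof sample_log[0]);

/* Copy the value following "key=" (up to the next space or end of line) into
 * buf. Returns 1 on success, 0 when the key is absent. Assumed line layout. */
static int field(const char *line, const char *key, char *buf, size_t buflen) {
    const char *p = strstr(line, key);
    if (p == NULL) return 0;
    p += strlen(key);
    size_t n = strcspn(p, " ");
    if (n >= buflen) n = buflen - 1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* 1 if any byte falls outside printable ASCII (0x20..0x7e). */
int has_nonprintable(const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p > 0x7e) return 1;
    return 0;
}

/* Number of lines whose login name carries non-printable bytes. */
int count_nonprintable_logins(const char *const *lines, int n) {
    char user[128];
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (field(lines[i], "user=", user, sizeof user) && has_nonprintable(user)) hits++;
    return hits;
}

/* Number of distinct client_ip values a given user appears from. */
int distinct_ips_for_user(const char *const *lines, int n, const char *who) {
    char seen[32][64];
    int nseen = 0;
    char user[128], ip[64];
    for (int i = 0; i < n; i++) {
        if (!field(lines[i], "user=", user, sizeof user) || strcmp(user, who) != 0) continue;
        if (!field(lines[i], "client_ip=", ip, sizeof ip)) continue;
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], ip) == 0) { dup = 1; break; }
        if (!dup && nseen < 32) strcpy(seen[nseen++], ip);
    }
    return nseen;
}

int main(void) {
    printf("logins with non-printable names: %d\n",
           count_nonprintable_logins(sample_log, sample_log_len));
    const char *users[] = { "alice", "bob" };
    for (int i = 0; i < 2; i++) {
        int ips = distinct_ips_for_user(sample_log, sample_log_len, users[i]);
        printf("%s: %d distinct source IP(s)%s\n", users[i], ips, ips > 1 ? "  <-- review" : "");
    }
    return 0;
}
```

The multi-IP check is deliberately coarse: a user on a mobile connection will legitimately trip it, so in practice it is a triage signal to combine with session duration and with the non-printable-name check, which has far fewer benign explanations.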
Citrix has released patches for all affected versions, and organizations are urged to apply updates immediately as no workarounds or mitigations are available.
After patching, administrators should terminate all active ICA and PCoIP sessions (on the NetScaler CLI, “kill icaconnection -all” and “kill pcoipConnection -all”), since a session token stolen before the update remains valid until its session is ended, and should audit existing user sessions for suspicious activity.