Hackers Actively Exploiting CitrixBleed 2 Vulnerability in the Wild
Researchers have observed widespread exploitation attempts targeting a critical memory disclosure vulnerability in Citrix NetScaler devices, designated as CVE-2025-5777 and dubbed “CitrixBleed 2.”
This pre-authentication flaw enables attackers to craft malicious requests that leak uninitialized memory from affected NetScaler ADC and Gateway devices, potentially exposing sensitive data, including session tokens, passwords, and configuration values.
The vulnerability has prompted immediate security responses from organizations worldwide, with over 200,000 scanning attempts detected within days of the proof-of-concept disclosure.
Key Takeaways
1. CVE-2025-5777 affects Citrix NetScaler devices, allowing unauthenticated attackers to leak sensitive memory data including session tokens and passwords.
2. Over 200,000 scanning attempts were detected targeting vulnerable endpoints, indicating widespread threat actor activity.
3. Attackers send crafted requests with large User-Agent headers to trigger continuous memory leaks from the same target.
4. Organizations must immediately patch affected NetScaler versions and implement Akamai's protective rules due to public exploit availability.
CitrixBleed 2 Vulnerability (CVE-2025-5777)
The CitrixBleed 2 vulnerability stems from improper memory handling in the authentication function of Citrix NetScaler devices.
The flaw arises from an uninitialized login variable combined with inadequate input validation and missing error handling in the authentication logic.
Since the underlying code is written in C/C++, which doesn’t automatically initialize variables, attackers can access random stack memory containing leftover data from previous operations.
The vulnerability affects multiple NetScaler versions, including NetScaler ADC and Gateway 14.1 before 14.1-43.56, version 13.1 before 13.1-58.32, NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS, and NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS.
The attack targets the URL path /p/u/doAuthentication.do and requires no authentication, making it particularly accessible to threat actors.
Attackers exploit this vulnerability through a systematic approach involving reconnaissance, enumeration, and repeated exploitation attempts.
The attack begins with scanning for exposed Citrix NetScaler instances, followed by version verification to identify vulnerable targets.
The actual exploit involves sending crafted POST requests to the /p/u/doAuthentication.do endpoint with an unusually large User-Agent header containing recognizable patterns.
The technique earned the “CitrixBleed” moniker because attackers can repeatedly trigger memory leaks by sending identical payloads, with each attempt exposing new chunks of stack memory.
The oversized User-Agent header injects distinctive markers like “THR-WAF-RESEARCH” into the stack, which subsequently appear within
Risk Factors | Details |
Affected Products | NetScaler ADC and NetScaler Gateway 14.1 before 14.1-43.56; NetScaler ADC and NetScaler Gateway 13.1 before 13.1-58.32; NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP; NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS |
Impact | Memory disclosure of uninitialized stack memory |
Exploit Prerequisites | No authentication required (pre-authentication flaw); network access to the target NetScaler device; ability to send HTTP POST requests; target endpoint: /p/u/doAuthentication.do; no prior conditions or special privileges needed |
CVSS 3.1 Score | 7.5 (High) |
Mitigation Measures
Akamai’s security team has responded to the threat by releasing Rapid Rule 3000967 through their App & API Protector platform.
Initially deployed with an “Alert” action on July 7, 2025, the rule was upgraded to “Deny” status the following day after validation.
Security researchers observed significant scanning activity beginning July 8, 2025, with over 200,000 POST requests targeting the vulnerable endpoint across multiple hostnames and IP addresses.
This large-scale scanning represents organized attempts to identify vulnerable NetScaler instances for potential exploitation.
Organizations are strongly advised to patch affected devices immediately and implement additional monitoring for indicators of compromise, as the vulnerability’s pre-authentication nature and public proof-of-concept availability create substantial risk exposure.
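As an added example (not from the article or from Akamai), the following Python script shows the kind of log-based monitoring the advice above calls for: it flags POST requests to /p/u/doAuthentication.do that carry an oversized User-Agent header or the "THR-WAF-RESEARCH" marker mentioned earlier, and counts repeated probes per client. The log format, the sample lines, and the length and repeat thresholds are assumptions for illustration, not NetScaler's actual log layout.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed combined-log style:
# client "METHOD path PROTO" status "user-agent". Not real NetScaler output.
SAMPLE_LOGS = [
    '203.0.113.7 "POST /p/u/doAuthentication.do HTTP/1.1" 200 "' + "A" * 600 + '"',
    '203.0.113.7 "POST /p/u/doAuthentication.do HTTP/1.1" 200 "' + "A" * 600 + '"',
    '203.0.113.7 "POST /p/u/doAuthentication.do HTTP/1.1" 200 "' + "A" * 600 + '"',
    '198.51.100.2 "POST /p/u/doAuthentication.do HTTP/1.1" 200 "Mozilla/5.0"',
    '198.51.100.9 "GET /vpn/index.html HTTP/1.1" 200 "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$')
TARGET_PATH = "/p/u/doAuthentication.do"      # endpoint named in the article
KNOWN_MARKERS = ("THR-WAF-RESEARCH",)         # marker string named in the article
UA_LENGTH_THRESHOLD = 256   # assumed; tune to the User-Agent lengths seen locally
REPEAT_THRESHOLD = 3        # assumed; repeated identical probes from one client


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status, ua = m.groups()
    return {"client": client, "method": method, "path": path,
            "status": int(status), "ua": ua}


def is_suspicious(rec):
    """POST to the target endpoint with an oversized or marker-bearing User-Agent."""
    if rec["method"] != "POST" or rec["path"] != TARGET_PATH:
        return False
    ua = rec["ua"]
    return len(ua) >= UA_LENGTH_THRESHOLD or any(mk in ua for mk in KNOWN_MARKERS)


def detect(lines):
    """Return a Counter of suspicious request counts keyed by client address."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_suspicious(rec):
            hits[rec["client"]] += 1
    return hits


def repeat_offenders(hits):
    """Clients whose suspicious request count meets the repeat threshold."""
    return sorted(c for c, n in hits.items() if n >= REPEAT_THRESHOLD)
```

Running detect(SAMPLE_LOGS) on the constructed lines attributes three suspicious requests to 203.0.113.7 and none to the ordinary login or VPN requests.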