Splunk Details on How to Detect, Mitigate and Respond to CitrixBleed 2 Attack


CitrixBleed 2 (CVE-2025-5777) erupted in 2025 when researchers uncovered an out-of-bounds read in Citrix NetScaler ADC and Gateway that lets an unauthenticated request siphon memory straight from the appliance.

The flaw is triggered by a malformed POST sent to /p/u/doAuthentication.do, leaking session cookies, MFA tokens, and even plaintext passwords to anyone who asks—no exploit chain required.

By 10 July, CISA elevated the bug to its Known Exploited Vulnerabilities catalog, confirming that opportunistic ransomware crews and state actors had already weaponized it in the wild.


GreyNoise telemetry shows scanning began on 1 July, nine days before Citrix published full technical guidance, and Censys counts roughly 70,000 NetScaler instances reachable on the public Internet, a stark reminder of the attack surface at stake.

Splunk analysts noted a sharp uptick in suspicious 200-byte responses containing binary junk and XML tags that match the leak pattern, often followed within minutes by successful VPN logins from unexpected geolocations.

Their research emphasises that hijacked sessions remain valid until explicitly terminated, so patch-then-kill is mandatory, not optional.

The impact is immediate: stolen NSC_USER and NSC_TASS cookies can be replayed to bypass MFA, pivot inside networks, and drop ransomware or remote-access implants.

Federal agencies had to patch to 14.1-43.56 or 13.1-58.32 by late July, yet even rapid responders face forensics challenges because leaked memory can reveal administrator tokens for the entire appliance.

Against this backdrop, Splunk’s Threat Research Team has published an analytic story and accompanying Technical Add-on that parse NetScaler audit logs, enrich them with CIM fields, and surface exploitation attempts in real time.

Attack flow (Source – Splunk)

This attack flow maps the single-packet trigger to the session hijack sequence, underscoring how little attacker effort is needed once the parser mis-handles the login parameter.

Infection Mechanism: Memory Leakage and Session Reuse

Under the hood, CitrixBleed 2 is a textbook case of CWE-457. When the login parameter is supplied without an equals sign or value, the authentication handler allocates a buffer and copies uninitialised memory into an XML element of the response.

The attacker's request resembles the following:

POST /p/u/doAuthentication.do HTTP/1.1
Host: victim.gateway
Content-Length: 5

login

NetScaler dutifully replies with something like:

É|¼C÷PkÓßYsa5ÊÞÅÐ^Ð|@ºJZõ¶@¹^ì¶Uã7Kèg NSC_USER=8d3f2a1b;NSC_TASS=a4

From here, the adversary simply replays the exposed cookies:

GET /vpn/index.html HTTP/1.1
Host: victim.gateway
Cookie: NSC_USER=8d3f2a1b; NSC_TASS=a4

Splunk’s detection hinges on spotting that malformed POST as well as any NetScaler response containing non-printable bytes sandwiched between XML tags.

The team's SPL query below counts how many distinct sources attempted the exploit and flags successful memory disclosure:

index=netscaler sourcetype=citrix:netscaler:audit
| where uri="/p/u/doAuthentication.do" AND method="POST"
  AND (match(request_body,"login\s*$") OR match(request_body,"login[^=]"))
| stats count dc(src_ip) AS distinct_sources values(src_ip) min(_time) max(_time)
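The same two signals the SPL query and the preceding paragraph rely on (a login parameter with no equals sign, and non-printable bytes sitting between XML tags in the reply) can be checked outside Splunk, and the leaked NSC_USER value can then be correlated with any later request that presents it. The script below is an added example, not Splunk's or Citrix's code. It assumes a hypothetical event layout in which each record carries the request method, URI and body plus the response body (NetScaler audit logs do not normally contain bodies; this would come from a capture or reverse proxy in front of the gateway); the XML element names and all event values are constructed for the demonstration, and the element that carries the leak is a placeholder since the article does not name it.

```python
import re
from datetime import datetime, timedelta

# "login" used as a parameter name with no "=" after it. This mirrors the
# SPL match() on "login\s*$" / "login[^=]" but also catches it mid-body.
MALFORMED_LOGIN = re.compile(r"(?:^|&)\s*login(?!=)")
# Any byte outside printable ASCII (tab, LF and CR are allowed).
NONPRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")
# NSC_USER value, as bytes in a leaked response body and as str in a Cookie header.
NSC_USER_BYTES = re.compile(rb"NSC_USER=([0-9A-Za-z]+)")
NSC_USER_STR = re.compile(r"NSC_USER=([0-9A-Za-z]+)")


def is_malformed_login_post(event):
    """True when the request is the single-packet trigger described above."""
    return (event["method"] == "POST"
            and event["uri"] == "/p/u/doAuthentication.do"
            and MALFORMED_LOGIN.search(event.get("body", "")) is not None)


def response_leaks_memory(resp_body):
    """True when any XML text node (between '>' and '<') holds non-printable bytes."""
    return any(NONPRINTABLE.search(t) for t in re.findall(rb">([^<]*)<", resp_body))


def leaked_nsc_user(resp_body):
    """NSC_USER cookie values that appeared inside a leaked response body."""
    return {m.decode() for m in NSC_USER_BYTES.findall(resp_body)}


def correlate(events):
    """Flag every later request that presents an NSC_USER value seen in a leak."""
    leaks = {}    # NSC_USER value -> (time, src_ip) of the exchange that leaked it
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if is_malformed_login_post(e) and response_leaks_memory(e.get("resp_body", b"")):
            for value in leaked_nsc_user(e["resp_body"]):
                leaks.setdefault(value, (e["ts"], e["src_ip"]))
            continue
        m = NSC_USER_STR.search(e.get("cookie", ""))
        if m and m.group(1) in leaks:
            leak_ts, leak_src = leaks[m.group(1)]
            alerts.append({
                "nsc_user": m.group(1),
                "leaked_to": leak_src,
                "replayed_from": e["src_ip"],
                "minutes_after_leak": (e["ts"] - leak_ts).total_seconds() / 60,
                "src_differs": e["src_ip"] != leak_src,
            })
    return alerts


# Constructed sample data (not real telemetry). <Value> is a placeholder element name.
T0 = datetime(2025, 7, 1, 12, 0, 0)
LEAK_RESPONSE = (b"<?xml version='1.0'?><Response><Value>"
                 b"\xc9|\xbcC\xf7Pk\xd3\xdfYsa5 NSC_USER=8d3f2a1b;NSC_TASS=a4"
                 b"</Value></Response>")
CLEAN_RESPONSE = b"<?xml version='1.0'?><Response><Value>success</Value></Response>"

SAMPLE_EVENTS = [
    {"ts": T0, "src_ip": "203.0.113.5", "method": "POST",
     "uri": "/p/u/doAuthentication.do", "body": "login", "resp_body": LEAK_RESPONSE},
    {"ts": T0 + timedelta(seconds=1), "src_ip": "198.51.100.7", "method": "POST",
     "uri": "/p/u/doAuthentication.do", "body": "login=alice&passwd=REDACTED",
     "resp_body": CLEAN_RESPONSE},
    {"ts": T0 + timedelta(minutes=3), "src_ip": "203.0.113.9", "method": "GET",
     "uri": "/vpn/index.html", "cookie": "NSC_USER=8d3f2a1b; NSC_TASS=a4"},
    {"ts": T0 + timedelta(minutes=10), "src_ip": "198.51.100.7", "method": "GET",
     "uri": "/vpn/index.html", "cookie": "NSC_USER=1f2e3d4c; NSC_TASS=b9"},
]


def run_sample():
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample produces one alert: the cookie leaked to 203.0.113.5 is presented three minutes later by 203.0.113.9, which is exactly the "leak followed by a login from elsewhere" sequence Splunk describes. A hit on `response_leaks_memory` alone is already enough to justify killing sessions, because the dump may contain cookies for users who never sent the malformed request.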

When hits appear, responders must first upgrade the appliance, then purge every live VPN and ICA session with kill vpn -all and kill icaconnection -all before rotating credentials and combing logs for lateral-movement artifacts.

With exploit code already circulating, those steps are the difference between a contained incident and a domain-wide compromise.
