Summary
A critical vulnerability, tracked as CVE-2025-5777, has been discovered in Citrix NetScaler ADC and NetScaler Gateway products configured as a Gateway or AAA virtual server.
Citrix NetScaler is a networking appliance that delivers application access across distributed enterprise environments.
Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.
| Field | Value |
| --- | --- |
| OEM | Citrix |
| Severity | Critical |
| CVSS Score | 9.3 |
| CVEs | CVE-2025-5777 |
| POC Available | Yes |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
This out-of-bounds read flaw enables unauthenticated attackers to leak sensitive memory content, such as session tokens, by sending crafted HTTP POST requests.
The vulnerability is actively exploited in the wild, with public PoC exploits and scanning tools available. Citrix has released patches, and urgent remediation is strongly recommended.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| --- | --- | --- | --- | --- |
| Out-of-bounds read vulnerability | CVE-2025-5777 | NetScaler ADC & Gateway | Critical | 14.1-43.56; 13.1-58.32; 13.1-FIPS/NDcPP 13.1-37.235; 12.1-FIPS 12.1-55.328 |
Technical Summary
CVE-2025-5777 arises from improper input validation during login requests on affected NetScaler devices. An attacker can trigger the flaw by submitting a malformed authentication request (e.g., a POST login parameter with no equals sign). This causes the system to read uninitialized memory and leak up to 127 bytes of sensitive data in its response.
Attackers can extract session tokens and bypass multi-factor authentication (MFA) to hijack legitimate user sessions.
| CVE ID | System Affected | Vulnerability Details | Impact |
| --- | --- | --- | --- |
| CVE-2025-5777 | NetScaler ADC & Gateway: 14.1 < 14.1-43.56; 13.1 < 13.1-58.32; 13.1-FIPS/NDcPP < 13.1-37.235; 12.1-FIPS < 12.1-55.328. EOL: 12.1, 13.0. | Insufficient input validation allows attackers to trigger a memory leak via malformed authentication requests. | Session hijacking, MFA bypass, unauthorized access |
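The affected-version table above is easiest to apply across a fleet with a small triage script. The following is an added example, not Citrix's or the advisory author's code: it encodes the fixed builds from the table and classifies each inventory entry as fixed, vulnerable, end-of-life or unknown. It assumes version strings in the `<branch>-<major>.<minor>` form the table uses (for example `14.1-43.56`), with an optional `-FIPS` or `-NDcPP` suffix to mark those builds; adapt `parse_version()` if your inventory records versions differently. The host names and builds in `INVENTORY` are constructed.

```python
"""Triage NetScaler ADC / Gateway build strings against the fixed builds listed
in the CVE-2025-5777 advisory table.

Added example, not vendor or advisory code. Version format is an assumption:
'<branch>-<major>.<minor>' with an optional '-FIPS' / '-NDcPP' suffix."""
import re
from typing import Optional, Tuple

# Lowest fixed build per (branch, FIPS/NDcPP flag), taken from the advisory table.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS
}

# Non-FIPS branches the advisory lists as end-of-life: no fix, migrate instead.
EOL_BRANCHES = {"12.1", "13.0"}

_VARIANTS = {"fips": "FIPS", "ndcpp": "NDcPP"}
_VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)(?:-(?P<variant>FIPS|NDcPP))?$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, Tuple[int, int], Optional[str]]:
    """Split '13.1-37.235-FIPS' into ('13.1', (37, 235), 'FIPS')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    build = (int(m.group("major")), int(m.group("minor")))
    variant = m.group("variant")
    return m.group("branch"), build, (_VARIANTS[variant.lower()] if variant else None)


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, minimum fixed version or None).

    status is one of 'fixed', 'vulnerable', 'eol' or 'unknown'."""
    branch, build, variant = parse_version(text)
    is_fips = variant is not None
    if not is_fips and branch in EOL_BRANCHES:
        return "eol", None
    fixed = FIXED_BUILDS.get((branch, is_fips))
    if fixed is None:
        return "unknown", None          # branch not covered by the advisory table
    fixed_text = f"{branch}-{fixed[0]}.{fixed[1]}" + (f"-{variant}" if variant else "")
    # Tuple comparison orders by major build first, then minor, as the table intends.
    return ("fixed" if build >= fixed else "vulnerable"), fixed_text


# Constructed inventory for demonstration; these are not real hosts.
INVENTORY = {
    "gw-01": "14.1-43.47",
    "gw-02": "14.1-43.56",
    "gw-03": "13.1-56.18",
    "gw-04": "13.1-37.235-FIPS",
    "gw-05": "13.0-92.21",
    "gw-06": "12.1-55.300-FIPS",
}


def triage(inventory):
    """Map host name -> (status, fixed version) for a whole inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, (status, fixed) in triage(INVENTORY).items():
        note = f" (upgrade to {fixed})" if status == "vulnerable" else ""
        print(f"{host}: {status}{note}")
```

Because the advisory treats 12.1 and 13.0 as end-of-life while 12.1-FIPS still receives a fix, the script keys its lookup on both the branch and the FIPS/NDcPP flag; an `eol` result means the remediation is migration, not a patch.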
Proof of Concept (PoC):
The attacker submits a malformed HTTP POST to the authentication endpoint:
```http
POST /p/u/doAuthentication.do HTTP/1.0
Host: <NetScaler-IP>
Content-Length: 5
Connection: keep-alive

login
```
(Note: the 'login' parameter is sent without an '=' or a value.)
Because of the insufficient input validation, the backend neither initializes nor validates the 'login' field, so up to 127 bytes of uninitialized stack memory are included in the '<InitialValue>' tag of the XML response, potentially exposing session tokens or other sensitive internal data.

Source: horizon3
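For defenders reviewing proxy or WAF captures, the request shape described above is a usable indicator: a POST to the authentication endpoint whose form body carries a parameter name with no '=' and no value. The following is an added detection example, not code from the advisory, horizon3 or Citrix. It assumes raw requests are available as text (headers and body, CRLF-delimited) as a reverse proxy or packet capture would supply them, and it generalizes slightly beyond the page by reporting any valueless form token on that path, not only `login`. The sample traffic is constructed; request 0 reproduces the request shape from the PoC above.

```python
"""Flag HTTP requests showing the malformed-login pattern described for
CVE-2025-5777: a POST to the authentication endpoint whose form body carries a
parameter name with no '=' and no value.

Added detection example for proxy/WAF log review; not advisory, horizon3 or
Citrix code. Assumes raw requests as CRLF-delimited text (an assumption)."""
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Endpoint named in the advisory's proof of concept.
AUTH_PATH = "/p/u/doAuthentication.do"


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target = parts[0].upper(), parts[1]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target.split("?", 1)[0], headers, body


def bare_form_keys(body: str) -> List[str]:
    """Return form tokens that have no '=' at all, e.g. 'login' rather than 'login=x'.

    A normal form body is 'k=v&k2=v2'; a token without '=' is what the advisory
    identifies as the trigger, so every such token is reported, not only 'login'."""
    return [unquote(tok) for tok in body.strip().split("&") if tok and "=" not in tok]


def is_suspicious(raw: str) -> bool:
    """True when a POST to the auth endpoint carries a bare (valueless) parameter."""
    method, path, _headers, body = parse_request(raw)
    return method == "POST" and path == AUTH_PATH and bool(bare_form_keys(body))


def scan(requests: List[str]) -> List[int]:
    """Indexes of requests worth escalating, for a batch of captured requests."""
    return [i for i, raw in enumerate(requests) if is_suspicious(raw)]


# Constructed sample traffic. Request 0 reproduces the request shape from the
# advisory; the rest are benign shapes included to show what is not flagged.
SAMPLE_REQUESTS = [
    "POST /p/u/doAuthentication.do HTTP/1.0\r\nHost: netscaler.example\r\n"
    "Content-Length: 5\r\nConnection: keep-alive\r\n\r\nlogin",
    "POST /p/u/doAuthentication.do HTTP/1.1\r\nHost: netscaler.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 26\r\n\r\n"
    "login=alice&passwd=s3cret1",
    "GET /p/u/doAuthentication.do HTTP/1.1\r\nHost: netscaler.example\r\n\r\n",
    "POST /other/endpoint HTTP/1.1\r\nHost: netscaler.example\r\n"
    "Content-Length: 5\r\n\r\nlogin",
]

if __name__ == "__main__":
    for idx in scan(SAMPLE_REQUESTS):
        _, path, headers, body = parse_request(SAMPLE_REQUESTS[idx])
        print(f"request {idx}: POST {path} from host {headers.get('host')} "
              f"with bare parameter(s) {bare_form_keys(body)}")
```

A hit on a patched appliance is still worth recording, since the same request pattern shows up in scanning activity; a hit on an unpatched appliance should be treated as a likely token leak, which is why the remediation below pairs patching with revoking active sessions.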
Remediation:
Recommendations:
Conclusion:
CVE-2025-5777 (CitrixBleed 2) represents a critical memory leak vulnerability that is being actively exploited, with working public exploits widely circulated.
Attackers can extract session tokens and take over sessions even with MFA in place. Shodan scans reveal over 50,000 exposed NetScaler instances, with more than 1,200 unpatched as of late June 2025.
Given its severity, public exploitation, and impact, organizations must act immediately to patch vulnerable systems, revoke active sessions, and migrate away from unsupported versions.
This vulnerability echoes the risks of the original CitrixBleed, emphasizing the importance of proactive defense in depth.
References: