🔓 CVE‑2025‑5777 – CitrixBleed 2: Memory Leaks, MFA Bypass, and Full Session Hijack

CVE‑2025‑5777 (“CitrixBleed 2”) is a critical vulnerability in Citrix NetScaler ADC and Gateway appliances that allows unauthenticated attackers to leak memory containing sensitive session data. This post walks through the technical exploitation process, explains how to detect it using real-world tools like YARA, Suricata, and Zeek, and provides remediation and incident response guidance.

🧠 CVSS Breakdown: AV:N/AC:L/PR:N/UI:N/VC:H/VI:H/VA:H/S:C/SI:L/SA:L

  • AV:N – Network-based attack vector
  • AC:L – Low complexity, easy to exploit
  • PR:N – No privileges needed (pre-auth)
  • UI:N – No user interaction required
  • VC:H / VI:H / VA:H – High confidentiality, integrity, availability impact
  • S:C – Scope is changed; exploit affects other components
  • SI:L / SA:L – Secondary impacts are low but present

🚨 Vulnerability Summary

  • CVE: CVE‑2025‑5777 (“CitrixBleed 2”)
  • Product: Citrix NetScaler ADC and Gateway
  • Vector: Pre-auth HTTP POST triggers memory over-read
  • Endpoint: /p/u/doAuthentication.do
  • Disclosure: June–July 2025 (CISA KEV listed)
  • CVSS: 9.3 (Critical)

🔬 Exploitation Process

The attacker sends a malformed HTTP POST without an “=” sign to the authentication endpoint:

POST /p/u/doAuthentication.do HTTP/1.1
Host: target-netscaler.company.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

login

This results in a 200 OK response that contains garbage stack memory inside the <InitialValue> XML tag:

<InitialValue>�fGADMIN...nsroot...</InitialValue>

Looping these requests can extract:

  • Session tokens
  • MFA materials
  • LDAP credentials
  • nsroot tokens

🧰 Detection and Rules

🧪 YARA Rule (For PCAP or HTTP Response Dump Analysis)

rule CitrixBleed2_MemoryLeak_PCAP
{
    meta:
        description = "Detects CitrixBleed 2-style XML memory leak response"
        author = "SOCDFIR"
        reference = "CVE-2025-5777"

    strings:
        // The leaked bytes come back inside this element of the authentication response
        $xml_start = "<InitialValue>"
        $xml_end = "</InitialValue>"
        // Example run of low, non-printable bytes; a legitimate (empty) InitialValue never contains these
        $garbage = { 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F }

    condition:
        $xml_start and $xml_end and #garbage > 5
}

🌐 Suricata Rule (For Inline IDS/WAF Detection)

alert http any any -> any any (
    msg:"CVE-2025-5777 CitrixBleed2 memory leak exploit attempt";
    flow:to_server,established;
    content:"POST"; http_method;
    content:"/p/u/doAuthentication.do"; http_uri; nocase;
    content:"login"; http_client_body;
    pcre:"/^\s*login(?!=)/P";
    classtype:web-application-attack;
    sid:20255777; rev:1;
)

📊 Sigma Rule (Log-based Detection via Citrix ns.log or WAF)

title: CitrixBleed2 Memory Leak Attempt
id: 68c05b07-1123-4e4b-a8b1-cb7d31a54ba1
description: Detect potential CitrixBleed2 memory leak exploitation via malformed login POST
status: experimental
logsource:
  product: netscaler
  service: ns.log
detection:
  selection:
    Message|contains: '<InitialValue>'
    Message|re: '[\x00-\x08\x0E-\x19]{10,}'
  condition: selection
level: high

📈 Splunk Query

index=netscaler sourcetype="ns.log"
| search "/p/u/doAuthentication.do" login
| stats count by src_ip
| where count > 50

πŸ•΅οΈ Zeek Custom Script Snippet

@load base/protocols/http
const cb2_uri = "/p/u/doAuthentication.do";   # authentication endpoint that returns the leaked bytes

# http_entity_data carries the body; http_message_stat has no uri/status/body fields
event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
{
  # Only server responses (is_orig == F) on 443 for the endpoint that answered 200
  if ( is_orig || c$id$resp_p != 443/tcp || ! c?$http || ! c$http?$uri || c$http$uri != cb2_uri )
    return;
  if ( ! c$http?$status_code || c$http$status_code != 200 )
    return;
  # Non-whitespace control/high bytes ahead of the closing tag indicate leaked memory
  if ( /[^\x20-\x7E\x09\x0A\x0D]+[\x20-\x7E]*<\/InitialValue>/ in data )
    print fmt("Possible CitrixBleed2 exploit from %s", c$id$orig_h);
}
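The request and response shapes from the Exploitation Process section are what the YARA, Suricata and Zeek rules above key on. The following is an added example (not code from the original post) that implements the same two content checks in Python so they can be run over captured HTTP messages or dump files offline: the request-side heuristic (a POST to the endpoint whose body carries a bare "login" field with no "="), and the response-side check (non-printable bytes inside <InitialValue> of a 200 response). All messages are constructed inline; the host name is a placeholder.

```python
"""Content-level checks for the CitrixBleed 2 request/response shapes.
Added example; the sample messages are constructed, not captured traffic."""
import re

ENDPOINT = b"/p/u/doAuthentication.do"

# Bytes that never appear in a legitimate (empty) InitialValue element:
# anything outside printable ASCII, ignoring tab/LF/CR.
NONPRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")
INITIAL_VALUE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.DOTALL)


def split_http(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_malformed_login_post(raw: bytes) -> bool:
    """Request-side heuristic (what the Suricata rule encodes): a POST to the
    authentication endpoint whose form body has a bare 'login' field, no '='."""
    start, _, body = split_http(raw)
    parts = start.split(b" ")
    if len(parts) < 2 or parts[0] != b"POST":
        return False
    path = parts[1].split(b"?", 1)[0]
    if path.lower() != ENDPOINT.lower():
        return False
    return any(field.strip().lower() == b"login" for field in body.split(b"&"))


def leaked_bytes_in_initial_value(raw: bytes) -> int:
    """Response-side check (what the YARA and Zeek snippets encode): number of
    non-printable bytes inside <InitialValue> of a 200 response; 0 when the
    element is absent, empty or clean."""
    start, _, body = split_http(raw)
    if not start.startswith(b"HTTP/") or b" 200" not in start:
        return 0
    match = INITIAL_VALUE.search(body)
    return len(NONPRINTABLE.findall(match.group(1))) if match else 0


def build_request(body: bytes) -> bytes:
    """Constructed request in the shape shown in the post (placeholder host name)."""
    return (b"POST " + ENDPOINT + b" HTTP/1.1\r\n"
            + b"Host: target-netscaler.company.com\r\n"
            + b"Content-Type: application/x-www-form-urlencoded\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


def build_response(initial_value: bytes) -> bytes:
    """Constructed 200 response carrying the given InitialValue contents."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"
            + b"<AuthenticateResponse><InitialValue>" + initial_value
            + b"</InitialValue></AuthenticateResponse>")


# Constructed samples: the malformed body from the post, a well-formed login,
# a response leaking low control bytes (as in the YARA hex pattern) and a clean one.
MALFORMED_REQUEST = build_request(b"login")
BENIGN_REQUEST = build_request(b"login=alice&passwd=example&ok=1")
LEAK_GARBAGE = bytes(range(0x00, 0x09)) + bytes(range(0x0E, 0x14))  # 15 non-printable bytes
LEAK_RESPONSE = build_response(LEAK_GARBAGE + b"fGADMIN...nsroot...")
CLEAN_RESPONSE = build_response(b"")

if __name__ == "__main__":
    for name, req in (("malformed", MALFORMED_REQUEST), ("benign", BENIGN_REQUEST)):
        print(f"{name} request flagged: {is_malformed_login_post(req)}")
    for name, resp in (("leaking", LEAK_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(f"{name} response non-printable bytes: {leaked_bytes_in_initial_value(resp)}")
```

The response check deliberately ignores tab, LF and CR so that a pretty-printed XML body does not trip it; the Zeek pattern above excludes the same three bytes for the same reason.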

πŸ›‘οΈ Mitigation and Hardening

βœ… Patch Versions

  • 14.1 β†’ 14.1‑47.46+
  • 13.1 β†’ 13.1‑59.19+
  • 13.1‑FIPS β†’ 13.1‑37.235‑FIPS+
  • 12.1‑FIPS β†’ 12.1‑55.328‑FIPS+

🧯 Post-Patch Actions

  • Terminate all active ICA and PCoIP sessions from the NetScaler CLI:
      kill icaconnection -all
      kill pcoipConnection -all
  • Rotate admin and service credentials
  • Force session expiry and logout
  • Harden access to Citrix Gateway (VPN front-end only)

📋 IR Playbook Snippets

  • 📁 Search NetScaler logs for excessive malformed POSTs to /doAuthentication.do
  • 🔍 Review ICA and RDP sessions for anomalies or MFA-less access
  • 🧠 Memory analysis for leaked tokens or credential fragments
  • 🔍 Review all admin account creation timestamps
  • 📌 Inspect for lateral movement post-compromise (RDP, WMI, SMB)
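The first playbook step and the Splunk query above both look for a single source sending an unusual volume of POSTs to the authentication endpoint. The following is an added example (not part of the original post) that does the same hunt in Python over log lines, for environments without a SIEM. It assumes a simplified access-log layout (timestamp, source IP, method, path, status) that is constructed for the example and is not the real ns.log format, and it generalizes the query's flat `where count > 50` to a sliding time window so that a slow, spread-out loop is judged differently from a burst.

```python
"""Volume-based hunt for looping POSTs to the auth endpoint.
Added example over a constructed, simplified log format (not real ns.log)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/p/u/doAuthentication.do"

# Assumed line layout: "<ISO timestamp> <src ip> <METHOD> <path> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def make_sample_log():
    """Constructed sample: one source looping the endpoint every 5 s for 5 minutes,
    one normal user logging in three times over 40 minutes (documentation IPs)."""
    base = datetime(2025, 7, 1, 12, 0, 0)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 POST {ENDPOINT} 200")
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.4 POST {ENDPOINT} 200")
    return lines


def flag_sources(lines, threshold=50, window=timedelta(minutes=10)):
    """Return {src_ip: peak_count} for sources that sent more than `threshold`
    POSTs to the endpoint inside any sliding `window`. threshold=50 mirrors the
    Splunk query's `where count > 50`; the window is the added generalization."""
    per_src = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or m["path"] != ENDPOINT:
            continue  # unparsable or unrelated line
        per_src[m["src"]].append(datetime.fromisoformat(m["ts"]))

    flagged = {}
    for src, times in per_src.items():
        times.sort()
        recent = deque()  # timestamps inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in flag_sources(make_sample_log()).items():
        print(f"{src}: {count} POSTs to {ENDPOINT} within a 10-minute window")
```

Tune `threshold` and `window` to the appliance's normal login rate; the Splunk query's flat count over the whole search range is the special case of a window as long as the search.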

📚 Suggested Reading & External References

⚠️ Final Thoughts

CitrixBleed 2 is a potent and easy-to-exploit vulnerability that should be treated with the same urgency as Log4Shell or ProxyShell. Its ability to bypass MFA and hijack active sessions means defenders must assume active exploitation and immediately apply patches, implement detections, and purge stale sessions.
