Citrix NetScaler CitrixBleed 2 Session Token Disclosure (CVE-2025-5777)
by win3zz · 2026-05-16
Severity: Critical
CVE: CVE-2025-5777
Category: web
Affected product: Citrix NetScaler ADC / NetScaler Gateway login interface
Affected versions: NetScaler ADC/Gateway 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and 13.1-NDcPP before 13.1-37.235, 12.1-FIPS before 12.1-55.328 (per Citrix advisory CTX693420); 12.1 and 13.0 are end-of-life and receive no fix
Disclosed: 2025-06-17 (Citrix advisory CTX693420); archive entry added 2026-05-16
Patch status: patched
References
- CVE-2025-5777, NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5777
- Citrix advisory CTX693420: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- watchTowr Labs, CitrixBleed 2 technical analysis: https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Source repository, win3zz/CVE-2025-5777: https://github.com/win3zz/CVE-2025-5777
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-05-16 |
| Author / Researcher | win3zz |
| CVE / Advisory | CVE-2025-5777 |
| Category | web |
| Severity | Critical |
| CVSS Score | 9.3 (CVSSv4) |
| Status | Weaponized |
| Tags | citrixbleed2, memory-disclosure, session-hijack, NetScaler, Gateway, unauthenticated |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Citrix NetScaler ADC / NetScaler Gateway login interface |
| Versions Affected | NetScaler ADC/Gateway 14.1 before 14.1-43.56; 13.1 before 13.1-58.32; 13.1-FIPS and 13.1-NDcPP before 13.1-37.235; 12.1-FIPS before 12.1-55.328 (per CTX693420); 12.1 and 13.0 non-FIPS are end-of-life and receive no fix |
| Language / Platform | NetScaler appliance web authentication stack (HTTP/HTTPS); only reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server |
| Authentication Required | No |
| Network Access Required | Yes |
Summary
CVE-2025-5777 (“CitrixBleed 2”) is an unauthenticated out-of-bounds memory read in the authentication handling of Citrix NetScaler ADC and NetScaler Gateway. It is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A single crafted request returns a slice of process memory inside the XML login response; repeating the request walks through changing stack contents that can include active session tokens and credentials. Because a NetScaler session token is accepted as proof of an already-completed logon, replaying a stolen token hijacks that session without credentials and without triggering MFA.
Vulnerability Details
Root Cause
The login form handler behind /p/u/doAuthentication.do echoes the submitted username back into the XML AuthenticateResponse as the <InitialValue> of the username field. When the login parameter arrives as a bare name with no = and no value, the handler still formats the absent value with a %.*s conversion over an uninitialized stack buffer, so the bytes up to the next NUL terminator (up to roughly 127) are copied into <InitialValue>. Every request lands on different stack contents, which is why repeated probing yields different leaks and why the output must be handled as raw bytes rather than text.
Attack Vector
A remote unauthenticated attacker sends repeated crafted POST requests over HTTPS to the authentication endpoint (/p/u/doAuthentication.do with the body consisting of the bare parameter name login, with no = and no value). The attacker harvests the leaked bytes from each response's non-empty <InitialValue> elements and searches the accumulated fragments for valid NetScaler session material, such as NSC_AAAC session cookie values.
Impact
Successful exploitation can disclose session tokens, plaintext credentials, and other sensitive in-memory data. With valid tokens, attackers can hijack authenticated sessions and access protected services without direct credential knowledge.
Environment / Lab Setup
OS: Ubuntu 20.04+ / any Python 3 environment
Target: Authorized Citrix NetScaler ADC/Gateway appliance in vulnerable build range
Attacker: Security testing workstation with network reachability
Tools: Python 3, aiohttp, colorama
Setup Steps
Install the PoC's Python dependencies on the testing workstation: pip install aiohttp colorama
Proof of Concept
Step-by-Step Reproduction
- Confirm authorized scope and identify a reachable NetScaler login endpoint.
- Run the PoC with the target base URL.
- Inspect the <InitialValue> leaks and check for credential/session artifacts across repeated requests.
Exploit Code
See exploit.py in this folder.
Expected Output
[+] Found InitialValue:
00000000: 6e 73 63 5f 61 61 61 3d ... nsc_aaa=...
[+] Leak detected! Continuing to extract...
Screenshots / Evidence
screenshots/: add authorized captures of request/response leakage and the token extraction workflow
Detection & Indicators of Compromise
The probe travels inside the Gateway's TLS session, so a network sensor only sees it where traffic is decrypted (TLS termination in front of the appliance, or a TAP after decryption). The request-side signature below keys on the malformed body: a legitimate logon POST carries login=<user>&passwd=<password>, whereas the probe sends the bare parameter name with no = at all. The original form of this rule matched on the substring login alone and would have fired on every legitimate logon; the negated content match removes that. The higher-confidence indicator is on the response side: an AuthenticateResponse whose <InitialValue> elements are non-empty for a request that supplied no username.
SIEM / IDS Rule (example, Suricata):
alert http any any -> $HOME_NET any (
msg:"Possible CitrixBleed 2 CVE-2025-5777 probe (login parameter without value)";
flow:to_server,established;
http.method; content:"POST";
http.uri; content:"/p/u/doAuthentication.do";
http.client_body; content:"login"; content:!"login=";
classtype:attempted-recon;
sid:95255777; rev:2;
)
Log-side indicators: bursts of POSTs to /p/u/doAuthentication.do from one source with request bodies too short to hold a username and password, and a NetScaler AAA session later presented from a client address other than the one that authenticated it.
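The two log-side indicators above, as an added example that is not part of the archived PoC or of the Citrix advisory. The log lines are constructed for this example in a generic edge-proxy layout (timestamp, client IP, method, path, status, request body bytes, quoted Cookie header); NetScaler's own syslog format differs, so parse_line() is the part to adapt. The body-length threshold, the minimum hit count, and the paths other than /p/u/doAuthentication.do are assumptions.

```python
"""Added example, not part of the archived PoC or the Citrix advisory: two log-side checks for
CVE-2025-5777 activity, run here over constructed log lines. The line layout is a generic
edge-proxy style assumed for the example; adapt parse_line() to what your logging emits."""
import re
from collections import Counter, defaultdict
from typing import Optional

AUTH_PATH = "/p/u/doAuthentication.do"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) '
    r'(?P<body_len>\d+) "(?P<cookie>[^"]*)"$'
)
# NSC_AAAC is the NetScaler AAA session cookie; the value form is whatever the log recorded.
SESSION_RE = re.compile(r"NSC_AAAC=([^;\s]+)")

# Constructed sample (not captured from a real appliance): four bare-"login" probes from one
# source, one legitimate logon (body carries login=...&passwd=...), then the session that logon
# created is presented from the probing host. Paths other than AUTH_PATH are illustrative.
SAMPLE_LOG = """\
2026-05-16T10:00:01Z 203.0.113.7 POST /p/u/doAuthentication.do 200 5 "-"
2026-05-16T10:00:01Z 203.0.113.7 POST /p/u/doAuthentication.do 200 5 "-"
2026-05-16T10:00:02Z 203.0.113.7 POST /p/u/doAuthentication.do 200 5 "-"
2026-05-16T10:00:02Z 203.0.113.7 POST /p/u/doAuthentication.do 200 5 "-"
2026-05-16T10:00:05Z 198.51.100.20 POST /p/u/doAuthentication.do 200 41 "-"
2026-05-16T10:00:09Z 198.51.100.20 GET /vpn/index.html 200 0 "NSC_AAAC=c2Vzc2lvbi10b2tlbi1zYW1wbGU"
2026-05-16T10:01:30Z 203.0.113.7 GET /vpn/index.html 200 0 "NSC_AAAC=c2Vzc2lvbi10b2tlbi1zYW1wbGU"
2026-05-16T10:02:00Z 192.0.2.9 GET /vpn/index.html 200 0 "NSC_AAAC=YW5vdGhlci1zZXNzaW9u"
"""


def parse_line(line: str) -> Optional[dict]:
    """One log line to a record dict, or None when the line does not fit the assumed layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["body_len"] = int(rec["body_len"])
    return rec


def flag_probe_sources(records, min_count: int = 3, max_body: int = 16) -> dict:
    """Sources sending repeated POSTs to the logon handler with bodies too short to hold
    login=<user>&passwd=<pw>. max_body is a tunable assumption; the bare probe body is 5 bytes."""
    hits = Counter(
        r["src"] for r in records
        if r["method"] == "POST" and r["path"] == AUTH_PATH and r["body_len"] <= max_body
    )
    return {src: n for src, n in hits.items() if n >= min_count}


def flag_shared_sessions(records) -> dict:
    """Session cookies presented from more than one client address: the post-exploitation
    signature of a replayed NSC_AAAC token. Hash or truncate cookie values before logging them."""
    seen = defaultdict(set)
    for r in records:
        m = SESSION_RE.search(r["cookie"])
        if m:
            seen[m.group(1)].add(r["src"])
    return {tok: ips for tok, ips in seen.items() if len(ips) > 1}


def run_detection(log_text: str) -> dict:
    """Apply both checks to a block of log text and return the flagged sources and sessions."""
    records = [rec for rec in map(parse_line, log_text.splitlines()) if rec]
    return {
        "probe_sources": flag_probe_sources(records),
        "shared_sessions": flag_shared_sessions(records),
    }


if __name__ == "__main__":
    print(run_detection(SAMPLE_LOG))
```

The session-sharing check is the one that survives a missed or late patch: a token leaked before the upgrade is indistinguishable from the legitimate session until it is used from a second address, so keep that query running across the window in which the appliance was exposed.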
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade to the fixed builds in CTX693420 or later: 14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235, 12.1-FIPS 12.1-55.328; 12.1 and 13.0 non-FIPS are end-of-life and must be migrated to a supported branch |
| Workaround | None published by Citrix. The vulnerable endpoint is the Gateway logon itself, so it cannot be firewalled away without taking the service down; source IP allow-listing on AAA virtual servers that only serve known networks narrows the attacker pool but does not remove the bug |
| Post-patch | Tokens leaked before the upgrade stay valid until their sessions end. After upgrading, terminate active sessions as the advisory directs (kill icaconnection -all and kill pcoipConnection -all), additionally clear AAA sessions (kill aaa session -all) so leaked NSC_AAAC cookies cannot be replayed, then review session logs for sessions presented from a client address other than the one that authenticated them |
Notes
Auto-ingested from https://github.com/win3zz/CVE-2025-5777 on 2026-05-16.