Researchers at watchTowr have released technical details of the "CitrixBleed 2" vulnerability (CVE-2025-5777), which was published on 2025-06-17; those details have in turn led to the development of a Proof of Concept (PoC) exploit.
A technical breakdown of the vulnerability shows that, in short, supplying the vulnerable authentication endpoint "/p/u/doAuthentication.do" with a modified "login" parameter causes memory contents to be leaked. The resulting response contains the contents of an uninitialized local variable: because of the way the compiled code behaves, a portion of the application's memory is copied into the body of the HTTP response and returned to the client.
This is important from a security perspective because the application's memory can contain critical information, including cached login credentials, IP addresses and other sensitive data. Exploitation of this vulnerability can therefore disclose this information to remote, unauthenticated threat actors.
The information provided by Watchtowr has informed the development of a PoC exploit by security researcher Guilherme Nocera. The existence of a PoC means that widespread exploitation of vulnerable devices is now highly likely.
The new vulnerability has some relevant similarities to the original (CVE-2023-4966), which are shown below.
| Aspect | Shared by both vulnerabilities |
|---|---|
| Product Affected | Citrix NetScaler ADC & Gateway |
| Component | Affects devices configured as Gateway or AAA virtual server |
| Vulnerability Type | Out-of-bounds memory read (CWE-125) |
| Exploitation | Remote, unauthenticated, no prior access required |
| Leaked Data | Can include session tokens, credentials, PII, or internal memory |
| Attack Result | Enables session hijacking, MFA bypass, and lateral movement |
| Exploit Vector | Involves sending crafted HTTP requests to vulnerable endpoints (/vpn/, /aaa/, etc.) |
| Mitigation | Requires patch + session termination (kill icaconnection -all) |
| Severity | Both rated CRITICAL (CVSS ≥ 9) |
However, there are some key differences in the nature of the exploit, and these also affect detection. In particular, the new exploit allows larger, arbitrary chunks of memory to be leaked than the original did.
| Vulnerability | CitrixBleed 1 (CVE-2023-4966) | CitrixBleed 2 (CVE-2025-5777) |
|---|---|---|
| Discovered | Late 2023 | July 2025 |
| Public Exploitation | Actively exploited before patch disclosure | Signs of scanning and early exploitation within days of disclosure |
| Root Cause | Improper handling of session tokens (session memory exposure through Host: headers and other fields) | Similar memory exposure but different buffer overrun condition—distinct vulnerable code path |
| Patch Timeline | Fixed Oct 2023 | Fixed July 2, 2025 |
| Detection Difficulty | Logs often lacked detail—hard to detect without full memory analysis | Some logs may show unusual URI patterns so detection is possible |
| PoC Behavior | Specific to leaking session IDs and CSRF tokens | Designed to brute-force memory windows, possibly leaking larger arbitrary memory chunks |
| Exploit Names | "CitrixBleed" (coined by Mandiant) | "CitrixBleed 2" (community-named due to technical resemblance) |
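The two observable behaviours the comparison table attributes to the new exploit, unusual request patterns against the authentication endpoint and brute-forcing of memory windows, can be turned into log-based detection. The script below is an added example and is not code from this advisory, from watchTowr, or from Citrix. It assumes a combined-log-style access log from a proxy or WAF sitting in front of the gateway (NetScaler's own logs differ, so `parse_line()` would need adapting); the log format, the two heuristic rules, the thresholds and the sample lines are all constructed assumptions. Only the endpoint path `/p/u/doAuthentication.do` comes from the write-up.

```python
"""Heuristic detection of CitrixBleed 2-style probing in HTTP access logs.

Added example; not code from the advisory, watchTowr, or Citrix. The log
format, thresholds, rules and sample lines are assumptions constructed for
illustration; adapt parse_line() to the proxy/WAF log you actually collect.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the write-up as the vulnerable authentication handler.
AUTH_ENDPOINT = "/p/u/doAuthentication.do"

# Assumed combined-log-like line: ip ident user [ts] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def detect(lines, burst_threshold=20, window=timedelta(seconds=60), size_factor=3.0):
    """Return a list of (rule, source_ip, detail) findings for auth-endpoint traffic.

    Heuristics (assumptions of this example, not vendor signatures):
      burst       at least burst_threshold requests to the auth endpoint from one
                  source within `window`; matches the "brute-force memory windows"
                  behaviour the table describes for the PoC.
      large_resp  a response from the auth endpoint more than size_factor times the
                  baseline size; leaked memory is returned in the body, so the
                  response grows. Baseline = median size from non-bursting sources.
    """
    auth = [r for r in map(parse_line, lines) if r and r["path"] == AUTH_ENDPOINT]
    findings = []

    # Rule 1: sliding-window request burst per source IP.
    stamps_by_ip = defaultdict(list)
    for r in auth:
        stamps_by_ip[r["ip"]].append(r["ts"])
    bursting = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                bursting.add(ip)
                findings.append(("burst", ip, f"{end - start + 1} auth requests within {window}"))
                break

    # Rule 2: response-size outlier against a baseline drawn from quiet sources only,
    # so a source that is already hammering the endpoint cannot skew the median.
    quiet = sorted(r["bytes"] for r in auth if r["ip"] not in bursting)
    baseline = quiet[len(quiet) // 2] if quiet else None
    if baseline:
        worst = {}
        for r in auth:
            if r["bytes"] > size_factor * baseline:
                worst[r["ip"]] = max(worst.get(r["ip"], 0), r["bytes"])
        for ip, size in worst.items():
            findings.append(("large_resp", ip, f"response of {size} bytes vs baseline {baseline}"))
    return findings


def sample_lines():
    """Constructed log lines (TEST-NET addresses): five ordinary logins, then a
    25-request burst with oversized responses from one source."""
    lines = []
    for i in range(5):
        lines.append(
            f'198.51.100.{i + 1} - - [01/Jul/2025:09:0{i}:00 +0000] '
            f'"POST {AUTH_ENDPOINT} HTTP/1.1" 200 312'
        )
    for i in range(25):
        lines.append(
            f'203.0.113.7 - - [01/Jul/2025:09:10:{i:02d} +0000] '
            f'"POST {AUTH_ENDPOINT} HTTP/1.1" 200 4096'
        )
    lines.append('203.0.113.7 - - [01/Jul/2025:09:11:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 2210')
    return lines


if __name__ == "__main__":
    for rule, ip, detail in detect(sample_lines()):
        print(f"{rule:10s} {ip:15s} {detail}")
```

Tune `burst_threshold` and `size_factor` against a known-clean period before relying on the size rule, since legitimate response sizes vary between deployments. A hit on either rule on an unpatched appliance warrants patching followed by the session termination step the table names (`kill icaconnection -all`), because any sessions established before the patch may already have been exposed.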
As noted above, there is no mitigation for unpatched devices other than applying the patch, so updating to the latest fixed version is strongly recommended, as set out in our advisory on the vulnerability.
Please refer to our original advisory for guidance on updating any vulnerable devices.