Full Report
# CitrixBleed 2: Electric Boogaloo — CVE-2025-5777

Remember CitrixBleed, the vulnerability where a simple HTTP request would dump memory, revealing session tokens? That was CVE-2023-4966. It's back like Kanye West returning to Twitter about two years later, this time as CVE-2025-5777.

You may have missed it, as the original CVE on 17th June 2025 referred to the "Netscaler Management Interface", which you shouldn't expose to the internet. However, last night the CVE was updated to remove the Management Interface from the description.

The vulnerability allows an attacker to read memory from the Netscaler when it is configured as a Gateway or AAA virtual server, that is, remote access via Citrix, RDP etc. It's an extremely common setup in large organisations.

Example Shodan search: `http.favicon.hash:-1292923998,-1166125415`

The memory may include sensitive information. Session tokens can be replayed to steal Citrix sessions, bypassing MFA. That was the problem with CitrixBleed.

The vulnerability is exploitable remotely and without authentication.

Citrix also say:

> Additionally, we recommend running the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:
>
> `kill icaconnection -all`
> `kill pcoipConnection -all`
>
> Please ensure that the formatting remains intact as you copy and paste these commands.

With CitrixBleed, they also recommended you terminate active sessions after patching.

## What you should do

Calmly identify internet exposed Citrix Netscaler boxes, apply the patches and terminate sessions, ideally as soon as possible.

With Shodan you can run a search like `org:YourOrg http.favicon.hash:-1292923998,-1166125415` or `ssl:YourOrg html:Citrix`.

## Has this been exploited in the wild?

Citrix say not yet. However, with CitrixBleed, they said the same thing.

Since there is currently no detection guidance, I would recommend organisations patch, unless they want to become the detection in the wild after a security incident.

## Who discovered the vulnerability

Citrix credit Positive Technologies and ITA MOD CERT (CERTDIFESA) for two different CVEs; it is unclear who discovered CVE-2025-5777 specifically.

## Updates

You can follow me for updates on Mastodon if you're really bored, where I said this was coming last week: https://cyberplace.social/invite/BeKU6RCG

CitrixBleed 2: Electric Boogaloo — CVE-2025-5777 was originally published in DoublePulsar on Medium.
Analysis Summary
# Vulnerability: CitrixBleed 2 (Memory Disclosure on NetScaler Gateway / AAA Virtual Servers)
## CVE Details
- CVE ID: CVE-2025-5777
- CVSS Score: Not reproduced in the post text (the post shows a screenshot of the CVSS entry); the official score is in the vendor advisory under References. The post characterises the bug as remotely exploitable without authentication.
- CWE: Not reproduced in the post text (the post shows a screenshot of the CWE entry); the bug class is memory disclosure, i.e. information exposure.
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway (the current names for what were branded Citrix ADC and Citrix Gateway between 2018 and 2023)
- Versions: Not listed in the post; the fixed builds are in the vendor advisory under References.
- Configurations: Vulnerable when the appliance is configured as a Gateway (e.g. Citrix or RDP remote access) or as an AAA virtual server, a very common setup in large organisations. The CVE description as first published on 17 June 2025 referred only to the NetScaler Management Interface, which should never be internet-exposed; it was later amended to drop that restriction, which is why the issue was easy to miss.
## Vulnerability Description
This vulnerability, the successor to CVE-2023-4966 (CitrixBleed), allows an unauthenticated remote attacker to read memory from a NetScaler appliance that is serving as a Gateway or AAA virtual server. The disclosed memory can contain sensitive data, most notably session tokens, which can be replayed to hijack users' Citrix sessions without needing to pass MFA.
## Exploitation
- Status: Citrix has stated it is **not yet** exploited in the wild. Citrix said the same about the original CitrixBleed, which was subsequently exploited at scale, so treat that statement as a snapshot rather than a guarantee.
- Complexity: **Low**. The post says the bug is exploitable remotely without authentication; the original CitrixBleed needed only a single crafted HTTP request.
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: **High**. Leaked session tokens can be replayed to hijack authenticated user sessions.
- Integrity: **Medium/High**. A hijacked session lets the attacker act as the user on whatever the Gateway fronts, with MFA already satisfied.
- Availability: Not discussed in the post; the bug is an information disclosure, not a denial of service.
## Remediation
### Patches
- Fixed build numbers are not listed in the post; upgrade to the vendor's fixed builds for CVE-2025-5777 (see the vendor advisory under References). In an HA pair or cluster, upgrade every node before moving on to session termination.
### Workarounds
- No workaround is described in the post; the only mitigation is patching. Because tokens may already have been read out of memory before the patch was applied, the vendor guidance is to invalidate them afterwards:
1. Upgrade all NetScaler appliances in the HA pair or cluster to the fixed builds.
2. Then, on the NetScaler CLI, terminate all active ICA and PCoIP sessions (copy the commands exactly; Citrix warns that the formatting must stay intact):
   `kill icaconnection -all`
   `kill pcoipConnection -all`
- The quoted commands cover ICA and PCoIP connections only. For the original CitrixBleed, Citrix's guidance additionally cleared AAA sessions and load-balancer persistence sessions (`kill aaa session -all`, `clear lb persistentSessions`); check the current advisory for the full list rather than relying on the excerpt in the post.
## Detection
- **Indicators of Compromise (IOCs):** None provided; Citrix had not released detection guidance at the time of the post.
- **Detection methods and tools:** None available at the time of the post. The advice is to patch now rather than wait for signatures, because without detection guidance the first indicator many organisations will see is the incident itself.
- **Exposure discovery:** Shodan can enumerate internet-exposed NetScaler Gateway/AAA front ends by favicon hash, or by organisation name in the certificate plus "Citrix" in the page body:
  * `org:YourOrg http.favicon.hash:-1292923998,-1166125415`
  * `ssl:YourOrg html:Citrix`
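The Shodan queries above key on a favicon hash. The block below is added here as an example; it is not code from the post, from Citrix or from Shodan. It shows how that hash is derived (MurmurHash3 x86_32 over the base64 text of the icon, which is Shodan's convention) so you can compute it for a favicon pulled from your own appliance, check a fetched icon against the two hashes in the post, and build the org-scoped query. The function names are this example's own, and the favicon bytes in the `__main__` block are constructed, not a real NetScaler icon.

```python
import base64
import struct


def murmurhash3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 of `data`, returned as a *signed* 32-bit integer.

    Shodan publishes favicon hashes as signed values (e.g. -1292923998), which is
    the convention of the mmh3 library; this pure-Python version avoids that
    dependency so the check runs anywhere.
    """
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4

    # Body: consume 4-byte little-endian blocks.
    for i in range(nblocks):
        k = struct.unpack_from("<I", data, i * 4)[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask

    # Tail: up to 3 leftover bytes, mixed in without the rotate/multiply-add step.
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k

    # Finalisation: fold in the length, then the avalanche mix.
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h - (1 << 32) if h & 0x80000000 else h


def shodan_favicon_hash(favicon: bytes) -> int:
    """Hash a favicon the way Shodan indexes it.

    Shodan hashes the *base64 text* of the icon, wrapped at 76 characters with a
    trailing newline (what base64.encodebytes / codecs "base64" produce), not the
    raw image bytes. Hashing the raw bytes gives a different value and the
    resulting Shodan query silently matches nothing.
    """
    return murmurhash3_x86_32(base64.encodebytes(favicon))


# The two favicon hashes from the post's Shodan query.
NETSCALER_FAVICON_HASHES = {-1292923998, -1166125415}


def is_known_netscaler_favicon(favicon: bytes) -> bool:
    """True if a favicon fetched from a host hashes to one of the values in the post."""
    return shodan_favicon_hash(favicon) in NETSCALER_FAVICON_HASHES


def shodan_query(org: str, hashes=NETSCALER_FAVICON_HASHES) -> str:
    """Build the org-scoped query from the post from a set of favicon hashes."""
    joined = ",".join(str(h) for h in sorted(hashes))
    return f"org:{org} http.favicon.hash:{joined}"


if __name__ == "__main__":
    # Constructed sample bytes (an ICO-like header plus filler), not a real NetScaler icon.
    sample = b"\x00\x00\x01\x00\x01\x00\x10\x10" + bytes(range(64))
    print("raw-bytes hash   :", murmurhash3_x86_32(sample))
    print("shodan-style hash:", shodan_favicon_hash(sample))
    print("known NetScaler favicon:", is_known_netscaler_favicon(sample))
    print(shodan_query("YourOrg"))
```

Fetch `/favicon.ico` from a NetScaler front end you own, pass the bytes to `shodan_favicon_hash`, and feed the result to `shodan_query` if your build's icon does not match the two hashes in the post. The hash function is checked against the published MurmurHash3 test vectors, so a mismatch between your value and Shodan's almost always means the raw bytes were hashed instead of the base64 text.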
## References
- Vendor Advisory Link (Defanged): hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- Author Mastodon Update (Defanged): hxxps://cyberplace.social/invite/BeKU6RCG