Full Report
Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens. [...]
Analysis Summary
# Vulnerability: Citrix NetScaler Memory Disclosure Vulnerability (CitrixBleed 2)
## CVE Details
- CVE ID: CVE-2025-5777 (Inferred, as only one CVE is explicitly mentioned as patched)
- CVSS Score: Not explicitly provided in the text.
- CWE: Not explicitly provided in the text.
## Affected Systems
- Products: Citrix NetScaler (Specific product names not fully detailed, but implies gateway functionality)
- Versions: Vulnerable versions for CVE-2025-5777 are not listed, only that patches are available.
- Configurations: Implicated in environments using ICA/PCoIP sessions.
## Vulnerability Description
The vulnerability is a security flaw in Citrix NetScaler that allows an unauthenticated attacker to potentially dump memory, leading to session hijacking, similar to the previous "CitrixBleed" findings. Attackers can leverage this bug by manipulating request parameters to read sensitive information from the application's memory space.
## Exploitation
- Status: Exploited in the wild (actively exploited since mid-June according to researcher Kevin Beaumont).
- Complexity: Implied to be Low, as public exploits are available.
- Attack Vector: Network (implied, targeting NetScaler)
## Impact
- Confidentiality: High (Memory dumping and session hijacking implies access to sensitive data).
- Integrity: High (Session hijacking allows for impersonation).
- Availability: Unknown/Not the primary focus, but exploitation could disrupt service.
## Remediation
### Patches
- Patches released by Citrix for CVE-2025-5777. All organizations are urged to apply them immediately.
### Workarounds
- Terminate all active ICA and PCoIP sessions.
- Review existing sessions for any suspicious activity *before* termination.
## Detection
- **Indicators of Compromise (IOCs)** (Reported by Kevin Beaumont):
  - In NetScaler logs, repeated POST requests to `doAuthentication`, where each yields 126 bytes of RAM.
  - In NetScaler logs, requests to `doAuthentication.do` with `"Content-Length: 5"`.
  - In NetScaler user logs, lines containing `LOGOFF` where `user = "*#*"` (i.e., the hash symbol `#` appears in the username field, indicating RAM being written to the wrong field).
- **Detection methods and tools**: Review NetScaler access and user logs for the specific patterns listed above.
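The three log patterns above can be turned into a small triage script. The following is an added example, not code from the article or from the researcher it cites; the log lines it scans are constructed and deliberately simplified (one request per line as `src method path content_length`, and a syslog-style user log quoting `user = "..."`), so the two regexes must be adapted to the real NetScaler access and user log formats. The repeat threshold of 3 is an assumed value chosen for the sample data.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample access log (NOT real NetScaler output).
# Format assumed here: "src method path content_length".
ACCESS_LOG = """\
203.0.113.10 POST /p/u/doAuthentication.do 5
203.0.113.10 POST /p/u/doAuthentication.do 5
203.0.113.10 POST /p/u/doAuthentication.do 5
198.51.100.7 POST /p/u/doAuthentication.do 87
198.51.100.7 GET /vpn/index.html 0
"""

# Constructed sample user log (NOT real NetScaler output).
# The second line models a username field that received leaked memory.
USER_LOG = r"""2025-06-30T10:00:05Z ns1 SSLVPN LOGOFF : user = "alice" - client_ip = 198.51.100.7
2025-06-30T10:00:06Z ns1 SSLVPN LOGOFF : user = "#\x00\x08#" - client_ip = 203.0.113.10
2025-06-30T10:00:07Z ns1 SSLVPN LOGIN : user = "bob" - client_ip = 198.51.100.8
"""

ACCESS_RE = re.compile(r"^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<clen>\d+)$")
# Only LOGOFF lines matter for the third indicator; capture the quoted user field.
USER_RE = re.compile(r"\bLOGOFF\b.*?user = \"(?P<user>[^\"]*)\"")


def parse_access(text: str) -> List[Dict]:
    """Parse the simplified access log into records; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            records.append({"src": m["src"], "method": m["method"],
                            "path": m["path"], "clen": int(m["clen"])})
    return records


def doauth_post_counts(records: List[Dict]) -> Counter:
    """Indicator 1: how many POSTs to doAuthentication each source sent."""
    return Counter(r["src"] for r in records
                   if r["method"] == "POST" and "doAuthentication" in r["path"])


def short_doauth_requests(records: List[Dict]) -> List[Dict]:
    """Indicator 2: doAuthentication.do requests carrying Content-Length: 5."""
    return [r for r in records
            if r["path"].endswith("doAuthentication.do") and r["clen"] == 5]


def tainted_logoffs(text: str) -> List[str]:
    """Indicator 3: LOGOFF lines whose user field contains '#'."""
    hits = []
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m and "#" in m["user"]:
            hits.append(line)
    return hits


def scan(access_text: str, user_text: str, repeat_threshold: int = 3) -> Dict:
    """Summarise all three indicators; repeat_threshold is an assumed tuning value."""
    records = parse_access(access_text)
    counts = doauth_post_counts(records)
    return {
        "repeated_doauth_sources": sorted(s for s, n in counts.items() if n >= repeat_threshold),
        "content_length_5": len(short_doauth_requests(records)),
        "tainted_logoffs": len(tainted_logoffs(user_text)),
    }


if __name__ == "__main__":
    for key, value in scan(ACCESS_LOG, USER_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the script flags one source for repeated `doAuthentication` POSTs, three requests with `Content-Length: 5`, and one `LOGOFF` line with a `#` in the username field. A single hit on any of the three is worth a look, but the combination from one client address is the pattern the indicators describe.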
## References
- Vendor Advisories: Citrix (Implied, as they released patches for CVE-2025-5777)
- Relevant links:
  - bleepingcomputer.com/news/security/public-exploits-released-for-citrixbleed-2-netscaler-flaw-patch-now/
  - infosec.exchange/@[email protected]/114811856550190017 (Researcher dispute/details)