Article Details
Scrape Timestamp (UTC): 2025-07-07 20:37:34.523
Source: https://www.theregister.com/2025/07/07/citrixbleed_2_exploits/
Original Article Text
CitrixBleed 2 exploits are on the loose as security researchers yell and wave their hands.
NetScaler vendor issued a patch but otherwise, stony silence.

Multiple exploits are circulating for CVE-2025-5777, a critical bug in Citrix NetScaler ADC and NetScaler Gateway dubbed CitrixBleed 2, and security analysts are warning a "significant portion" of users still haven't patched.

CVE-2025-5777 is a 9.3 CVSS-rated security flaw that allows remote, unauthenticated attackers to read sensitive info — such as session tokens — in memory from NetScaler devices configured as a gateway (such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Miscreants can abuse this vuln to bypass multi-factor authentication (MFA), hijack user sessions, and access critical systems.

The vendor disclosed and issued a patch for CVE-2025-5777 last month, but despite multiple reports indicating in-the-wild exploitation, plus proof-of-concept (POC) exploits, Citrix still hasn't responded to The Register's inquiries about the bug and the scope of the attacks.

It all sounds very similar to an earlier flaw, dubbed CitrixBleed, which also allowed attackers to access a device's memory, find session tokens, and then use those to impersonate an authenticated user while bypassing MFA, despite Citrix's insistence that the two are not related. CitrixBleed was widely exploited by nation-state spies and ransomware groups. So CitrixBleed 2 is not a security hole that organizations want to leave open.

However, a "significant portion of the Citrix NetScaler user base … have still not patched" CVE-2025-5777, according to watchTowr Labs researchers. On Friday, the team released their vulnerability analysis and POC, and told The Register that the bug is "trivial" to exploit. "Previously, we stated that we had no intention to release this vulnerability analysis," the researchers noted.
However, "minimal" information sharing about the flaw "puts these users in a tough position when determining if they need to sound an internal alarm," the watchTowr bug hunters said, noting that the technical write-up and POC can help defenders, and not just "bad people," identify vulnerable systems.

Then on Monday, another security firm, Horizon3.ai, published its own working exploit, and Wiz researchers warned "by now threat actors are likely to be including it in their toolkits as well." Of course, there's nothing to stop bad people from using any of these POCs for nefarious purposes, so please follow Citrix's recommendations ASAP.

The exploit works like this. First, an attacker sends a specially crafted HTTP request with a missing login value to the Citrix Gateway login endpoint. Because the value for the login parameter is missing, the server responds with whatever data was in memory. As watchTowr explains: "when the input is partially formed or missing, the backend doesn't safely zero out or initialize the corresponding memory, and we end up leaking whatever residual data happened to occupy that memory space."

By sending repeated requests to the endpoint, an attacker can potentially force the vulnerable device to leak session tokens in memory, and then use these to hijack sessions. During its test, watchTowr notes, no cookies, session IDs, or passwords were found in the leaked data. But, "since this is a memory leak and inherently non-deterministic, there's always a chance that running the tool for a longer period might eventually surface something more valuable."

"Or to be clearer," the watchTowr analysis continues, "we believe, for reasons, that 'production' environments with VPN connections established would allow us to more trivially see sensitive information within captured memory leaks."
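Because the technique described above relies on repeated requests to the gateway login endpoint with the login value missing, a defender who fronts NetScaler with a proxy or WAF that logs request bodies can hunt for that pattern. The following is an added detection example, not code from The Register, watchTowr or Citrix; the log line format, the placeholder endpoint path, the sample entries and the alert threshold are all assumptions.

```python
"""Added example (not from the article or any vendor): flag source addresses
that repeatedly hit the gateway login endpoint without a login value."""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed: a reverse-proxy/WAF log recording timestamp, source, method, path and
# POST body. The path is a placeholder, not the real NetScaler endpoint.
LOGIN_ENDPOINT = "/GATEWAY_LOGIN_ENDPOINT_PLACEHOLDER"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """True for a POST to the login endpoint whose body has no login value."""
    if rec["method"] != "POST" or rec["path"] != LOGIN_ENDPOINT:
        return False
    params = parse_qs(rec["body"], keep_blank_values=True)
    # 'login' absent, or present with an empty value (e.g. body "login"), both count.
    return not params.get("login", [""])[0]

def find_probing_sources(lines, threshold=5):
    """Return {src: count} for sources with at least `threshold` suspicious requests."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample log: one normal login, one source repeating malformed
# requests, and one unrelated GET. Addresses are documentation ranges.
SAMPLE_LOG = (
    [f'2025-07-07T10:00:00Z 198.51.100.7 POST {LOGIN_ENDPOINT} body="login=alice&passwd=x"']
    + [f'2025-07-07T10:00:{i:02d}Z 203.0.113.9 POST {LOGIN_ENDPOINT} body="login"'
       for i in range(1, 7)]
    + ['2025-07-07T10:01:00Z 192.0.2.4 GET /index.html body=""']
)

if __name__ == "__main__":
    print(find_probing_sources(SAMPLE_LOG))  # {'203.0.113.9': 6}
```

A single malformed request is not proof of exploitation; the per-source count is what separates a probing client from a user who mistyped the form.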
Daily Brief Summary
CVE-2025-5777, known as CitrixBleed 2, is a critical security flaw in Citrix NetScaler devices, rated 9.3 CVSS, allowing attackers to access sensitive information.
Despite the availability of patches, a significant number of Citrix users have not updated their systems, leaving them vulnerable to attacks.
Exploits for this vulnerability are actively circulating, with security firms releasing vulnerability analyses and proof-of-concept tools.
CitrixBleed 2 enables attackers to bypass multi-factor authentication, hijack user sessions, and potentially gain access to critical systems.
The exploit involves sending malformed HTTP requests to Citrix gateways, which then leak session tokens and other sensitive data due to improper memory handling.
Security researchers from watchTowr and Horizon3.ai have detailed the exploit process, emphasizing its simplicity and high potential for abuse.
Citrix has yet to respond with comments regarding the extent of the attacks or additional mitigation measures since the initial patch release.