CitrixBleed 2 CVE-2025-5777: Active Exploitation and Risks

Updated: July 15, 2025
Background and Timeline
On June 17, 2025, Citrix released security bulletin CXA-2025-06 addressing CVE-2025-5777, a high-severity (CVSS 9.2) memory‐disclosure bug in NetScaler ADC and NetScaler Gateway appliances. Nine days later the vendor stated it was “currently unaware of any evidence of in-the-wild exploitation.” Contrary to that advisory, telemetry from multiple independent sources indicates that threat actors began weaponizing the flaw as early as June 23, 2025.
How CitrixBleed 2 Works
CitrixBleed 2 reintroduces the memory-leak pattern first seen in CVE-2023-4966 (“CitrixBleed”), which in 2023 impacted over 20,000 servers worldwide. Attackers send a flood of malformed doAuthentication.do requests over HTTPS. Due to an off-by-one error in the ns_s_ike_packet.c parsing routine, each crafted request causes the device to “bleed” small blocks of heap memory back to the client.
- Attacker sends repeated authentication requests with deliberately truncated headers.
- NetScaler ADC leaks ~16–64 bytes of memory per request.
- By aggregating responses, the attacker reconstructs session tokens and admin credentials.
Evidence of Active Exploitation
Security firm GreyNoise reported anomalous traffic patterns to honeypots mimicking NetScaler appliances beginning July 1. Independent researcher Kevin Beaumont corroborated these findings, tracing similar exploitation attempts back to June 23 via telemetry from globally distributed honeypot sensors. Exploit activity consistently targets TCP port 443 and leverages HTTP/1.1 pipelining to accelerate memory-disclosure sampling at a rate of thousands of requests per hour.
Impacted Versions and Patch Details
- NetScaler ADC < 14.1-61.21
- NetScaler Gateway < 13.0-90.22
- Fixed in 14.1-61.22, 13.0-90.23 and later
Citrix also released CLI scripts to automate patch verification and a hotfix installer for environments running nsroot in UEFI mode.
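The version list above is easy to misread when checked by hand or with a plain string comparison (lexically, "90.9" sorts after "90.23"). The script below is an added example, not Citrix's own verification tooling: it parses NetScaler build strings of the form major.minor-build.sub into numeric tuples and classifies each appliance in a constructed inventory against the fixed builds quoted in this article. Any build below the fixed build for its branch is reported as vulnerable, and branches the article does not list are flagged for manual review rather than silently passed. Hostnames and the inventory values are constructed for the demonstration.

```python
# Added example (not Citrix's tooling): classify NetScaler build strings
# against the fixed builds named in this article.
import re
from typing import Dict, Tuple

# Fixed builds as stated in the article, keyed by release branch.
FIXED_BUILDS = {
    "14.1": "14.1-61.22",
    "13.0": "13.0-90.23",
}

# Build strings look like "14.1-61.22": major.minor-build.sub
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a NetScaler build string into a numerically comparable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(p) for p in m.groups())
    return (major, minor, build, sub)


def branch_of(version: str) -> str:
    """Release branch ('14.1', '13.0', ...) of a build string."""
    major, minor, _, _ = parse_version(version)
    return f"{major}.{minor}"


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one build string."""
    fixed = FIXED_BUILDS.get(branch_of(version))
    if fixed is None:
        # Branch not covered by the article's fix table: needs manual review.
        return "unknown-branch"
    # Numeric tuple comparison, so 13.0-90.9 is correctly below 13.0-90.23.
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: build} inventory."""
    return {host: assess(build) for host, build in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are illustrative only.
    sample = {
        "adc-edge-01": "14.1-61.21",
        "adc-edge-02": "14.1-61.22",
        "gw-dc-01": "13.0-90.9",
        "gw-dc-02": "13.0-90.23",
        "lab-box": "13.1-50.10",   # constructed build on a branch the article does not list
    }
    for host, status in triage(sample).items():
        print(f"{host:12s} {sample[host]:12s} {status}")
```

Feed it the output of your asset inventory rather than the constructed dict; the point is that the comparison is done on the parsed numbers and that an unlisted branch surfaces as a finding instead of disappearing.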
Mitigation and Response Strategies
Beyond patching, organizations should:
- Inspect Web Application Firewall (WAF) logs for high-volume doAuthentication.do requests missing the nsgwd-cookie header.
- Deploy IPS signatures that detect anomalous NS code-page reads.
- Enable Secure Boot and HMAC verification on appliance firmware to guard against post-exploit persistence.
- Conduct memory forensics to recover pre-patched heap dumps for indicators of compromise (IoCs).
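The first mitigation above, together with the attack pattern described under "How CitrixBleed 2 Works" (repeated authentication requests, thousands per hour), translates directly into a rate-based detection. The detector below is an added example and is not Citrix's or any vendor's code: it reads log lines, keeps only doAuthentication.do requests that lack the nsgwd-cookie header, and flags any client that sends more than a threshold of them inside a sliding 60-second window. The JSON-lines log format, field names (ts, src, path, headers), the threshold and the sample traffic are all constructed for the example; a real NetScaler or WAF export will need its own parse_line().

```python
# Added example (not from the article or Citrix): sliding-window detector for
# high-volume header-less doAuthentication.do requests per client.
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List

WINDOW_SECONDS = 60     # sliding window length
THRESHOLD = 20          # more than this many suspect requests per window trips the alert
COOKIE_HEADER = "nsgwd-cookie"


def parse_line(line: str) -> dict:
    """Parse one constructed JSON log line. Adapt this to your real log format."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["headers"] = {h.lower() for h in rec.get("headers", [])}
    return rec


def is_suspect(rec: dict) -> bool:
    """Authentication request without the nsgwd-cookie header."""
    return rec["path"].endswith("doAuthentication.do") and COOKIE_HEADER not in rec["headers"]


def detect(lines: Iterable[str]) -> Dict[str, int]:
    """Return {client_ip: peak_window_count} for clients exceeding THRESHOLD."""
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if not is_suspect(rec):
            continue
        q = windows[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that have fallen out of the window for this client.
        while q and (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > THRESHOLD:
            peaks[rec["src"]] = max(peaks.get(rec["src"], 0), len(q))
    return peaks


def sample_lines() -> List[str]:
    """Constructed traffic: one burst source, one normal user, one slow source."""
    base = datetime(2025, 7, 1, 12, 0, 0, tzinfo=timezone.utc)

    def rec(ts: datetime, src: str, headers: List[str]) -> str:
        return json.dumps({"ts": ts.isoformat(), "src": src,
                           "path": "/p/u/doAuthentication.do", "headers": headers})

    lines = []
    # 25 header-less requests in 25 seconds from a single client (constructed).
    lines += [rec(base + timedelta(seconds=i), "198.51.100.7", ["Host", "Content-Length"])
              for i in range(25)]
    # 3 ordinary logins carrying the cookie header (constructed).
    lines += [rec(base + timedelta(seconds=10 * i), "203.0.113.4", ["Host", "nsgwd-cookie"])
              for i in range(3)]
    # 5 header-less requests spread over 5 minutes: below the rate threshold (constructed).
    lines += [rec(base + timedelta(minutes=i), "192.0.2.9", ["Host"]) for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, peak in detect(sample_lines()).items():
        print(f"ALERT {ip}: {peak} header-less auth requests within {WINDOW_SECONDS}s")
```

Timestamps must be processed in order per client for the window eviction to be correct, which is the case for a normal log export. The alert carries the peak in-window count so an analyst can see how far above baseline a source went, which helps separate a misconfigured client from sustained sampling.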
“Merely applying the patch isn’t sufficient. Defenders must validate whether credential material has already been siphoned,” said Dr. Emily Fu, lead researcher at Horizon3.ai.
Technical Deep Dive: Memory Leak Mechanism
In affected NetScaler builds, parse_auth_request() fails to zero out an internal char buf[128] buffer on error. Attackers exploit this by sending requests with Content-Length mismatches, triggering partial reads that echo residual heap contents. Detailed reverse engineering shows that the leaked data often includes portions of struct session_admin and session_token objects in memory, simplifying credential reconstruction.
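To make the two defects described above concrete, here is an added, deliberately simplified model written for this article; it is not NetScaler's code and the class, method and field names are invented. A fixed 128-byte buffer is reused across requests, standing in for the char buf[128] above. The vulnerable handler trusts the declared Content-Length when it echoes the request back, so when fewer bytes arrive than declared the response carries whatever the previous request left in the buffer; it also returns from its error path without clearing the buffer. The hardened handler bounds the echo by the bytes actually received and wipes the buffer on every exit, including errors. The request bodies are constructed sample values.

```python
# Added example: a simplified model (not NetScaler's code) of the residual-buffer
# disclosure described in the deep dive, with the vulnerable and hardened handlers
# side by side.
BUF_SIZE = 128


class AuthServerModel:
    def __init__(self) -> None:
        # One reusable buffer standing in for a heap-allocated char buf[128].
        self.buf = bytearray(BUF_SIZE)

    def _receive(self, body: bytes) -> int:
        """Copy the received body into the buffer; return bytes actually read."""
        n = min(len(body), BUF_SIZE)
        self.buf[:n] = body[:n]
        return n

    def handle_vulnerable(self, content_length: int, body: bytes) -> bytes:
        """Echo the login field back using the DECLARED length (the defect)."""
        self._receive(body)
        if content_length > BUF_SIZE:
            # Error path: rejects the request but never clears the buffer.
            return b"ERR: body too large"
        # Bytes beyond len(body) are stale residue from earlier requests.
        return b"ERR: bad login " + bytes(self.buf[:content_length])

    def handle_fixed(self, content_length: int, body: bytes) -> bytes:
        """Echo only what was read, and zero the buffer on every exit."""
        n = self._receive(body)
        try:
            if content_length != n:
                return b"ERR: length mismatch"
            return b"ERR: bad login " + bytes(self.buf[:n])
        finally:
            self.buf[:] = bytes(BUF_SIZE)  # explicit wipe; nothing survives for the next request


# Constructed sample values: a legitimate login followed by a short body whose
# declared Content-Length overstates what was sent.
LEGIT_BODY = b"login=alice&passwd=hunter2"
SHORT_BODY = b"x=1;"
OVERSTATED_LENGTH = 64


def demo_leak() -> bytes:
    """Vulnerable handler: second response contains residue of the first request."""
    srv = AuthServerModel()
    srv.handle_vulnerable(len(LEGIT_BODY), LEGIT_BODY)
    return srv.handle_vulnerable(OVERSTATED_LENGTH, SHORT_BODY)


def demo_fixed() -> bytes:
    """Hardened handler: mismatch is rejected and the buffer was wiped anyway."""
    srv = AuthServerModel()
    srv.handle_fixed(len(LEGIT_BODY), LEGIT_BODY)
    return srv.handle_fixed(OVERSTATED_LENGTH, SHORT_BODY)


if __name__ == "__main__":
    print("vulnerable:", demo_leak())
    print("fixed:     ", demo_fixed())
```

Two independent fixes are shown because either one alone leaves a gap: bounding the echo by bytes actually read stops this request from reading past the data it received, and wiping the buffer on every path means that even a future bounds mistake has nothing useful left to expose. Memory forensics on an unpatched appliance looks for exactly the kind of residue the vulnerable path returns.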
Implications for Enterprise Security Posture
CitrixBleed 2 highlights the ongoing risk in appliance‐based network services. Many enterprises treat ADCs as “set-and-forget” infrastructure, delaying regular firmware reviews. Given the role of NetScaler in global load balancing, any compromise can facilitate lateral movement, data exfiltration, and supply-chain attacks.
Expert Recommendations
- Anton Chuvakin, SANS Institute: “Maintain an asset inventory that tracks appliance firmware versions and schedule quarterly vulnerability scans.”
- Jessica Barker, CISO Council: “Invest in robust MFA solutions that can detect and throttle abnormal authentication patterns, not just rely on static tokens.”
Conclusion
CitrixBleed 2 demonstrates that memory‐disclosure bugs remain a critical attack vector against network appliances. Organizations running NetScaler must apply the June 17 patch immediately, review WAF and IPS telemetry for signs of prior exploitation, and adopt continuous firmware validation practices to prevent similar incidents.