
CVE-2025-5777 PoC — Citrix NetScaler ADC and Citrix NetScaler Gateway security vulnerability

Source
Associated Vulnerability
Title: Citrix NetScaler ADC and Citrix NetScaler Gateway security vulnerability (CVE-2025-5777)
Description: Citrix NetScaler ADC and Citrix NetScaler Gateway are both products of the US company Citrix. Citrix NetScaler ADC is an application delivery and security platform. Citrix NetScaler Gateway is a secure remote access solution. Citrix NetScaler ADC and Citrix NetScaler Gateway contain a security vulnerability caused by insufficient input validation in the NetScaler Management Interface, which may lead to a memory over-read.
Description
CitrixBleed-2 (CVE-2025-5777) – proof-of-concept exploit for NetScaler ADC/Gateway “memory bleed”
Readme
# CVE-2025-5777-CitrixBleed
CitrixBleed-2 (CVE-2025-5777) – proof-of-concept exploit for NetScaler ADC/Gateway “memory bleed”

CVE-2025-5777 is a critical unauthenticated out-of-bounds read in Citrix NetScaler ADC/Gateway (Gateway or AAA vServer mode). A single crafted request can dump memory containing session tokens, enabling full authentication bypass—earning the nickname “CitrixBleed 2.”

Patched builds were published on 17 June 2025:
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS

No official mitigations exist for unpatched systems.

# Disclaimer
The information provided on this GitHub repository is for educational purposes only. All information on this GitHub repository is provided in good faith; however, I make no representation or warranty of any kind, express or implied, regarding the accuracy, adequacy, validity, reliability, availability, or completeness of any information. This code is released for educational and defensive purposes only. Before testing, confirm that you own the target or have explicit permission. The PoC leaks live memory; run it on test appliances whenever possible.

# Getting Started

## Requirements
This script requires Python 3 and the standard-library `urllib` module.
If you want to test the vulnerability, do so on your own (non-production) systems only.

```bash
python CVE-2025-5777.py <target.host>
```
# Log analysis of CVE-2025-5777
The script `ns_log_scanner.py` can be used to detect any bytes **outside** the hex range `0x20` to `0x7F` (printable ASCII), other than `0x09`, `0x0A` and `0x0D` (horizontal tab, LF and CR). Such bytes in a text log could be binary data, i.e. leaked memory written into the log:
```bash
python ns_log_scanner.py /var/log/ns.log # (sample path)
```
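The check described above, written out as an added, self-contained illustration (this is not the repository's own `ns_log_scanner.py`): every byte outside `0x20`..`0x7F` that is not TAB, LF or CR is reported with its line number and offset. The log file is read as raw bytes so that no decoding step silently replaces the very bytes we are looking for. The sample log lines at the bottom are constructed for this example.

```python
"""Flag log lines containing bytes outside the printable ASCII range.

Added illustration (not the repository's ns_log_scanner.py): the check the
README describes, applied to constructed sample log data so it runs offline.
"""
from typing import Dict, List

# Allowed bytes per the README: 0x20..0x7F plus TAB, LF and CR.
ALLOWED = set(range(0x20, 0x80)) | {0x09, 0x0A, 0x0D}


def find_suspicious_offsets(line: bytes) -> List[int]:
    """Return the offsets of every byte in `line` that is outside the allowed set."""
    return [i for i, b in enumerate(line) if b not in ALLOWED]


def scan_log(data: bytes) -> Dict[int, List[int]]:
    """Map 1-based line numbers to the offsets of non-printable bytes.

    Lines containing only allowed bytes are omitted, so an empty dict means
    the log looks clean.
    """
    hits: Dict[int, List[int]] = {}
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        offsets = find_suspicious_offsets(line)
        if offsets:
            hits[lineno] = offsets
    return hits


def scan_file(path: str) -> Dict[int, List[int]]:
    """Read a log file as raw bytes (no text decoding) and scan it."""
    with open(path, "rb") as fh:
        return scan_log(fh.read())


# Constructed sample: two ordinary syslog-style lines and one line carrying
# binary bytes where a username would normally be printed.
SAMPLE_LOG = (
    b"Jun 20 10:00:01 ns0 : default AAA Message 1 : username=jdoe login ok\n"
    b"Jun 20 10:00:02 ns0 : default AAA Message 2 : username=\x00\x8a\xffQ\x1b login failed\n"
    b"Jun 20 10:00:03 ns0 : default SSLVPN Message 3 : session established\tok\n"
)

if __name__ == "__main__":
    import sys

    # With a path argument scan that file; otherwise scan the embedded sample.
    result = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_log(SAMPLE_LOG)
    for lineno, offsets in result.items():
        print(f"line {lineno}: {len(offsets)} non-printable byte(s) at offsets {offsets[:8]}")
```

Lines that trip the scanner deserve a closer look in context: the NetScaler log format is plain text, so binary bytes in the middle of a username or session field are not something a healthy appliance writes on its own.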

# Detection of CVE-2025-5777 using IPS/IDS

## Snort example rule for detection (pseudo-code)

```snort
# Bare "login" in the POST body: the next non-space character must NOT be '='.
# Traffic of interest flows from external clients to the NetScaler in $HOME_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
    msg:"doAuthentication bare-login exploit";
    flow:established,to_server;
    http_method; content:"POST",nocase;
    http_uri;    pcre:"/^\/p\/u\/doAuthentication\.do(?:[\/\?]|$)/i";
    http_header; pcre:"/Content-Length\s*:\s*[1-9]\d{0,2}(?!\d)/i";
    http_client_body; pcre:"/\blogin(?!\s*=)/i";
    classtype:web-application-activity;
    sid:1001003; rev:1; metadata:service http;
)
```

## Fortigate IPS detection rule (pseudo-code)
```text
config ips custom-signature
  edit "DoAuthentication_BareLogin"
    set severity medium
    set default-application signature
    set service "HTTP"
    set direction clienttoServer
    set pattern "POST \/p\/u\/doAuthentication\.do[\/\?]?.*Content-Length:\s*[1-9][0-9]{0,2}.*\blogin(?!\s*=)"
  next
end
```
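The Snort and Fortigate rules above encode the same three conditions: a POST to the `doAuthentication.do` endpoint, a Content-Length of 1 to 999 bytes, and a body containing `login` that is not followed by `=`. The following added example (not part of the repository) re-implements that logic in Python so it can be run offline over raw HTTP requests already captured as bytes, for instance extracted from a PCAP or a reverse-proxy log that retains request bodies. It goes slightly beyond the rules in one respect: the Content-Length check is anchored to the whole header value, so a length of 1006 does not match on its "100" prefix. The sample requests and the host name `gateway.example.invalid` are constructed for this illustration.

```python
"""Offline re-implementation of the README's Snort/FortiGate detection logic.

Added example, not part of the repository: applies the same conditions
(POST to doAuthentication.do, small Content-Length, bare "login" in the body)
to raw HTTP requests held as bytes. Sample requests below are constructed.
"""
import re
from typing import List, Optional, Tuple

# Patterns mirror the README rules (case-insensitive, Content-Length 1..999,
# with the length anchored to the full header value).
URI_RE = re.compile(rb"^/p/u/doAuthentication\.do(?:[/?]|$)", re.I)
CONTENT_LENGTH_RE = re.compile(rb"^Content-Length\s*:\s*([1-9]\d{0,2})\s*$", re.I | re.M)
BARE_LOGIN_RE = re.compile(rb"\blogin(?!\s*=)", re.I)


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, bytes, bytes]]:
    """Split a raw request into (method, path, header block, body); None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], headers, body


def matches_bare_login(raw: bytes) -> bool:
    """True when the request satisfies every condition of the detection rule."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, path, headers, body = parsed
    if method.upper() != b"POST" or not URI_RE.match(path):
        return False
    if not CONTENT_LENGTH_RE.search(headers):
        return False
    return BARE_LOGIN_RE.search(body) is not None


def triage(requests: List[bytes]) -> List[int]:
    """Return the indices of requests that trip the rule, in order."""
    return [i for i, r in enumerate(requests) if matches_bare_login(r)]


def _build(method: bytes, path: bytes, body: bytes) -> bytes:
    """Assemble a constructed sample request with a correct Content-Length."""
    return (
        method + b" " + path + b" HTTP/1.1\r\n"
        b"Host: gateway.example.invalid\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body
    )


# Constructed samples: only index 1 should match.
SAMPLES = [
    _build(b"POST", b"/p/u/doAuthentication.do", b"login=jdoe&passwd=secret"),  # normal form login
    _build(b"POST", b"/p/u/doAuthentication.do", b"login"),                     # bare parameter
    _build(b"GET", b"/p/u/doAuthentication.do", b"login"),                      # wrong method
    _build(b"POST", b"/p/u/doAuthentication.do", b"login " + b"x" * 1000),      # body too large
    _build(b"POST", b"/vpn/index.html", b"login"),                              # other endpoint
]

if __name__ == "__main__":
    for idx in triage(SAMPLES):
        print(f"sample {idx}: matches bare-login rule")
```

Because the body check is a negative lookahead on `=`, an ordinary form login (`login=jdoe&...`) is not flagged, which keeps the false-positive rate low on a busy gateway; the Content-Length window and the method check are what make the remaining matches worth an analyst's time.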

## Other resources (updates, detections)
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

## Credits
- Researchers at [WatchTowr](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)

## Contact
Author  : Mischa Rick van Geelen (@rickgeex)  
Company : Anovum B.V.  
Contact : m.vangeelen@anovum.nl
File Snapshot

[4.0K] /data/pocs/8291ad54bb8240c96d5b599ec483a6986849b5ba
├── [3.1K] CVE-2025-5777.py
├── [2.9K] ns_log_scanner.py
└── [3.4K] README.md

0 directories, 3 files