A new critical vulnerability in Citrix NetScaler, designated CVE-2025-5777 and now known in the security community as CitrixBleed2, appears to be easily exploitable and is already the target of proof-of-concept exploits.
Researchers from watchTowr and Horizon3.ai, among others, warn that malicious actors can use this vulnerability to steal sensitive session data via seemingly simple login requests.
CitrixBleed2 affects both NetScaler ADC and Gateway devices, allowing an attacker to read memory content directly by sending malicious POST requests during login. This happens without any authentication. The vulnerability is similar to CVE-2023-4966, which was already used on a large scale in 2023 by ransomware groups and state-affiliated attackers to take over sessions and penetrate networks.
Insecure input handling
According to a detailed technical analysis by watchTowr, the problem stems from a call to the snprintf function with an incorrect format string. When a login request is sent without a well-formed login parameter, i.e., without the equal sign or a value, NetScaler responds with an error. That error response, however, contains memory contents originating from the unsafe processing of the input. Because the %*.* format specifier used makes NetScaler echo data up to the first null byte, an attacker can read approximately 127 bytes of RAM content with each request.
watchTowr points out that the error can be reproduced with a simple curl call. With repeated requests, each again omitting the =, a fresh piece of uninitialized memory is leaked on every attempt, and those fragments may contain session tokens or authentication data. In practice, this means an attacker can collect the sensitive information they need, undetected, through an automated attack loop.
Active exploitation likely
Although Citrix still states in a blog post that there is no evidence of active exploitation, this view is disputed. Cybersecurity company ReliaQuest reported a noticeable increase in the number of session hijacks among customers with NetScaler infrastructure at the end of June. Security researcher Kevin Beaumont confirms this observation. According to him, the vulnerability has been actively exploited since mid-June. He says the pattern in log data from affected NetScaler devices is characteristic: short POST requests with unusually low content lengths, and session log entries in which leaked memory contents end up in user fields. Beaumont states that without the in-depth publications by watchTowr and Horizon3, this activity would have gone unnoticed.
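As an added example (not part of the original article, and not code from watchTowr, Horizon3, ReliaQuest or Citrix), the following Python script turns the two log indicators Beaumont describes into a simple hunt: POSTs to the login endpoint with an unusually low Content-Length, repeated from one client, and session records whose user field holds bytes that no real username would contain. The log line formats, the `/login` path, the 16-byte length threshold and the three-request loop threshold are all assumptions for the illustration; real NetScaler logs have different layouts and the thresholds need tuning per environment.

```python
"""Hunt for CitrixBleed2-style indicators in NetScaler-like logs.

Added example. The two indicators follow the pattern described in the article
(short login POSTs with unusually low Content-Length, and session entries whose
user field contains leaked memory). Log formats below are simplified and
hypothetical, not NetScaler's real formats; thresholds are assumptions.
"""
import re
from collections import Counter

# Hypothetical login endpoint path (placeholder, not a real NetScaler path).
LOGIN_PATH = "/login"
# Assumption: a genuine login body (user, password, form fields) is far longer
# than this; a body that merely names the parameter is a handful of bytes.
MAX_SUSPICIOUS_LENGTH = 16
# Assumption: this many short login POSTs from one client suggests a read loop.
LOOP_THRESHOLD = 3

# Constructed access-log lines: "<ts> <client> <method> <path> <status> <content-length>".
ACCESS_LOG = """\
2025-06-25T10:00:01Z 203.0.113.7 POST /login 200 5
2025-06-25T10:00:02Z 203.0.113.7 POST /login 200 5
2025-06-25T10:00:03Z 203.0.113.7 POST /login 200 6
2025-06-25T10:00:10Z 198.51.100.22 POST /login 200 214
2025-06-25T10:00:11Z 198.51.100.22 GET /vpn/index.html 200 0
2025-06-25T10:00:12Z 192.0.2.9 POST /login 200 7
"""

# Constructed session-log lines: "<ts> user=<value> client=<ip>". Two entries
# carry non-printable bytes in the user field, standing in for leaked memory.
SESSION_LOG = """\
2025-06-25T10:00:02Z user=j.doe client=198.51.100.22
2025-06-25T10:00:04Z user=\x01\x8aQ\xfe\x7f client=203.0.113.7
2025-06-25T10:00:05Z user=\x00\x92tok\x01 client=203.0.113.7
2025-06-25T10:00:13Z user=a.smith client=192.0.2.9
"""

ACCESS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<length>\d+)$"
)
SESSION_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S*) client=(?P<client>\S+)$")


def short_login_posts(log_text):
    """Access-log records for POSTs to the login path whose body is tiny."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        rec = m.groupdict()
        rec["length"] = int(rec["length"])
        if (rec["method"] == "POST" and rec["path"] == LOGIN_PATH
                and rec["length"] <= MAX_SUSPICIOUS_LENGTH):
            hits.append(rec)
    return hits


def looping_clients(hits):
    """Clients with enough short login POSTs to suggest an automated loop."""
    counts = Counter(h["client"] for h in hits)
    return sorted(c for c, n in counts.items() if n >= LOOP_THRESHOLD)


def looks_like_leaked_memory(user):
    """True if the user field holds bytes outside printable ASCII.

    Assumption: legitimate usernames here are printable ASCII; relax this for
    directories that allow non-ASCII names.
    """
    return any(not (0x20 <= ord(ch) <= 0x7E) for ch in user)


def garbage_user_sessions(log_text):
    """Session-log records whose user field does not look like a username."""
    hits = []
    for line in log_text.splitlines():
        m = SESSION_RE.match(line)
        if m and looks_like_leaked_memory(m.group("user")):
            hits.append(m.groupdict())
    return hits


def analyze(access_log=ACCESS_LOG, session_log=SESSION_LOG):
    """Summarise both indicators in one report dict."""
    short = short_login_posts(access_log)
    return {
        "short_login_posts": len(short),
        "looping_clients": looping_clients(short),
        "garbage_user_sessions": len(garbage_user_sessions(session_log)),
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key}: {value}")
```

Either indicator on its own is noisy (a misconfigured client can send short POSTs; an unusual directory can produce odd usernames), so the report keeps them separate and the repeat-from-one-client count is what should drive triage; correlating both against the same client address, as the constructed data does for 203.0.113.7, is the strongest signal.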
Horizon3’s video analysis also shows that the abuse is not merely theoretical. The researchers demonstrate how the vulnerability can be exploited to steal real session tokens, which can then be used to take over existing sessions, with everything that entails. It is also striking that the vulnerability is not limited to public-facing NetScaler endpoints: management interfaces and configuration tools also appear to be vulnerable, which increases the impact on internal infrastructure.
Citrix has now released security updates. Organizations are strongly advised to patch their NetScaler ADC and Gateway systems as soon as possible. Given the ease of exploitation and the availability of PoC exploits, there is a high likelihood that more attacks will follow.