CitrixBleed 2 (CVE-2025-5777) Zero-Day: Critical Memory Leak Hits Citrix NetScaler ADC and Gateway Systems
- Rescana
- 7d

Executive Summary
A critical zero-day vulnerability, CitrixBleed 2 (CVE-2025-5777), is wreaking havoc across global enterprise networks by targeting Citrix NetScaler ADC and Citrix NetScaler Gateway appliances. This pre-authentication memory disclosure flaw enables remote attackers to extract sensitive memory contents from vulnerable devices, potentially leading to session hijacking, credential theft, and lateral movement within affected environments. The attack is highly repeatable, trivial to exploit, and has already resulted in over 11.5 million attack attempts worldwide, with a disproportionate focus on the financial sector and U.S.-based organizations. The vulnerability is reminiscent of the notorious CitrixBleed (CVE-2023-4966), but with new technical nuances and a broader impact surface. Immediate action is required to mitigate risk, as exploitation is ongoing and public proof-of-concept code is widely available.
Technical Information
CitrixBleed 2 (CVE-2025-5777) is a pre-authentication remote memory disclosure vulnerability affecting multiple versions of Citrix NetScaler ADC and Citrix NetScaler Gateway. The flaw is rooted in improper input validation and memory handling within the authentication logic, specifically when the login parameter is present in a POST request but is not assigned a value. This results in the use of uninitialized memory (CWE-457), causing the backend to leak stack memory contents in the XML response.
The attack vector is network-based and does not require any credentials or prior access. An attacker simply crafts an HTTP POST request to the /p/u/doAuthentication.do endpoint, including the login parameter without a value. The vulnerable server responds with an XML payload containing an <InitialValue> tag, which is populated with uninitialized stack memory. Each request can leak different memory chunks, increasing the likelihood of exposing sensitive data such as session tokens, credentials, or cryptographic material.
A typical exploit request is as follows:
```
POST /p/u/doAuthentication.do HTTP/1.0
Host: target
User-Agent: watchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowr
Content-Length: 5
Connection: keep-alive

login
```
The corresponding vulnerable response may look like:
```
<InitialValue>É|¼C÷PkÓßYsa5ÊÞÅÐ^Ð|@ºJZõ¶@¹^ì¶Uã7Kèg Oë@¼~hL1{Xövn^ÐÛ·¹8dp}°$üüÇ)7 (÷æ¾èÂpAgc¼TowrwatchTowrw</InitialValue>
```
The criticality of this vulnerability is underscored by its CVSS score of 9.3. The attack is not only trivial to execute but also difficult to detect, as many affected appliances lack robust network monitoring and are often not updated regularly. The memory disclosure is non-deterministic, meaning repeated exploitation can yield a wide array of sensitive information, making it a potent tool for both opportunistic attackers and advanced persistent threat actors.
Detection hinges on monitoring for anomalous POST requests to the authentication endpoint with malformed login parameters and inspecting responses for unexpected or non-empty <InitialValue> tags. Security teams should also be vigilant for signs of session hijacking or unauthorized access that may result from successful exploitation.
Exploitation in the Wild
Exploitation of CitrixBleed 2 is widespread and escalating. Security telemetry from Imperva and GreyNoise indicates over 11.5 million attack attempts globally within weeks of public disclosure. The financial sector is bearing the brunt, accounting for approximately 40% of observed attacks, with U.S.-based organizations representing the majority of targeted entities. Attackers are leveraging automated scanning and exploitation tools to identify and compromise exposed Citrix NetScaler instances at scale.
GreyNoise has identified at least 22 unique malicious IP addresses actively exploiting the vulnerability within days of its disclosure. The attack timeline reveals that malicious activity began as early as June 23, 2025, with public exploit details surfacing in early July. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by adding CVE-2025-5777 to its Known Exploited Vulnerabilities Catalog on July 10, 2025, mandating rapid patching for federal agencies.
Industry experts have highlighted the ease and repeatability of the attack. Dustin Childs of Trend Micro ZDI noted, “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.” Imperva researchers observed extensive scanning for exposed instances, with attackers seeking to harvest sensitive data for further exploitation.
The combination of a trivial exploit, high-value targets, and slow patch adoption has created a perfect storm for widespread compromise. Organizations with unpatched appliances are at immediate risk of data leakage, credential theft, and subsequent breaches.
APT Groups using this vulnerability
While no single advanced persistent threat (APT) group has been definitively attributed to the exploitation of CitrixBleed 2 as of July 2025, both opportunistic cybercriminals and sophisticated APT actors are actively leveraging the bug. The attack aligns with the MITRE ATT&CK framework’s Initial Access (TA0001) and Exploit Public-Facing Application (T1190) techniques, making it attractive for a wide spectrum of threat actors.
Security researchers have observed exploitation patterns consistent with both mass scanning by cybercriminal botnets and more targeted campaigns that may be indicative of APT involvement. The financial sector’s prominence among targeted victims suggests that financially motivated groups, as well as state-sponsored actors seeking access to critical infrastructure, are exploiting the vulnerability. The lack of attribution is likely due to the recency of the vulnerability and the high volume of opportunistic attacks obscuring more targeted campaigns.
Organizations should assume that both commodity malware operators and advanced threat actors are exploiting CitrixBleed 2 and should respond with the highest urgency.
Affected Product Versions
The following product versions are confirmed to be affected by CitrixBleed 2 (CVE-2025-5777), according to the latest advisories from Citrix and technical analysis by Horizon3.ai:
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.235-FIPS and 13.1-37.235-NDcPP
- NetScaler ADC 12.1-FIPS prior to 12.1-55.328-FIPS

All of these builds are vulnerable. Organizations running any of these versions should consider their appliances at high risk and prioritize immediate remediation.
For the most current and detailed list of affected versions, consult the official Citrix Security Bulletin and the NVD entry for CVE-2025-5777.
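A small version-triage helper, added here as an example (not Rescana's or Citrix's own tooling), that compares a NetScaler version string against the fixed builds listed above. It assumes the common `MAJOR.MINOR-BUILD.PATCH[-FIPS|-NDcPP]` string format and deliberately reports branches or editions the list above does not cover as unknown rather than guessing.

```python
import re
from typing import Optional, Tuple

# First fixed build per (release family, edition), taken from the affected-version
# list above. "STD" stands for the standard (non-FIPS/NDcPP) build line.
FIXED_BUILDS = {
    ("14.1", "STD"): (43, 56),
    ("13.1", "STD"): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDCPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Assumed version string shape: "14.1-43.56" or "13.1-37.235-FIPS".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[str, Tuple[int, int], str]:
    """Split a NetScaler version into (family, (build, patch), edition)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    family, build, patch, edition = m.groups()
    return family, (int(build), int(patch)), (edition or "STD").upper()


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix for its family/edition, False if it is
    at or past the fixed build, None if the list above does not cover it.
    The edition matters: a standard 13.1-37.x build is measured against
    13.1-58.32, not against the separate FIPS/NDcPP fix line 13.1-37.235."""
    family, build, edition = parse_version(version)
    fixed = FIXED_BUILDS.get((family, edition))
    if fixed is None:
        return None
    return build < fixed
```

Feed it the version strings from your asset inventory; any `None` result means the branch is outside the list in this advisory and needs to be checked against the Citrix bulletin directly.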
Workaround and Mitigation
The primary mitigation for CitrixBleed 2 is to apply the latest security patches released by Citrix for all affected NetScaler ADC and NetScaler Gateway appliances. Patching should be performed as a matter of urgency, as exploitation is ongoing and public exploit code is widely available.
In addition to patching, organizations should implement the following compensating controls where immediate patching is not feasible:
- Restrict network access to vulnerable appliances by implementing strict firewall rules and network segmentation, ensuring that only trusted management networks can reach the authentication endpoints.
- Monitor for indicators of compromise by inspecting logs for anomalous POST requests to /p/u/doAuthentication.do with malformed login parameters and by searching for unexpected or non-empty <InitialValue> tags in XML responses.
- Update intrusion detection and prevention systems (IDS/IPS) and security information and event management (SIEM) solutions with detection rules tailored to the exploit pattern.
- Conduct external attack surface assessments to identify and remediate any exposed Citrix NetScaler instances.
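The detection logic described in the Technical Information section and in the monitoring control above, written out as an added example (not Rescana's code): it flags POSTs to the authentication endpoint whose `login` parameter carries no value and checks the paired response for a non-empty `<InitialValue>` tag. It assumes you can feed it raw request text and response bodies (for example from a reverse proxy or IDS capture); the sample traffic is constructed, not a real capture.

```python
import re
from urllib.parse import parse_qsl

AUTH_ENDPOINT = "/p/u/doAuthentication.do"
INITIAL_VALUE_RE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.DOTALL)


def malformed_login_request(raw_request: str) -> bool:
    """True for a POST to the authentication endpoint whose body carries a
    'login' parameter with no value, the request shape described above."""
    head, _, body = raw_request.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split()
    if len(parts) < 2 or parts[0] != "POST":
        return False
    if parts[1].split("?", 1)[0] != AUTH_ENDPOINT:
        return False
    # keep_blank_values=True keeps both a bare 'login' token and 'login='
    return any(k == "login" and v == ""
               for k, v in parse_qsl(body.strip(), keep_blank_values=True))


def leaked_initial_value(response_body: str) -> bool:
    """True if the XML response carries a non-empty <InitialValue>, the
    response-side indicator this advisory tells defenders to look for."""
    m = INITIAL_VALUE_RE.search(response_body)
    return bool(m and m.group(1).strip())


def scan(pairs):
    """Classify each (request, response) pair: 'probe' when only the request
    matches, 'leak' when the response also shows disclosed memory."""
    findings = []
    for i, (req, resp) in enumerate(pairs):
        if malformed_login_request(req):
            findings.append((i, "leak" if leaked_initial_value(resp) else "probe"))
    return findings


# Constructed sample traffic (not real captures): a normal login, a bare-'login'
# probe answered with leaked bytes, a 'login=' probe answered with an empty tag,
# and a GET that must not match.
SAMPLE = [
    ("POST /p/u/doAuthentication.do HTTP/1.1\r\nHost: vpn.example\r\n\r\nlogin=alice&passwd=x",
     "<InitialValue></InitialValue>"),
    ("POST /p/u/doAuthentication.do HTTP/1.0\r\nHost: vpn.example\r\nContent-Length: 5\r\n\r\nlogin",
     "<InitialValue>\x8a\x1f@\xbc~hL1{X\xf6vn</InitialValue>"),
    ("POST /p/u/doAuthentication.do HTTP/1.1\r\nHost: vpn.example\r\n\r\nlogin=",
     "<InitialValue></InitialValue>"),
    ("GET /p/u/doAuthentication.do?login HTTP/1.1\r\nHost: vpn.example\r\n\r\n", ""),
]
```

A "probe" finding on its own still deserves follow-up: it shows the appliance is being tested, and an empty tag does not prove the appliance is patched, only that this particular request did not leak.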
Organizations should also review authentication logs for signs of session hijacking or unauthorized access, as attackers may have already leveraged the vulnerability to gain persistent access.
References
For further technical analysis, exploit details, and mitigation guidance, consult the following authoritative sources:
- WatchTowr Labs: Technical Analysis & Exploit Details
- CyberScoop: Exploitation in the Wild
- Akamai: Mitigation and Root Cause
- CISA KEV Catalog: Known Exploited Vulnerabilities
- NVD Entry for CVE-2025-5777: NVD
- Horizon3.ai: CitrixBleed 2 Writeup
- GreyNoise: Malicious IPs
Rescana is here for you
Rescana is committed to empowering organizations with actionable threat intelligence and robust third-party risk management. Our TPRM platform enables you to continuously monitor your digital supply chain, identify emerging vulnerabilities, and respond proactively to evolving cyber threats. We understand the urgency and complexity of today’s threat landscape and are dedicated to supporting your security operations with timely, expert guidance.
If you have any questions about this advisory or require further assistance, please contact us at ops@rescana.com.