

Ethical Hacking News

Critical NetScaler Flaw CitrixBleed 2 Exposed: Public Exploits Released for Immediate Patching




A new critical bug has been discovered in multiple versions of the popular ADC and Gateway devices made by Citrix. The newly disclosed CitrixBleed 2 vulnerability allows attackers to hijack user sessions with just a few lines of code, putting businesses at significant risk.

Researchers have confirmed that this flaw is actively being exploited and can be successfully used to dump memory from NetScaler appliances. To protect your organization's security, it is recommended that you apply the patch released by Citrix as soon as possible. Read more about this new vulnerability and how to secure your NetScaler environment.

  • CitrixBleed 2 is a critical vulnerability affecting multiple versions of NetScaler that allows attackers to steal user session tokens by sending malformed POST requests during login attempts.
  • The vulnerability was originally discovered in 2023 and has since been actively exploited, with concrete indicators of compromise from NetScaler logs confirming its exploitation since mid-June.
  • Attacks using CitrixBleed 2 can hijack user sessions and breach networks by exploiting a format string vulnerability in NetScaler ADC and Gateway devices.
  • When a user attempts to log into their account with an invalid POST request, it triggers the appliance to display memory contents, allowing attackers to dump memory and hijack sessions.
  • Citrix recommends terminating active ICA and PCoIP sessions for affected customers, while administrators are advised to review existing sessions for suspicious activity before doing so.
  • All organizations using Citrix ADC and Gateway devices are strongly urged to apply the patches released by Citrix immediately to address CVE-2025-5777 and prevent potential exploitation of this critical vulnerability.



    Citrix has received a stern warning from security researchers and experts following the release of proof-of-concept (PoC) exploits for its popular ADC and Gateway devices. The exploits target a critical vulnerability known as CitrixBleed 2. This newly discovered bug, which affects multiple versions of NetScaler, enables attackers to steal user session tokens by simply sending malformed POST requests during login attempts.

    Citrix continues to insist that the flaw is not currently being exploited in the wild, citing an internal blog post and stating that there is no evidence of successful attacks. However, security researcher Kevin Beaumont has disputed this claim, providing concrete indicators of compromise from NetScaler logs that confirm the vulnerability's active exploitation since mid-June.

    The CitrixBleed 2 vulnerability was originally discovered in 2023, earning its name from its similarity to the original CitrixBleed (CVE-2023-4966) bug. That flaw allowed attackers to hijack user sessions and breach networks through a combination of exploits involving a format string vulnerability. The new CitrixBleed 2 flaw shares similarities with its predecessor: it lies in a function in NetScaler ADC and Gateway devices that calls snprintf with a format string containing the %.*s format.

    In technical terms, when a login attempt arrives as a malformed POST request in which the "login" parameter has no equal sign or value, it triggers the NetScaler appliance to display memory contents up to the first null character in the section of the response. The effect is the retrieval of uninitialized stack data that can be used by attackers to dump memory and hijack sessions.

    While watchTowr's initial attempts were unsuccessful, Horizon3 demonstrates in their video that they could exploit this flaw to steal user session tokens. Each request leaks approximately 127 bytes of data from memory, allowing repeated HTTP requests to extract additional memory contents until sensitive data is found.
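    The bug class described above, shown as an added example (not Citrix's code and not from the original article): a toy form parser that leaves its output buffer untouched when "login" arrives without an equal sign, echoed through snprintf with %.*s, beside a hardened form. The names parse_login, render_flawed, render_hardened and leaks, the `<v>` wrapper and the STALE marker are constructed; the pre-filled buffer stands in for uninitialized stack memory so the run is deterministic.

```c
#include <stdio.h>
#include <string.h>

#define VAL_MAX 128
/* Constructed marker standing in for bytes left behind in memory. */
#define STALE "STALE-SESSION-DATA-constructed"

/* Returns 2 if "login=<value>" was copied into out, 1 if the key appears
   with no '=' (out is left untouched), 0 if the key is absent. */
static int parse_login(const char *body, char *out, size_t outsz) {
    const char *p = strstr(body, "login");
    if (!p) return 0;
    p += strlen("login");
    if (*p != '=') return 1;
    p++;
    size_t n = strcspn(p, "&");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 2;
}

/* Flawed pattern: parse result ignored, buffer echoed with %.*s. */
static int render_flawed(const char *body, char *resp, size_t respsz) {
    char buf[VAL_MAX];
    strcpy(buf, STALE); /* models what an earlier call left on the stack */
    parse_login(body, buf, sizeof buf);
    return snprintf(resp, respsz, "<v>%.*s</v>", VAL_MAX - 1, buf);
}

/* Hardened: zeroed buffer, and nothing is echoed unless a value was parsed. */
static int render_hardened(const char *body, char *resp, size_t respsz) {
    char buf[VAL_MAX] = {0};
    resp[0] = '\0';
    if (parse_login(body, buf, sizeof buf) != 2) return -1;
    return snprintf(resp, respsz, "<v>%s</v>", buf);
}

/* 1 if the rendered response for body contains the stale marker. */
int leaks(int hardened, const char *body) {
    char r[256];
    if (hardened) render_hardened(body, r, sizeof r);
    else render_flawed(body, r, sizeof r);
    return strstr(r, STALE) != NULL;
}

int main(void) {
    printf("flawed: %d hardened: %d\n", leaks(0, "login"), leaks(1, "login"));
    return 0;
}
```

    The precision of 127 passed to %.*s caps each echo at 127 bytes or the first null byte, which matches the per-request leak size the article reports.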

    While Citrix continues to recommend terminating active ICA and PCoIP sessions for affected customers, administrators are advised to review existing sessions for suspicious activity before doing so. All organizations are strongly urged to apply the patches released by Citrix immediately to address CVE-2025-5777 and prevent potential exploitation of this critical vulnerability.

    Given the severity of this discovery, it is imperative that users take proactive steps to secure their NetScaler environments. Until a patch is applied, attackers will be able to easily access user session tokens, potentially leading to unauthorized access to sensitive information and escalating security risks.

    In light of these findings, organizations utilizing Citrix ADC and Gateway devices are strongly advised to prioritize immediate patching and take necessary precautions against this newly exposed vulnerability.


  • Published: Mon Jul 7 18:23:30 2025 by llama3.2 3B Q4_K_M












