Ethical Hacking News
Citrix Bleed 2, a critical vulnerability in the widely deployed Citrix NetScaler software, has left millions of users exposed to session hijacking and data breaches. The flaw, tracked as CVE-2025-5777 and dubbed CitrixBleed2 by researchers, is triggered by a malformed POST request sent during a login attempt, and researchers have now released proof-of-concept (PoC) exploits for it. On unpatched appliances, attackers can steal user session tokens and reach sensitive data. Citrix has released patches to address the vulnerability, and all organizations are urged to apply them immediately.
Citrix Bleed 2 affects Citrix NetScaler ADC and Gateway devices and lets attackers steal user session tokens with relative ease. It is caused by a flawed call to the snprintf function with a format string containing the %.*s specifier. When an attacker sends a malformed POST request during a login attempt, the appliance returns memory contents, up to the first null character, in a section of its login response.
In technical analyses published first by watchTowr and then by Horizon3, researchers confirmed that the bug is triggered by an incorrect login request in which the login= parameter is sent without an equals sign or value. The NetScaler appliance then echoes memory contents, up to the first null character, in a section of the response.
The flaw has significant implications for organizations that rely on Citrix NetScaler software in their IT infrastructure. On unpatched appliances, attackers can exploit it to steal user session tokens and access sensitive data. In fact, a June report by cybersecurity firm ReliaQuest indicates that CVE-2025-5777 may already have been exploited in attacks, with the company observing an increase in user session hijacks.
Security researcher Kevin Beaumont disputes Citrix's statement that the vulnerability has not been actively exploited, saying that attackers are using the bug to dump memory and hijack sessions. He highlighted several indicators of compromise: repeated POST requests to "doAuthentication", requests to doAuthentication.do with "Content-Length: 5", and "LOGOFF" lines with user = "*#*" (a # symbol in the username) in NetScaler user logs.
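Added example (not from the article, and not Kevin Beaumont's or Citrix's code): a small Python scanner that applies the three indicators above to log lines. The proxy-style and NetScaler user-log line formats in SAMPLE_LINES are constructed for this example and will not match real appliance or reverse-proxy output exactly; the regular expressions are deliberately tolerant and should be adapted to your own log formats. The scan_lines function name and the repeat_threshold parameter are assumptions.

```python
import re
from collections import Counter

# Indicator: POST to doAuthentication(.do). The client IP is taken from the
# start of the (constructed) proxy-style entry; adjust to your own format.
AUTH_POST = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+POST\s+\S*doAuthentication(?:\.do)?\b",
    re.IGNORECASE,
)
CONTENT_LENGTH = re.compile(r"Content-Length:\s*(?P<clen>\d+)", re.IGNORECASE)

# Indicator: LOGOFF entry whose user name contains '#'. Accepts either the
# 'User NAME' or the 'user = "NAME"' spelling.
LOGOFF_USER = re.compile(
    r"\bLOGOFF\b.*?(?:user\s*=\s*\"|User\s+)(?P<user>[^\s\"]+)", re.IGNORECASE
)

# Constructed sample lines: the first five mimic a reverse proxy in front of the
# appliance, the last two mimic NetScaler user-log entries.
SAMPLE_LINES = [
    '2025-07-01T09:00:01Z 203.0.113.5 POST /p/u/doAuthentication.do "Content-Length: 5"',
    '2025-07-01T09:00:02Z 203.0.113.5 POST /p/u/doAuthentication.do "Content-Length: 5"',
    '2025-07-01T09:00:03Z 203.0.113.5 POST /p/u/doAuthentication.do "Content-Length: 5"',
    '2025-07-01T09:00:04Z 198.51.100.7 POST /p/u/doAuthentication.do "Content-Length: 61"',
    '2025-07-01T09:00:05Z 198.51.100.7 GET /vpn/index.html "Content-Length: 0"',
    "07/01/2025:09:00:06 GMT ns0 : SSLVPN LOGOFF : User alice - Client_ip 198.51.100.7",
    "07/01/2025:09:00:07 GMT ns0 : SSLVPN LOGOFF : User #k - Client_ip 203.0.113.5",
]


def scan_lines(lines, repeat_threshold=3):
    """Return the indicator hits found in an iterable of log lines.

    content_length_5   -> [(line_no, src_ip)] POSTs to doAuthentication with
                          a 5-byte body (the article's strongest indicator)
    repeated_auth_post -> {src_ip: count} sources that POSTed to
                          doAuthentication at least repeat_threshold times
    hash_logoff        -> [(line_no, user)] LOGOFF entries whose user contains '#'
    """
    findings = {"content_length_5": [], "repeated_auth_post": {}, "hash_logoff": []}
    posts_per_source = Counter()
    for line_no, line in enumerate(lines, 1):
        m = AUTH_POST.search(line)
        if m:
            src = m.group("src")
            posts_per_source[src] += 1
            cl = CONTENT_LENGTH.search(line)
            if cl and cl.group("clen") == "5":
                findings["content_length_5"].append((line_no, src))
        m = LOGOFF_USER.search(line)
        if m and "#" in m.group("user"):
            findings["hash_logoff"].append((line_no, m.group("user")))
    findings["repeated_auth_post"] = {
        src: n for src, n in posts_per_source.items() if n >= repeat_threshold
    }
    return findings


if __name__ == "__main__":
    for name, hits in scan_lines(SAMPLE_LINES).items():
        print(f"{name}: {hits}")
```

A hit on any one indicator is a reason to review that source's sessions before the appliance is patched and sessions are terminated; the Content-Length: 5 pattern and a username containing # are the most specific, while repeated authentication POSTs alone also occur with ordinary brute-force noise and are best read together with the other two.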
Citrix has released patches to address CVE-2025-5777, and all organizations are strongly urged to apply them immediately now that public exploits are available. While Citrix recommends terminating all active ICA and PCoIP sessions, administrators should first review existing sessions for any suspicious activity before doing so.
The revelation of the Citrix Bleed 2 vulnerability serves as a stark reminder of the importance of keeping software up-to-date and vigilant in the face of emerging threats. As the threat landscape continues to evolve, it is essential that organizations prioritize their cybersecurity posture and take proactive measures to protect themselves against such vulnerabilities.
In conclusion, the Citrix Bleed 2 NetScaler flaw is a critical vulnerability that leaves millions of users exposed to session hijacking and data breaches. With public exploits now available, all organizations are urged to apply patches immediately and take steps to prevent exploitation of this vulnerability.
Related Information:
https://www.ethicalhackingnews.com/articles/Exposing-the-Dark-Secret-Citrix-Bleed-2-NetScaler-Flaw-Leaves-Millions-Vulnerable-to-Session-Hijacking-ehn.shtml
Published: Mon Jul 7 23:52:15 2025 by llama3.2 3B Q4_K_M