# CitrixBleed 2 (CVE-2025-5777): Critical Out-of-Bounds Read in NetScaler ADC and Gateway

Security researchers have uncovered a critical vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway, CVE-2025-5777, nicknamed "CitrixBleed 2" after the 2023 flaw (CVE-2023-4966) it resembles. An unauthenticated attacker can send a malformed HTTP POST request to the appliance's authentication endpoint and trigger an out-of-bounds memory read, leaking session tokens, authentication cookies, and other fragments of server memory back in the response.

## Vulnerability Overview

CitrixBleed 2 arises from insufficient input validation when the authentication handler processes the `login` parameter of a POST request:

* The handler expects `login=<value>` but never checks that a value was actually supplied.
    
* Sending `login` as a bare key, with no `=` and no value, leaves the value unset; the response is then built from whatever the stack already contained, so the request returns a fragment of uninitialized memory.
    
* Each repetition returns a different fragment, and those fragments can include session cookies and other authentication material belonging to users who are currently logged in, including sessions that have already passed MFA.
    

The weakness requires no authentication and is reachable over the network with minimal complexity. It affects only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, which is precisely the interface that has to be exposed to the internet for remote access.

## Technical Analysis

1. **Trigger** Send an HTTP POST to the Gateway/AAA authentication endpoint (`/p/u/doAuthentication.do` in the public proofs of concept) with a body that contains `login` as a bare key, with no `=` and no value. The leaked bytes come back inside the `<InitialValue>` element of the XML response, and repeating the request walks through further memory.
    
2. **Root Cause** Citrix classifies the flaw as an out-of-bounds read (CWE-125) caused by insufficient input validation; mechanically, the parser uses uninitialized stack memory (CWE-457) in place of the missing parameter value and copies it into the response.
    
3. **CVSS Metrics** CVSS v4.0 base score 9.3 (Critical): network attack vector, low attack complexity, no privileges and no user interaction required, with a high confidentiality impact.
    
4. **Affected Versions** Citrix advisories list specific builds of ADC and Gateway, including but not limited to:
    
    * 14.1 prior to 14.1-43.56
        
    * 13.1 prior to 13.1-58.32
        
    * 13.1-FIPS and 13.1-NDcPP prior to 13.1-37.235
        
    * 12.1-FIPS prior to 12.1-55.328
        
    
    NetScaler ADC and Gateway 12.1 and 13.0 (non-FIPS) are end of life, remain vulnerable, and must be moved to a supported release. Always consult Citrix CTX693420 for the definitive list.
    
    

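To make the bug class concrete, here is an added C model of the vulnerable handler shape. It is written for this page; it is not NetScaler code and not a reproduction of the real binary, although the mechanism (a value pointer and length that the parser never writes on the bare-key path, formatted with `%.*s` anyway) matches what public analyses describe. The stale stack contents are seeded with a constructed string so the over-read is deterministic and visible; on a real appliance they would be whatever an earlier request left behind. `find_param`, `vulnerable_handler`, `hardened_handler`, the `*_leaks` helpers and the `<InitialValue>` framing are illustrative names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stale stack contents left by an earlier request.
 * Fixed here so the over-read is deterministic; not a real NetScaler cookie. */
static const char STALE_STACK[] = "NSC_AAAC=stale-session-cookie-from-previous-request;";

/* Locate `key` in an application/x-www-form-urlencoded body.
 * Returns 1 and sets *val/*len when "key=value" is present,
 *         2 when the key occurs as a bare token with no '=' (*val/*len untouched),
 *         0 when the key is absent. */
static int find_param(const char *body, const char *key, const char **val, int *len)
{
    size_t klen = strlen(key);
    const char *p = body;
    for (;;) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen >= klen && strncmp(p, key, klen) == 0) {
            if (plen == klen)
                return 2;                 /* "login" with no '=' and no value */
            if (p[klen] == '=') {
                *val = p + klen + 1;
                *len = (int)(plen - klen - 1);
                return 1;
            }
        }
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Vulnerable shape: the parser only writes val/len on the "key=value" path,
 * but the handler formats them whenever the key was seen at all. On the real
 * appliance val/len are uninitialized stack slots; here they are seeded with
 * the constructed stale data so the leak is visible. */
int vulnerable_handler(const char *body, char *resp, size_t resp_sz)
{
    const char *val = STALE_STACK;            /* models an uninitialized pointer */
    int len = (int)(sizeof STALE_STACK - 1);  /* models an uninitialized length  */
    int rc = find_param(body, "login", &val, &len);
    if (rc == 0) {
        snprintf(resp, resp_sz, "<InitialValue></InitialValue>");
        return 0;
    }
    /* BUG: rc == 2 reaches this line with val/len never set by the parser. */
    snprintf(resp, resp_sz, "<InitialValue>%.*s</InitialValue>", len, val);
    return rc;
}

/* Hardened shape: a key without a value is treated as an empty value, and
 * val/len are reset regardless of what the parser reports. */
int hardened_handler(const char *body, char *resp, size_t resp_sz)
{
    const char *val = "";
    int len = 0;
    int rc = find_param(body, "login", &val, &len);
    if (rc != 1) {               /* absent or bare key: never echo stack contents */
        val = "";
        len = 0;
    }
    snprintf(resp, resp_sz, "<InitialValue>%.*s</InitialValue>", len, val);
    return rc;
}

/* Does a handler's response for `body` contain the constructed stale marker? */
int vulnerable_leaks(const char *body)
{
    char resp[256];
    vulnerable_handler(body, resp, sizeof resp);
    return strstr(resp, "stale-session-cookie") != NULL;
}

int hardened_leaks(const char *body)
{
    char resp[256];
    hardened_handler(body, resp, sizeof resp);
    return strstr(resp, "stale-session-cookie") != NULL;
}

int main(void)
{
    char resp[256];
    vulnerable_handler("login=alice&passwd=x", resp, sizeof resp);
    printf("well-formed request : %s\n", resp);
    vulnerable_handler("login", resp, sizeof resp);
    printf("vulnerable, bare key: %s\n", resp);
    hardened_handler("login", resp, sizeof resp);
    printf("hardened, bare key  : %s\n", resp);
    return 0;
}
```

The point of the model is the asymmetry between the parser's contract and the handler's assumption: `find_param` only promises to fill `val`/`len` on return code 1, yet the vulnerable handler formats them on return code 2 as well. The fix is not a length check on the value but an explicit "no value was supplied" path, which is why patched builds return an empty `<InitialValue>` for the same request.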
## Exploitation Status and Data Validation

Early reports claimed "over 11.5 million attack attempts" and "1,200 compromised systems," including a high-profile incident at the Pennsylvania Attorney General's office. Independent telemetry from major vendors paints a more modest picture:

* Tens of thousands of blocked attempts by global IPS sensors
    
* Approximately 3,000 still-vulnerable NetScaler instances observed online (as of August 2025)
    
* No public confirmation of the Pennsylvania AG breach
    

CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog in July 2025, so in-the-wild exploitation is confirmed even where the headline numbers are not. Base prioritization on vendor advisories (Citrix, CISA) and your own telemetry rather than unverified media figures.

## Potential Impact

If successfully exploited, CVE-2025-5777 can lead to:

* Hijacking of existing user sessions
    
* Bypassing of MFA protections: a stolen session token represents a session that already completed MFA, so replaying it requires no second factor
    
* Unauthorized access to sensitive applications behind the NetScaler
    
* Lateral movement within corporate networks
    

Organizations in government, finance, healthcare, and any industry using Citrix appliances for remote access are at elevated risk.

## Mitigation and Best Practices

1. **Immediate Patching** Upgrade to the fixed builds published in Citrix CTX693420 without delay; there is no configuration workaround, and end-of-life 12.1 and 13.0 appliances must be moved to a supported release.
    
2. **Session Revocation** Patching does not invalidate tokens that were already leaked. Once every appliance in an HA pair or cluster has been upgraded, terminate all active ICA and PCoIP sessions as the advisory instructs, using `kill icaconnection -all` and `kill pcoipConnection -all` on the NetScaler CLI, so that users must re-authenticate.
    
3. **Network Controls**
    
    * Restrict the NetScaler management interface (NSIP) to trusted IP ranges or VPN-only access as general hygiene, but note that this does not block CVE-2025-5777: the vulnerable code runs on the Gateway/AAA virtual server that remote users must be able to reach.
        
    * Employ network segmentation to isolate critical resources.
        
4. **Runtime Hardening**
    
    * Deploy a Web Application Firewall (WAF) in front of the authentication endpoint with a rule that blocks POST bodies in which `login` appears as a bare key with no `=`.
        
    * Enforce rate limiting on authentication endpoints.
        
5. **Monitoring and Detection**
    
    * Audit access logs for repeated POSTs to the authentication endpoint from a single source with unusually short bodies, and for session cookies reused from a different client IP than the one that created them. NetScaler's own logs typically do not record POST bodies, so body-level detection usually needs a proxy or packet capture in front of the appliance.
        
    * Enable IDS/IPS signatures for the CitrixBleed 2 request pattern (a POST to the authentication endpoint whose body is a bare `login` token) rather than generic "out-of-bounds read" rules, which cannot be expressed at the network layer.
        
6. **Defense-in-Depth**
    
    * Validate all user-supplied data at multiple layers.
        
    * Regularly perform memory-safety audits on custom plugins or integrations.
        

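As an added detection example (written for this page, not taken from Citrix or from the PoC repositories), the following C code classifies captured authentication requests: it flags a POST to the Gateway/AAA authentication endpoint whose body carries `login` as a bare key with no `=`, and separately notes an empty `login=`, which is not the trigger but is unusual enough to log. The record format and the sample traffic are constructed; the endpoint path is the one used by the public proofs of concept linked below. It assumes request bodies are available from a reverse proxy or packet capture in front of the appliance.

```c
#include <stdio.h>
#include <string.h>

/* One captured authentication request (constructed record format). */
struct http_req {
    const char *src;     /* client address */
    const char *method;  /* "POST", "GET", ... */
    const char *path;    /* request path without query string */
    const char *body;    /* form-urlencoded body, "" if none */
};

enum verdict { BENIGN = 0, EMPTY_LOGIN = 1, BARE_LOGIN = 2 };

/* True when `key` occurs as a complete form token with no '=' after it:
 * "login" and "passwd=x&login&foo=1" match, "login=alice" and "mylogin" do not. */
static int has_bare_key(const char *body, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = body; (p = strstr(p, key)) != NULL; p += klen) {
        int at_start = (p == body || p[-1] == '&');
        int at_end   = (p[klen] == '\0' || p[klen] == '&');
        if (at_start && at_end)
            return 1;
    }
    return 0;
}

/* True when "key=" occurs with an empty value ("login=" or "login=&passwd=x"). */
static int has_empty_key(const char *body, const char *key)
{
    size_t klen = strlen(key);
    for (const char *p = body; (p = strstr(p, key)) != NULL; p += klen) {
        int at_start = (p == body || p[-1] == '&');
        if (at_start && p[klen] == '=' && (p[klen + 1] == '\0' || p[klen + 1] == '&'))
            return 1;
    }
    return 0;
}

static int ends_with(const char *s, const char *suffix)
{
    size_t sl = strlen(s), xl = strlen(suffix);
    return sl >= xl && strcmp(s + sl - xl, suffix) == 0;
}

/* Classify one request. The trigger is a POST to the authentication endpoint
 * (doAuthentication.do, as used by the public PoCs) whose body carries `login`
 * with no '='. An empty `login=` is reported separately for logging only. */
enum verdict classify_request(const struct http_req *r)
{
    if (strcmp(r->method, "POST") != 0)
        return BENIGN;
    if (!ends_with(r->path, "/doAuthentication.do"))
        return BENIGN;
    if (has_bare_key(r->body, "login"))
        return BARE_LOGIN;
    if (has_empty_key(r->body, "login"))
        return EMPTY_LOGIN;
    return BENIGN;
}

/* Constructed sample traffic: RFC 5737 documentation addresses, no real data. */
const struct http_req SAMPLE[] = {
    {"198.51.100.4", "POST", "/p/u/doAuthentication.do", "login=alice&passwd=Secret1"},
    {"203.0.113.7",  "POST", "/p/u/doAuthentication.do", "login"},
    {"203.0.113.7",  "POST", "/p/u/doAuthentication.do", "passwd=x&login&foo=1"},
    {"198.51.100.9", "POST", "/p/u/doAuthentication.do", "login=&passwd=x"},
    {"198.51.100.9", "GET",  "/p/u/doAuthentication.do", ""},
    {"198.51.100.4", "POST", "/vpn/index.html",          "login"},
};
const size_t NSAMPLE = sizeof SAMPLE / sizeof SAMPLE[0];

/* Number of requests in a batch that match the exploit trigger. */
int count_triggers(const struct http_req *reqs, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_request(&reqs[i]) == BARE_LOGIN)
            hits++;
    return hits;
}

int main(void)
{
    static const char *label[] = { "benign", "empty login=", "BARE login (trigger)" };
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-13s %-4s %-26s %-28s -> %s\n", SAMPLE[i].src, SAMPLE[i].method,
               SAMPLE[i].path, SAMPLE[i].body, label[classify_request(&SAMPLE[i])]);
    printf("trigger requests: %d of %zu\n", count_triggers(SAMPLE, NSAMPLE), NSAMPLE);
    return 0;
}
```

The same predicate can be expressed as a WAF or IPS rule: match on the method and path, then require a `login` token that is not followed by `=`. Matching on the path alone is too broad (every legitimate login hits it), and matching on `login=` with an empty value alone misses the actual trigger.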
## References

* Citrix Security Bulletin CTX693420: [https://support.citrix.com/article/CTX693420](https://support.citrix.com/article/CTX693420)
    
* Positive Technologies Advisory PT-2025-25651: [https://dbugs.ptsecurity.com/vulnerability/PT-2025-25651](https://dbugs.ptsecurity.com/vulnerability/PT-2025-25651)
    
* Proof-of-Concept Repositories:
    
    * [https://github.com/win3zz/CVE-2025-5777](https://github.com/win3zz/CVE-2025-5777)
        
    * [https://github.com/soltanali0/CVE-2025-5777-Exploit](https://github.com/soltanali0/CVE-2025-5777-Exploit)
    

By treating **CVE-2025-5777** as a top priority and implementing layered defenses, you can safeguard your Citrix NetScaler deployments against session hijacking and memory-leak attacks.  
  
*Stay vigilant and subscribe to our blog for ongoing security insights.*
