Urgent: Patch Citrix Bleed 2 NetScaler flaw as exploits go public

Summary
– Researchers released PoC exploits for CitrixBleed2 (CVE-2025-5777), a critical flaw in Citrix NetScaler devices allowing attackers to steal session tokens via malformed POST requests.
– The vulnerability resembles the 2023 CitrixBleed bug and leaks memory contents by exploiting a format string issue in the `snprintf` function, revealing ~127 bytes per request.
– While Citrix claims no active exploitation, security firms like ReliaQuest and researcher Kevin Beaumont report evidence of attacks since mid-June, including session hijacking.
– Attack indicators include repeated POST requests to `*doAuthentication*`, unusual logoff entries, and memory dumps in NetScaler logs.
– Citrix has released patches, urging immediate deployment, and recommends reviewing sessions for suspicious activity before terminating them.
Security teams are racing to patch a critical Citrix NetScaler vulnerability known as CVE-2025-5777 (CitrixBleed2) after researchers confirmed working exploits that steal session tokens by dumping memory contents. The flaw impacts Citrix NetScaler ADC and Gateway devices, allowing attackers to extract sensitive data through manipulated login requests.
The vulnerability shares similarities with last year’s CitrixBleed (CVE-2023-4966), which ransomware groups weaponized to hijack sessions and infiltrate networks. Researchers from watchTowr and Horizon3 found that sending malformed POST requests, specifically omitting the equals sign in the login parameter, forces NetScaler appliances to leak memory contents in responses.
Technical analysis reveals the flaw stems from improper use of the `snprintf` function with the `%.*s` format string, which reads data until encountering a null byte. Each malformed request exposes roughly 127 bytes of memory, enabling attackers to repeatedly harvest data until obtaining valuable credentials or session tokens. Horizon3 successfully demonstrated token theft in a proof-of-concept video, contradicting Citrix’s claim that exploitation remains unverified.
Despite Citrix’s insistence that no active attacks exploit CVE-2025-5777, cybersecurity firm ReliaQuest and researcher Kevin Beaumont report evidence of session hijacking since mid-June. Beaumont identified key indicators of compromise, including repeated POST requests to `doAuthentication`, each leaking 126 bytes of RAM.
“Citrix support wouldn’t disclose IOCs and falsely claimed no exploitation occurred, just like with CitrixBleed,” Beaumont noted. “This lack of transparency endangers customers.”
Patches are now available, and organizations must prioritize updates immediately. Administrators should also audit active ICA/PCoIP sessions for suspicious activity before terminating them. With exploit code public, delaying remediation risks severe breaches akin to last year’s widespread attacks.
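The two indicators the article names, repeated POST requests to a `doAuthentication` path and hijacked sessions, can be checked against exported logs before a session audit. The script below is an added example, not code from the article, BleepingComputer, Citrix, ReliaQuest or Kevin Beaumont. The access-log line layout, the session-record layout, the `/p/u/doAuthentication.do` path (chosen only because it matches the article’s `*doAuthentication*` pattern), the threshold and window values, and the `TOKEN-*-placeholder` session identifiers are all assumptions constructed for the example; a real NetScaler export will need its own regular expressions.

```python
"""Added example (not from the article or any vendor): flag CitrixBleed2-style
indicators in constructed NetScaler-like log lines.

Two checks are implemented:
  1. a single source IP sending many POST requests to a doAuthentication path
     in a short window (the token-harvesting loop the article describes);
  2. a session token observed from more than one source IP, a common
     session-hijacking sign worth reviewing before sessions are terminated.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMED access-log line shape (not Citrix's real format):
#   <src_ip> [<ISO-8601 UTC time>] <METHOD> <path> <status>
ACCESS_RE = re.compile(
    r"^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# ASSUMED session-record shape: [<ISO-8601 UTC time>] session=<token> src=<ip>
SESSION_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] session=(?P<token>\S+) src=(?P<ip>\S+)$")

# Constructed sample data. 203.0.113.7 hammers the auth endpoint; the other
# two hosts behave like ordinary users. Path is an assumption, see lead-in.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 [2025-06-20T10:00:01Z] POST /p/u/doAuthentication.do 200
203.0.113.7 [2025-06-20T10:00:02Z] POST /p/u/doAuthentication.do 200
203.0.113.7 [2025-06-20T10:00:03Z] POST /p/u/doAuthentication.do 200
203.0.113.7 [2025-06-20T10:00:04Z] POST /p/u/doAuthentication.do 200
203.0.113.7 [2025-06-20T10:00:05Z] POST /p/u/doAuthentication.do 200
203.0.113.7 [2025-06-20T10:00:06Z] POST /p/u/doAuthentication.do 200
198.51.100.4 [2025-06-20T10:05:00Z] POST /p/u/doAuthentication.do 200
198.51.100.4 [2025-06-20T10:05:30Z] GET /vpn/index.html 200
192.0.2.9 [2025-06-20T10:06:00Z] GET /vpn/index.html 200
"""

# Constructed session records: TOKEN-A is later reused from the flooding host.
SAMPLE_SESSION_LOG = """\
[2025-06-20T10:05:01Z] session=TOKEN-A-placeholder src=198.51.100.4
[2025-06-20T10:07:45Z] session=TOKEN-A-placeholder src=203.0.113.7
[2025-06-20T10:06:02Z] session=TOKEN-B-placeholder src=192.0.2.9
"""


def parse_ts(text):
    """Parse the assumed ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_auth_floods(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: total_posts} for every source that sent at least
    `threshold` POST requests to a doAuthentication path within any sliding
    window of length `window`. Threshold and window are assumed tuning values."""
    posts = defaultdict(list)
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST" or "doAuthentication" not in m["path"]:
            continue
        posts[m["ip"]].append(parse_ts(m["ts"]))

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def find_shared_sessions(lines):
    """Return {token: sorted source IPs} for tokens seen from more than one IP."""
    seen = defaultdict(set)
    for line in lines:
        m = SESSION_RE.match(line)
        if m:
            seen[m["token"]].add(m["ip"])
    return {tok: sorted(ips) for tok, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    print("auth floods:", find_auth_floods(SAMPLE_ACCESS_LOG.splitlines()))
    print("shared sessions:", find_shared_sessions(SAMPLE_SESSION_LOG.splitlines()))
```

Run against the constructed data, the first check reports `203.0.113.7` with six POSTs and the second reports `TOKEN-A-placeholder` as used from two addresses; on real exports, hits from the second check are the sessions to review before terminating them, as the article advises.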
(Source: BLEEPINGCOMPUTER)