
CitrixBleed 2 - CVE-2025-5777 (NetScaler)

Incident Overview

CitrixBleed 2 (CVE-2025-5777) is a critical, remotely triggerable memory-disclosure flaw in NetScaler ADC and NetScaler Gateway appliances.

It breaks the same trust boundary as the original CitrixBleed (CVE-2023-4966): an unauthenticated attacker can pull live session material out of appliance memory, replay it to bypass authentication (including MFA, since the stolen session has already passed it), and in the worst case take over administrative sessions.

  • CVSS v4.0: 9.3 (Critical), as rated in Citrix advisory CTX693420

  • Attack Vector: Remote, unauthenticated, no user interaction

  • Scope: NetScaler ADC and Gateway 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS/NDcPP before 13.1-37.235 and 12.1-FIPS before 12.1-55.328, when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. 12.1 and 13.0 are end of life and receive no fix; any such appliance reachable from the internet should be treated as exposed.

  • Impact: Session-token and credential theft from memory, session hijack that sidesteps MFA, internal network access through the Gateway, and from there possible domain compromise.

Timeline of Events

  • June 17, 2025: Citrix publishes advisory CTX693420 covering CVE-2025-5777 (alongside CVE-2025-5349) and ships fixed builds.

  • Late June 2025: First public reports of in-the-wild exploitation of unpatched appliances; the bug is dubbed "CitrixBleed 2" because of its resemblance to CVE-2023-4966.

  • Early July 2025: Public technical analyses and working proof-of-concept code appear, followed by broad scanning for exposed Gateways.

  • July 10, 2025: CISA adds CVE-2025-5777 to its Known Exploited Vulnerabilities catalog.


Attack Chain

  1. Recon: Attackers scan for internet-facing NetScaler Gateway and AAA virtual servers (Shodan, Censys) and fingerprint the build to pick unpatched targets.

  2. Exploit: A malformed POST to the authentication endpoint (/p/u/doAuthentication.do, with a `login` parameter that has no `=` and no value) makes the appliance return uninitialised memory inside its XML response.

  3. Harvest: The request is repeated until session cookies (NSC_AAAC), usernames and other authentication material show up in the leaked bytes.

  4. Hijack: The stolen cookie is replayed against the Gateway; because that session has already completed authentication, MFA is not challenged again.

  5. Pivot: The attacker uses the hijacked Gateway session to reach internal resources and move laterally.

Exploit PoC Insights

Public analysis of the PoC traced the leak to request parsing on the authentication endpoint rather than to session management itself: when the `login` form parameter arrives without an `=` and value, the variable that should hold it is never initialised, yet the server still formats it into the `<InitialValue>` element of its XML reply.

Instead of a clean response the appliance therefore returns roughly 127 bytes of stack memory per request; repeating the request walks through memory and surfaces active session tokens and other request data from other users.

No brute force and no credentials are required, just the same malformed POST sent many times.
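To make the bug class concrete, here is an added Python model (not NetScaler's code and not the published PoC) of how a form parser that accepts a key without `=` ends up echoing stale buffer contents. The `login` key and the `<InitialValue>` element follow the public description of the flaw; the fixed 128-byte scratch buffer, the parser logic and the `hunter2` sample are simplifications chosen for illustration.

```python
"""Simplified model of the CitrixBleed 2 bug class (added example; not NetScaler
code and not the published PoC). A fixed scratch buffer stands in for the stack
region the real parser reused between requests."""
from typing import Optional, Tuple

SCRATCH = bytearray(128)   # models the reused, never-cleared buffer


def _store(value: bytes) -> None:
    """Copy a form value into the scratch buffer and NUL-terminate it."""
    value = value[: len(SCRATCH) - 1]
    SCRATCH[: len(value)] = value
    SCRATCH[len(value)] = 0


def _read_until_nul() -> bytes:
    """What a C '%s'-style formatter does: read the buffer up to the first NUL."""
    end = SCRATCH.find(b"\x00")
    return bytes(SCRATCH[: end if end >= 0 else len(SCRATCH)])


def vulnerable_initial_value(body: bytes) -> bytes:
    """Flawed parser: a bare 'login' key (no '=') is accepted, nothing is written
    to the buffer, and the response still echoes the buffer's old contents."""
    for pair in body.split(b"&"):
        key, sep, value = pair.partition(b"=")
        if key != b"login":
            continue
        if sep:            # normal case: the value overwrites the buffer
            _store(value)
        # BUG: when sep is empty the buffer is formatted without being written
        return b"<InitialValue>" + _read_until_nul() + b"</InitialValue>"
    return b"<InitialValue></InitialValue>"


def hardened_initial_value(body: bytes) -> Optional[bytes]:
    """Fixed parser: the buffer is cleared before use and a key without '=' is
    rejected (None models an HTTP 400), so stale bytes are never reachable."""
    SCRATCH[:] = bytes(len(SCRATCH))
    for pair in body.split(b"&"):
        key, sep, value = pair.partition(b"=")
        if not sep:
            return None
        if key == b"login":
            _store(value)
            return b"<InitialValue>" + _read_until_nul() + b"</InitialValue>"
    return b"<InitialValue></InitialValue>"


def demo() -> Tuple[bytes, Optional[bytes]]:
    """A legitimate login followed by the malformed probe, against each parser."""
    vulnerable_initial_value(b"login=alice&passwd=hunter2")
    leaked = vulnerable_initial_value(b"login")          # bare key: echoes 'alice'
    hardened_initial_value(b"login=alice&passwd=hunter2")
    safe = hardened_initial_value(b"login")              # rejected
    return leaked, safe


if __name__ == "__main__":
    print(demo())
```

The point of the two versions is the check that is missing in the first one: the vulnerable parser decides whether to format the buffer based on the key being present, not on a value having been written. The real appliance leaked arbitrary stack contents rather than the previous `login` value, but the root cause is the same missing validation.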

Exploitation Evidence

Honeypot logs show real exploitation attempts within 48 hours of the public advisory:

Threat Actor Tradecraft

Attribution links active exploitation to APT42 (Iran-aligned) and UNC2630 operators; treat the actor names as provisional, since attribution of edge-device exploitation is routinely revised as more telemetry becomes available:

  • Known For: Targeting government, critical infrastructure, and defense sectors.

  • TTPs: Credential theft, VPN appliance exploitation, MFA bypass through session theft.

  • Comparable Ops: Mass exploitation of Ivanti Connect Secure CVE-2024-21887 (January 2024) and of the MOVEit Transfer zero-day CVE-2023-34362 (mid-2023), both edge or file-transfer products abused at scale within days of disclosure.

Their motive is clear: long-term persistence and access to sensitive internal systems through edge-device compromise.

MITRE ATT&CK and D3FEND

  • T1595.002: Active Scanning: Vulnerability Scanning

  • T1190: Exploit Public-Facing Application (the malformed authentication request that discloses memory)

  • T1539: Steal Web Session Cookie (session tokens recovered from leaked memory)

  • T1550.004: Use Alternate Authentication Material: Web Session Cookie (replay of stolen NSC_AAAC tokens)

  • T1078: Valid Accounts (subsequent use of the hijacked identities inside the network)

  • D3FEND Network Traffic Analysis (D3-NTA): monitor for malformed POSTs to the authentication endpoint and for session tokens reused across client IPs

  • D3FEND Credential Eviction: terminate all sessions after patching and force re-authentication

CVE / References

  • CVE-2025-5777 (NVD)

  • Citrix security advisory CTX693420 (NetScaler ADC and NetScaler Gateway, June 17, 2025)

  • CISA Known Exploited Vulnerabilities catalog entry for CVE-2025-5777 (added July 10, 2025)

Detection & Mitigation

  • Patch Immediately: Upgrade to the fixed builds from Citrix advisory CTX693420 (14.1-43.56, 13.1-58.32, 13.1-FIPS/NDcPP 13.1-37.235, 12.1-FIPS 12.1-55.328). End-of-life 12.1 and 13.0 appliances must be migrated to a supported release; there is no patch for them.

  • Invalidate All Active Sessions after upgrading: on each appliance run `kill icaconnection -all`, `kill pcoipConnection -all`, `kill aaa session -all` and `kill rdp connection -all`, as Citrix recommends, so that any token harvested before the patch cannot be replayed. Patching alone does not revoke stolen sessions.

  • Network Monitoring: Alert on POST requests to /p/u/doAuthentication.do (and /nf/auth/doAuthentication.do) whose body contains a `login` parameter without a value, on bursts of such requests from a single source, and on the same NSC_AAAC session cookie presented from more than one client IP.

  • Segmentation: Keep the management interface (NSIP) off the internet and reachable only from trusted administrative networks or a jump host.

  • Hunting Queries: Review Gateway access logs and any upstream proxy or WAF logs for the request pattern above, and review session records for sessions whose client IP changed mid-session. Assume any session active while the appliance was unpatched and exposed may have been leaked.
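Added example, not part of the original page: a Python hunt over constructed proxy/WAF log lines that flags the leak trigger (a POST to the authentication endpoint whose `login` parameter carries no value), bursts of such probes from one source, and an NSC_AAAC session cookie seen from more than one client IP; a helper also triages captured responses for leaked bytes inside `<InitialValue>`. The JSON log format, the 20-request burst threshold and the 64-byte length heuristic are assumptions, and since NetScaler does not log request bodies by default this presumes a reverse proxy or WAF in front of the Gateway.

```python
"""Hunt for CitrixBleed 2 (CVE-2025-5777) activity in HTTP logs.

Added example (not NetScaler or vendor code). Assumes a reverse proxy or WAF in
front of the Gateway writes one JSON event per request with the decoded form
body and request cookies; every log line below is constructed sample data.
"""
import json
import re
from collections import Counter, defaultdict

AUTH_ENDPOINTS = {"/p/u/doAuthentication.do", "/nf/auth/doAuthentication.do"}
BURST_THRESHOLD = 20   # assumption: leak probes are repeated many times per source
MAX_SANE_VALUE = 64    # assumption: a legitimate <InitialValue> is a short username

# Constructed sample log (RFC 5737 addresses, dummy cookie value).
SAMPLE_LOG = [
    '{"ts":"2025-07-01T10:00:01Z","src_ip":"203.0.113.5","method":"POST",'
    '"path":"/p/u/doAuthentication.do","body":"login=alice&passwd=REDACTED","cookies":{}}',
    '{"ts":"2025-07-01T10:00:09Z","src_ip":"198.51.100.7","method":"POST",'
    '"path":"/p/u/doAuthentication.do","body":"login","cookies":{}}',
    '{"ts":"2025-07-01T10:00:10Z","src_ip":"198.51.100.7","method":"POST",'
    '"path":"/p/u/doAuthentication.do","body":"login","cookies":{}}',
    '{"ts":"2025-07-01T10:05:00Z","src_ip":"203.0.113.5","method":"GET",'
    '"path":"/vpn/index.html","body":"","cookies":{"NSC_AAAC":"a1b2c3"}}',
    '{"ts":"2025-07-01T10:07:00Z","src_ip":"198.51.100.7","method":"GET",'
    '"path":"/vpn/index.html","body":"","cookies":{"NSC_AAAC":"a1b2c3"}}',
]


def is_leak_trigger(ev: dict) -> bool:
    """The documented trigger: POST to the auth endpoint with a 'login' key that
    carries no '=' (and therefore no value). 'login=alice' is NOT flagged."""
    if ev.get("method") != "POST" or ev.get("path") not in AUTH_ENDPOINTS:
        return False
    return any(pair == "login" for pair in ev.get("body", "").split("&"))


def response_looks_leaky(resp_body: bytes) -> bool:
    """Triage a captured response: leaked memory shows up as non-printable bytes
    or an unexpectedly long value inside <InitialValue>."""
    m = re.search(rb"<InitialValue>(.*?)</InitialValue>", resp_body, re.S)
    if not m:
        return False
    value = m.group(1)
    return len(value) > MAX_SANE_VALUE or any(b < 0x20 or b > 0x7E for b in value)


def hunt(lines, burst_threshold: int = BURST_THRESHOLD) -> list:
    """Return findings: each leak trigger, per-source probe bursts, and any
    NSC_AAAC session cookie presented from more than one client IP (replay)."""
    findings = []
    probes = Counter()
    cookie_ips = defaultdict(set)
    for raw in lines:
        ev = json.loads(raw)
        if is_leak_trigger(ev):
            findings.append({"type": "leak_trigger", "src_ip": ev["src_ip"], "ts": ev["ts"]})
            probes[ev["src_ip"]] += 1
        token = ev.get("cookies", {}).get("NSC_AAAC")
        if token:
            cookie_ips[token].add(ev["src_ip"])
    for ip, n in probes.items():
        if n >= burst_threshold:
            findings.append({"type": "probe_burst", "src_ip": ip, "count": n})
    for token, ips in cookie_ips.items():
        if len(ips) > 1:
            findings.append({"type": "cookie_replay", "cookie": token, "src_ips": sorted(ips)})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, burst_threshold=2):
        print(finding)
```

Run it as-is to see the three finding types on the sample; in production, feed it the real log stream and keep the burst threshold high enough that legitimate retry storms do not page you. The cookie-replay check is the one that survives patching: a token leaked before the upgrade and replayed afterwards still shows up as one session used from two addresses.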

Edge appliances like NetScaler are not just doors into your network; they are often the only lock an attacker needs to pick. Don't leave yours bleeding.
