CitrixBleed 2: NetScaler Memory Leak (CVE-2025-5777)

Citrix has confirmed a critical new vulnerability in NetScaler ADC and Gateway appliances, tracked as CVE-2025-5777. Dubbed CitrixBleed 2 for its resemblance to previous memory exposure vulnerabilities in these appliances, this flaw once again places enterprise infrastructure at serious risk.
Summary of CVE-2025-5777
- CVE ID: CVE-2025-5777
- Severity: Critical (CVSS 9.8)
- Component Affected: NetScaler ADC and Gateway
- Exploitation Type: Remote, unauthenticated memory leak
- Current Status: Exploited in the Wild
- Patch Available: Yes (Released August 5, 2025)
Technical Details
CVE-2025-5777 allows unauthenticated remote attackers to leak memory contents from vulnerable NetScaler appliances via crafted HTTP requests. This issue is due to improper bounds checking in request parsing, leading to unintended disclosure of session tokens, credentials, or configuration data from memory buffers.
Researchers have confirmed successful exploit scenarios in lab conditions – retrieving sensitive data with no prior authentication. Multiple proof-of-concept (PoC) tools are already circulating on exploit forums and GitHub.
Affected Versions
Product | Affected Versions | Fixed in
---|---|---
NetScaler ADC | 13.1-49.15 and earlier | 13.1-49.16
NetScaler Gateway | 13.0-91.7 and earlier | 13.0-91.8
Older LTS versions remain under analysis.
Mitigation and Remediation
Apply the Patch
Citrix urges all customers to update to the fixed firmware immediately. Firmware downloads are available in the Citrix support portal.
Additional Steps
- Revoke and reissue potentially compromised session tokens and credentials.
- Monitor for unusual HTTP traffic patterns and memory read anomalies.
- Enable and monitor logging of authentication attempts, session reuse, and config fetches.
Threat Activity
Cybersecurity researchers and SOC analysts have already observed targeted scanning of public-facing NetScaler instances beginning on August 3. APT groups and ransomware affiliates may prioritize vulnerable instances for initial access.
Security vendor GreyBox Labs has classified this CVE as "high exploitation potential" and warns of opportunistic mass scanning similar to past CitrixBleed events.
Detection Guidance
Indicators of Compromise (IOCs):
- HTTP requests containing malformed Host or Cookie headers
- Traffic from unexpected IPs with large response body sizes
- Memory read anomalies in diagnostic logs
Recommended Tools:
- Wireshark with custom dissectors
- Suricata / Zeek custom signatures
- Memory integrity checks
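A detection-side illustration of the IOCs listed above, added here and not part of the original advisory: it triages constructed access-log lines for malformed Host or Cookie headers and for large responses returned to untrusted sources. The log format, the "malformed" heuristics, the trusted network range and the 32 KiB threshold are all assumptions for the example, not Citrix guidance.

```python
import ipaddress
import re

# Constructed sample lines (not real appliance output). Assumed format:
# src_ip method path "host_header" "cookie_header" status resp_bytes
SAMPLE_LOG = """\
10.0.0.5 GET /vpn/index.html "vpn.example.com" "NSC_AAAC=abc123; NSC_TMAS=xyz" 200 512
203.0.113.9 POST /login "vpn.example.com" "NSC_AAAC=abc123" 200 740
198.51.100.7 GET /vpn/index.html "vpn.example.com|x" "NSC_AAAC" 200 65536
198.51.100.7 GET /login "%%%" "NSC_AAAC=1" 200 131072
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" "([^"]*)" (\d{3}) (\d+)$')
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")            # hostname[:port]
COOKIE_NAME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 6265 token
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]             # assumed internal range
LARGE_RESPONSE_BYTES = 32 * 1024                                # assumed threshold

def malformed_cookie(header: str) -> bool:
    """True if any cookie-pair lacks '=' or has a non-token name."""
    for pair in filter(None, (p.strip() for p in header.split(";"))):
        name, sep, _ = pair.partition("=")
        if not sep or not COOKIE_NAME_RE.match(name):
            return True
    return False

def analyze(log_text: str) -> list[tuple[int, list[str]]]:
    """Return (line_number, reasons) for each line matching one or more IOCs."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not flagged
        src, _method, _path, host, cookie, _status, size = m.groups()
        reasons = []
        if not HOST_RE.match(host):
            reasons.append("malformed_host")
        if malformed_cookie(cookie):
            reasons.append("malformed_cookie")
        src_ip = ipaddress.ip_address(src)
        untrusted = not any(src_ip in net for net in TRUSTED_NETS)
        if untrusted and int(size) >= LARGE_RESPONSE_BYTES:
            reasons.append("large_response_untrusted_src")
        if reasons:
            findings.append((lineno, reasons))
    return findings

if __name__ == "__main__":
    for lineno, reasons in analyze(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Findings on lines 3 and 4 are the ones an analyst would pivot on; a hit on only one heuristic (such as a lone large response from an unknown source) is a lead for correlation with session-reuse and authentication logs rather than confirmation of exploitation.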
Final Thoughts
CVE-2025-5777 is a wake-up call: even mature enterprise platforms like NetScaler can harbor low-level flaws with wide-reaching consequences. Organizations should:
- Patch immediately
- Harden perimeter devices
- Regularly audit appliance logs
- Validate change management processes