Exploit details released for Citrix Bleed 2 flaw affecting NetScaler

Similarities to the original Citrix Bleed: CVE-2025-5777 has been dubbed Citrix Bleed 2 due to its similarities to a zero-day information disclosure vulnerability fixed in October 2023 (CVE-2023-4966) that received the Citrix Bleed moniker because it enabled attackers to leak session tokens from memory, allowing for session takeover with multifactor authentication bypass.

Similarly, CVE-2025-5777 can lead to a memory overread condition through crafted HTTP requests sent to a specific web application endpoint called doAuthentication.do. This leaks internal memory, 127 bytes at a time, which could contain authentication tokens and other sensitive information.

During their testing, the watchTowr researchers didn’t manage to find any authentication cookies, session IDs, or passwords in the leaked content, but noted that on a production appliance with more user connections, things will likely be different. Meanwhile, the Horizon3 researchers did obtain legitimate user session tokens by running the exploit for longer on their test appliance.

“This isn’t just limited to endpoints accessible to normal users,” the Horizon3 researchers wrote. “The configuration utilities administrators use to manage NetScaler Gateway endpoints ALSO utilize this memory space, meaning those tokens are vulnerable to theft as well.”

The flaw affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) server. There are no manual workarounds or mitigations aside from applying the patches. Organizations that haven’t updated yet should deploy the latest available builds for their release branches, which also include fixes for the confirmed actively exploited CVE-2025-6543 vulnerability.

Detecting compromise: In terms of IoCs, the Horizon3 researchers advise searching ns.log for log entries with non-printable characters, which can be a good indicator that something is not right.

“The Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted,” the Horizon3 researchers concluded. “Entries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens.”

Administrators are also advised to audit all active sessions on their appliances, which can be done from the interface at “NetScaler Gateway -> Active User Sessions -> Select applicable context -> Continue” or from the command line with the show sessions or show <service> session commands.

If an appliance is compromised, attackers are likely to add backdoor accounts, dump and modify the appliance configuration with persistence mechanisms, and deploy remote access tools, all actions taken during the original Citrix Bleed exploitation as well. Such modifications should be captured by logs, but the researchers warn that if admin sessions or credentials are compromised, the attackers would have access to modify logging configurations.

“If configuration backups are in place, showing the current running config via show ns runningConfig -withDefaults and comparing it to a known good backup with some sort of diffing utility (such as via diff -u backup.config current.config) is a good starting point,” the Horizon3 researchers said.

Meanwhile, watchTowr researchers released proof-of-concept HTTP requests and responses that can be used to build scanning scripts to determine the exploitability of NetScaler appliances against this flaw.
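The two defender checks described above (scanning ns.log for non-printable characters and diffing the running config against a known-good backup) as a small Python script. This is an added example, not code from the article or from the Horizon3 or watchTowr researchers; the ns.log lines and config fragments are constructed, and the script assumes ns.log is read as raw bytes.

```python
import difflib
import re

# Anything outside printable ASCII plus tab/LF/CR. This is a coarse heuristic:
# legitimate UTF-8 usernames will also match, so treat hits as leads to review,
# not as proof of compromise.
NON_PRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")

# Constructed sample of ns.log content; line 2 carries bytes that look like
# leaked memory rather than a username.
SAMPLE_NS_LOG = (
    b"Jun 30 10:00:01 <local0.info> ns AAA Message: login user=alice\n"
    b"Jun 30 10:00:02 <local0.info> ns AAA Message: login user=\xe2\x80\xa6\x00\x8f\xa3bob\n"
    b"Jun 30 10:00:03 <local0.info> ns SSLVPN Message: session established user=carol\n"
)

# Constructed config fragments: the "current" config has one extra system user,
# the kind of change a backdoor account would introduce.
BACKUP_CONFIG = (
    "set ns config -IPAddress 10.0.0.5 -netmask 255.255.255.0\n"
    "add system user ops-admin\n"
)
CURRENT_CONFIG = BACKUP_CONFIG + "add system user svc-backup\n"


def find_suspicious_log_lines(log_bytes):
    """Return (line_number, nonprintable_byte_count) for each ns.log line
    containing at least one non-printable byte."""
    hits = []
    for lineno, line in enumerate(log_bytes.splitlines(), start=1):
        count = len(NON_PRINTABLE.findall(line))
        if count:
            hits.append((lineno, count))
    return hits


def config_drift(backup_text, current_text):
    """Unified diff of a known-good backup against the running config,
    the equivalent of `diff -u backup.config current.config`."""
    return list(difflib.unified_diff(
        backup_text.splitlines(), current_text.splitlines(),
        fromfile="backup.config", tofile="current.config", lineterm=""))


if __name__ == "__main__":
    for lineno, count in find_suspicious_log_lines(SAMPLE_NS_LOG):
        print(f"ns.log line {lineno}: {count} non-printable byte(s)")
    print("\n".join(config_drift(BACKUP_CONFIG, CURRENT_CONFIG)))
```

On a real appliance, replace the constructed samples with the contents of ns.log and the output of show ns runningConfig -withDefaults; any added line in the diff (such as an unexpected system user) deserves a closer look.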

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4019802/exploit-details-released-for-citrix-bleed-2-flaw-affecting-netscaler.html
