Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | 3 MIN READ

CREATED ON July 07, 2025

​​CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained

Citrix has disclosed a critical vulnerability affecting NetScaler devices configured as Gateway or AAA virtual servers [1]. CVE-2025-5777 is a pre-authentication memory leak vulnerability with a CVSS score of 9.3 (Critical) that allows remote attackers to extract uninitialized memory contents from affected devices. The vulnerability is also referred to as "CitrixBleed 2" due to its similarity to the infamous CVE-2023-4966 vulnerability. Given its ease of exploitation and potential for significant impact, organizations are advised to patch their vulnerable assets without delay.

In this blog, we explained how the Citrix NetScaler CVE-2025-5777 vulnerability works and how organizations can defend against Citrix Bleed 2 attacks.

Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform

Citrix Bleed 2: CVE-2025-5777 Vulnerability Explained

Citrix NetScaler is a networking appliance that delivers application access across distributed enterprise environments. Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.

On June 17th, 2025, Citrix disclosed a critical pre-authentication memory leak vulnerability affecting Citrix NetScaler devices configured as a Gateway or AAA virtual server. CVE-2025-5777 is caused by insufficient input validation in how NetScaler processes HTTP POST requests to its authentication endpoint. Specifically, when an attacker submits a malformed login request that includes the login parameter without a value or equals sign, the backend C code responsible for parsing the request fails to safely initialize the corresponding variable. As a result, the system responds with residual stack memory data within an XML tag called <InitialValue>, leaking whatever uninitialized content was present in memory at that time.

CVE-2025-5777 has a CVSS score of 9.3 (Critical) and is named CitrixBleed 2 due to its striking similarity to the earlier CitrixBleed vulnerability

How Citrix NetScaler CVE-2025-5777 Exploit Works?

CVE-2025-5777 stems from how Citrix NetScaler handles login requests during the authentication process. Specifically, when a malformed HTTP POST request is sent to the authentication endpoint, the system fails to properly validate and initialize input from the login parameter [2]. If the request includes the login field without an equals sign or value, the backend interprets it as a valid field but leaves the associated memory uninitialized. The backend, written in C, then proceeds to handle this uninitialized variable as if it contained a legitimate username. Due to the absence of proper memory initialization, the system inadvertently includes leftover data from the stack in its response. This data leak occurs within the <InitialValue> tag of the XML response returned by the server. As a result, attackers can retrieve fragments of memory that may contain portions of previous HTTP requests, usernames, or other sensitive information.

The example HTTP POST request can be used to test memory leaks on vulnerable Citrix NetScaler devices. 

POST /p/u/doAuthentication.do HTTP/1.0 

Host: <Vulnerable_Citrix_NetScaler_Device>

User-Agent: PicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicus

Content-Length: 5 

Connection: keep-alive  


login

Citrix Bleed 2 CVE-2025-5777 Vulnerability Exploit

How Picus Helps Simulate Citrix Bleed 2 CVE-2025-5777 Attacks?

We also strongly suggest simulating the Citrix Bleed 2 CVE-2025-5777 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Citrix Bleed 2 CVE-2025-5777 vulnerability exploitation attacks:

Threat ID

Threat Name

Attack Module

67234

Citrix Web Attack Campaign

Web Application

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Security Validation Platform.

References

[1] "NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777." Available: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

[2] S. Kheirkhah, "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)," watchTowr Labs, Jul. 04, 2025. Available: https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/

Table of Contents

Inside the Shadows: Understanding Active Iranian APT Groups
Emerging Threat Inside the Shadows: Understanding Active Iranian APT Groups
Learn More
Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
Emerging Threat Ransomware Actors Exploit CVE-2024-57727 in Unpatched SimpleHelp RMM
Learn More
Russian Unit 26165 Targets Western Logistics and Technology Companies
Emerging Threat Russian Unit 26165 Targets Western Logistics and Technology Companies
Learn More
Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Emerging Threat Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Learn More
CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Learn More
cve-2025-32433-erlang
Emerging Threat CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Learn More
IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Emerging Threat IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Emerging Threat CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Learn More