Huseyin Can YUCEEL | 3 MIN READ

CREATED ON July 07, 2025

CVE-2025-5777: Citrix Bleed 2 Memory Leak Vulnerability Explained

Citrix has disclosed a critical vulnerability affecting NetScaler devices configured as Gateway or AAA virtual servers [1]. CVE-2025-5777 is a pre-authentication memory leak vulnerability with a CVSS score of 9.3 (Critical) that allows remote attackers to extract uninitialized memory contents from affected devices. The vulnerability is also referred to as "CitrixBleed 2" due to its similarity to the infamous CVE-2023-4966 vulnerability. Given its ease of exploitation and potential for significant impact, organizations are advised to patch their vulnerable assets without delay.

In this blog, we explain how the Citrix NetScaler CVE-2025-5777 vulnerability works and how organizations can defend against Citrix Bleed 2 attacks.


Citrix Bleed 2: CVE-2025-5777 Vulnerability Explained

Citrix NetScaler is a networking appliance that delivers application access across distributed enterprise environments. Originally developed to optimize traffic and improve the performance of web applications, NetScaler has evolved into a comprehensive solution for load balancing, SSL offloading, web application firewalling (WAF), secure remote access, and gateway functionalities such as VPN and ICA proxy for Citrix Virtual Apps and Desktops.

On June 17th, 2025, Citrix disclosed a critical pre-authentication memory leak vulnerability affecting Citrix NetScaler devices configured as a Gateway or AAA virtual server. CVE-2025-5777 is caused by insufficient input validation in how NetScaler processes HTTP POST requests to its authentication endpoint. Specifically, when an attacker submits a malformed login request that includes the login parameter without a value or equals sign, the backend C code responsible for parsing the request fails to safely initialize the corresponding variable. As a result, the system responds with residual stack memory data within an XML tag called <InitialValue>, leaking whatever uninitialized content was present in memory at that time.

CVE-2025-5777 has a CVSS score of 9.3 (Critical) and is named CitrixBleed 2 due to its striking similarity to the earlier CitrixBleed vulnerability, CVE-2023-4966.

How Does the Citrix NetScaler CVE-2025-5777 Exploit Work?

CVE-2025-5777 stems from how Citrix NetScaler handles login requests during the authentication process. Specifically, when a malformed HTTP POST request is sent to the authentication endpoint, the system fails to properly validate and initialize input from the login parameter [2]. If the request includes the login field without an equals sign or value, the backend interprets it as a valid field but leaves the associated memory uninitialized. The backend, written in C, then proceeds to handle this uninitialized variable as if it contained a legitimate username. Due to the absence of proper memory initialization, the system inadvertently includes leftover data from the stack in its response. This data leak occurs within the <InitialValue> tag of the XML response returned by the server. As a result, attackers can retrieve fragments of memory that may contain portions of previous HTTP requests, usernames, or other sensitive information.

The following example HTTP POST request can be used to test for the memory leak on vulnerable Citrix NetScaler devices. Note that the login parameter in the body carries neither an equals sign nor a value.

POST /p/u/doAuthentication.do HTTP/1.0
Host: <Vulnerable_Citrix_NetScaler_Device>
User-Agent: PicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicusPicus
Content-Length: 5
Connection: keep-alive

login

Citrix Bleed 2 CVE-2025-5777 Vulnerability Exploit
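To make the bug class described above concrete, here is an added, hypothetical C illustration (not NetScaler code, and not from Picus or watchTowr) of a form-field parser that leaves its value buffer untouched when the login key arrives without an equals sign, next to a hardened version that clears the buffer and rejects the malformed key. The "stale stack data" is modelled deterministically by an earlier, well-formed request that used the same buffer; field names and the XML wrapper follow the article.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the CVE-2025-5777 bug class, written for this
 * article; it is not NetScaler code. The parser looks up the "login" field in
 * a form body and copies its value into a fixed buffer. The vulnerable version
 * accepts a key with no '=' and never writes the buffer, so whatever was there
 * before (a planted earlier request, standing in for stale stack data) is
 * echoed back inside <InitialValue>. */
#define VALUE_MAX 64

static void copy_value(const char *p, char value[VALUE_MAX]) {
    size_t n = strcspn(p, "&");          /* value runs to the next '&' */
    if (n >= VALUE_MAX) n = VALUE_MAX - 1;
    memcpy(value, p, n);
    value[n] = '\0';
}

/* Vulnerable parser: reports success even when "login" has no '='; on that
 * path value[] is never written, so its old contents become the username. */
int parse_login_vulnerable(const char *body, char value[VALUE_MAX]) {
    const char *p = strstr(body, "login");
    if (p == NULL) return -1;            /* field absent: handled correctly */
    p += strlen("login");
    if (*p == '=') copy_value(p + 1, value);
    return 0;                            /* no '=': falls through uninitialised */
}

/* Hardened parser: clear the buffer first and reject a key without a value,
 * so no path can return stale bytes. */
int parse_login_fixed(const char *body, char value[VALUE_MAX]) {
    memset(value, 0, VALUE_MAX);
    const char *p = strstr(body, "login");
    if (p == NULL) return -1;
    p += strlen("login");
    if (*p != '=') return -1;            /* malformed: no value supplied */
    copy_value(p + 1, value);
    return 0;
}

/* Simulates two requests sharing one buffer: a well-formed login from an
 * earlier client, then the bare "login" body from the article. Returns 1 if
 * the earlier client's username ends up in the <InitialValue> reply. */
int leaks_residue(int (*parser)(const char *, char *)) {
    char value[VALUE_MAX], xml[128];
    parser("login=alice&passwd=hunter2", value);   /* earlier request */
    parser("login", value);                         /* malformed request */
    snprintf(xml, sizeof xml, "<InitialValue>%s</InitialValue>", value);
    return strstr(xml, "alice") != NULL;
}
```

On a real appliance the residue is whatever the stack held rather than a planted string, which is why repeated requests return different fragments of other sessions' data.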

How Picus Helps Simulate Citrix Bleed 2 CVE-2025-5777 Attacks

We also strongly suggest simulating the Citrix Bleed 2 CVE-2025-5777 vulnerability with the Picus Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

The Picus Threat Library includes the following threat for Citrix Bleed 2 CVE-2025-5777 vulnerability exploitation attacks:

Threat ID | Threat Name | Attack Module
67234 | Citrix Web Attack Campaign | Web Application

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777." Available: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420

[2] S. Kheirkhah, "How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)," watchTowr Labs, Jul. 04, 2025. Available: https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
