
Researchers have released proof-of-concept (PoC) exploits for an important Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploited and can successfully be used to steal user sessions.
The CitrixBleed 2 vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows attackers to retrieve memory contents simply by sending POST requests during login attempts.
The flaw was named CitrixBleed2 because it closely resembles the original CitrixBleed (CVE-2023-4966) from 2023, which was exploited by ransomware gangs and in attacks on governments to hijack user sessions and breach networks.
In technical analyses released by watchTowr and then Horizon3, the researchers confirmed that the vulnerability can be exploited by sending a malformed login request in which the login= parameter is modified so that it is sent without an equal sign or value.
This causes the NetScaler appliance to return memory contents up to the first null character.

The flaw is caused by the use of the snprintf function with a format string containing the %.*s format specifier.
“The %.*s format tells snprintf: ‘Print the characters, or stop at the first null byte (\0) – whichever comes first.’ This null byte eventually appears somewhere in memory, so while the leak does not last indefinitely, you still get a handful of bytes with each call,” explains the watchTowr report.
“So, every time you hit that endpoint without any =, you draw more uninitialized stack data into the response.”
According to Horizon3, each request leaks about 127 bytes of data, allowing attackers to send repeated HTTP requests to extract additional memory contents until they find sensitive data.
While watchTowr’s efforts failed, Horizon3 demonstrated in a video that they could exploit this flaw to steal user session tokens.
In addition to NetScaler endpoints, Horizon3 states that the flaw can also be exploited against the configuration utilities used by administrators.
Exploited or not?
Citrix continues to state that the flaw is not being actively exploited, and when BleepingComputer first inquired about its status, the company referred us to a blog post about the vulnerability.
“Currently, there is no evidence to suggest exploitation of CVE-2025-5777,” reads the blog post.
However, a June 1 report by cybersecurity firm ReliaQuest indicates there is evidence that CVE-2025-5777 may be exploited in attacks, with the company seeing an increase in user session hijacking.
In addition, security researcher Kevin Beaumont disputes Citrix’s statement, saying that the vulnerability has been actively exploited since mid-June, with attackers taking advantage of the bug to dump memory and hijack sessions.
He highlighted the following indicators of compromise:
- In NetScaler logs, repeated POST requests to *doAuthentication* – each one yields 126 bytes of RAM
- In NetScaler logs, requests to doAuthentication.do with “Content-Length: 5”
- In NetScaler user logs, lines with *LOGOFF* and user = “*#*” (i.e. # symbol in the username). RAM is played into the wrong field.
Beaumont warned, “I was able to find exploitation activity only because of the watchTowr and Horizon3 write-ups.”
“Citrix support would not disclose any IOCs and incorrectly claimed (again – with CitrixBleed) that there was no exploitation in the wild. Citrix has become better on it, they are harming customers.”
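The three indicators listed above can be checked together in one pass over exported log lines. The script below is an added example, not code from Beaumont, Citrix or either research team. The key=value log layout, the field names (src, method, uri, content_length, event, user) and the burst threshold are assumptions made for illustration and must be adapted to the actual log export.

```python
import re
from collections import Counter

# Constructed sample lines. The key=value layout is an assumption for this
# example, not a documented NetScaler format; IPs are documentation ranges.
SAMPLE_LOG = """\
ts=2025-07-01T10:00:01 src=203.0.113.7 method=POST uri=/doAuthentication.do content_length=5
ts=2025-07-01T10:00:01 src=203.0.113.7 method=POST uri=/doAuthentication.do content_length=5
ts=2025-07-01T10:00:02 src=203.0.113.7 method=POST uri=/doAuthentication.do content_length=5
ts=2025-07-01T10:03:10 src=198.51.100.20 method=POST uri=/doAuthentication.do content_length=41
ts=2025-07-01T10:09:44 src=198.51.100.20 event=LOGOFF user="alice"
ts=2025-07-01T10:11:02 src=203.0.113.7 event=LOGOFF user="k#2f"
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def triage(text, burst=3):
    """Flag the three indicators; burst is an assumed per-source threshold."""
    posts = Counter()
    hits = {"repeated_post": [], "content_length_5": [], "hash_in_user": []}
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse(line)
        uri = rec.get("uri", "").lower()
        if "doauthentication" in uri:
            # Indicator 1: count authentication POSTs per source address.
            if rec.get("method") == "POST":
                posts[rec.get("src", "unknown")] += 1
            # Indicator 2: a five-byte request body on doAuthentication.do.
            if rec.get("content_length") == "5":
                hits["content_length_5"].append(n)
        # Indicator 3: LOGOFF line whose user field contains a '#'.
        if "LOGOFF" in line and "#" in rec.get("user", ""):
            hits["hash_in_user"].append(n)
    hits["repeated_post"] = sorted(s for s, c in posts.items() if c >= burst)
    return hits

if __name__ == "__main__":
    for indicator, found in triage(SAMPLE_LOG).items():
        print(indicator, found)
```

The line numbers returned for the second and third indicators point back into the input, so flagged entries can be reviewed alongside the sessions active at that time.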
Citrix has released patches to address CVE-2025-5777, and all organizations are strongly urged to apply them immediately now that public exploits are available.
While Citrix recommends terminating all active ICA and PCoIP sessions, administrators should review existing sessions for any suspicious activity before doing so.


