The cybersecurity community is once again sounding the alarm over a new vulnerability in Citrix NetScaler devices: this time it is CVE-2025-5777, also dubbed CitrixBleed 2. Following in the footsteps of the high-profile CitrixBleed vulnerability (CVE-2023-4966) disclosed in 2023, this newly disclosed flaw lets unauthenticated attackers read fragments of the appliance's memory, potentially including session tokens, credentials, or even administrative secrets.
In this post, we explain how the vulnerability works, what we have seen in the wild so far, and how organizations using Imperva solutions are already protected.
What Is CVE-2025-5777 and How Does It Work?
CVE-2025-5777 is a pre-authentication remote memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway appliances when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Rated 9.3 under CVSS v4, it lets an attacker read sensitive memory content simply by sending specially crafted HTTP requests to the vulnerable endpoint; no credentials are needed.
At the heart of the flaw is insufficient input validation that leaves a variable uninitialized. The vulnerable code sits behind the /p/u/doAuthentication.do endpoint, which handles authentication requests on NetScaler appliances. Sending an HTTP POST whose form body contains the parameter name login on its own, with no equals sign and no value, triggers the bug.
Here’s how it works in practice:
- An attacker sends an HTTP POST request to /p/u/doAuthentication.do with a bare login parameter (the name alone, with no equals sign or value).
- Because this malformed input is not validated, the variable that should hold the submitted login value is never initialized and still contains whatever an earlier request left on the stack.
- The server's XML response reflects that variable inside the <InitialValue> element, where it would normally echo the submitted login value, so the element comes back filled with leftover stack memory.
Each request can leak up to around 127 bytes of stale stack memory, and what comes back depends on what previous requests left behind, which means repeated requests return different fragments. The fragments may include sensitive information such as:
- Session cookies
- Authentication tokens (including nsroot admin tokens)
- User credentials in plaintext
- Other residual in-memory data
The attack is highly repeatable and cheap. An attacker can send the same request thousands of times, harvesting a different fragment of memory each time, until a usable session token or credential appears in the output.
Security researchers have demonstrated successful exploitation with publicly available proof-of-concept tools, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog, confirming that it is being exploited in the wild.
What We’ve Seen So Far
Since the disclosure of CVE-2025-5777, we have observed increasing attack activity targeting potentially vulnerable Citrix NetScaler instances worldwide. Attackers appear to be scanning extensively for exposed appliances and attempting to exploit the memory leak vulnerability to harvest sensitive data.
Here’s what we’ve seen so far:
- Over 11.5 million attack attempts, targeting thousands of sites.
- Almost 40% of attacks targeting sites in the Financial Services industry.
- The US, Japan, and Spain collectively accounting for over 75% of attacks.
Many of these attacks are opportunistic, leveraging automated tools to indiscriminately scan large sections of the internet.
Imperva Customers Are Protected
Organizations protected by Imperva are already safeguarded against CVE-2025-5777 attacks, as well as against the original CitrixBleed vulnerability, CVE-2023-4966.
Our Web Application Firewall (WAF) and API Security solutions include protections that detect and block malicious requests attempting to exploit this memory disclosure vulnerability. Specifically, our threat research team has deployed targeted signatures that:
- Detect malformed HTTP POST requests to the vulnerable Citrix endpoint.
- Identify unusual requests attempting to trigger memory leaks through missing or malformed parameters.
- Block known exploitation patterns based on proof-of-concept tools and in-the-wild attack traffic.
Additionally, we are continuously monitoring for new variants of this attack. If attackers modify their techniques or delivery mechanisms, Imperva customers will receive updates automatically.
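To make the exploitation sequence described earlier and the request-side signature listed above concrete, here is an added Python example. It was written for this post and is not Imperva's rule logic or Citrix code. It parses raw HTTP exchanges, flags a POST to /p/u/doAuthentication.do whose form body carries a bare login field, checks whether the response's <InitialValue> element came back non-empty, and tallies attempts per source address. The traffic samples, the simplified response XML shape, and the helper names (build_post, build_response, classify_exchange, summarise) are constructed for illustration.

```python
"""Added example: flag CVE-2025-5777 (CitrixBleed 2) exploit attempts in captured
HTTP traffic. Independent illustration, not vendor signature logic or Citrix
code; every request, response and address below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

VULN_PATH = "/p/u/doAuthentication.do"
INITIAL_VALUE_RE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.DOTALL)


@dataclass
class HttpRequest:
    method: str
    path: str
    body: str


def parse_request(raw: str) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line, then the body after the blank line."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    return HttpRequest(method.upper(), urlsplit(target).path, body)


def form_fields(body: str) -> list[tuple[str, Optional[str]]]:
    """Split a form-urlencoded body into (name, value) pairs. A field with no '='
    is kept with value None: that bare form of the login field is exactly what
    the appliance mishandles, so the parser must not silently normalise it.
    Names are percent-decoded so an encoded name (e.g. %6Cogin) still matches."""
    fields = []
    for part in body.split("&"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        fields.append((unquote_plus(name), value if sep else None))
    return fields


def is_exploit_attempt(req: HttpRequest) -> bool:
    """Request-side signature: POST to the authentication endpoint carrying a
    bare 'login' field. 'login=' with an empty value is not the bug's trigger."""
    if req.method != "POST" or req.path != VULN_PATH:
        return False
    return any(name == "login" and value is None for name, value in form_fields(req.body))


def leaked_bytes(response_body: str) -> Optional[str]:
    """Response-side check: content of <InitialValue>. The appliance reflects the
    submitted login value here, so when the request sent no value at all,
    anything non-empty is memory that leaked."""
    m = INITIAL_VALUE_RE.search(response_body)
    return m.group(1) if m and m.group(1) else None


def classify_exchange(raw_request: str, raw_response: str) -> str:
    """'benign', 'attempt' (exploit-shaped request, nothing came back) or
    'leak' (exploit-shaped request whose response carried data in <InitialValue>)."""
    req = parse_request(raw_request)
    if not is_exploit_attempt(req):
        return "benign"
    return "leak" if leaked_bytes(raw_response) else "attempt"


def summarise(exchanges: list[tuple[str, str, str]]) -> dict[str, dict[str, int]]:
    """Per-source counts of attempts and confirmed leaks. Many hits from one source
    against this endpoint is the 'harvest a fragment per request' pattern."""
    counts: dict[str, dict[str, int]] = {}
    for ip, raw_req, raw_resp in exchanges:
        verdict = classify_exchange(raw_req, raw_resp)
        if verdict == "benign":
            continue
        counts.setdefault(ip, {"attempt": 0, "leak": 0})[verdict] += 1
    return counts


# Constructed sample traffic (not real captures); the response XML is simplified.
def build_post(body: str) -> str:
    return (f"POST {VULN_PATH} HTTP/1.1\r\nHost: gateway.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def build_response(initial_value: str) -> str:
    return ("HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n"
            "<Requirements><Requirement>"
            f"<InitialValue>{initial_value}</InitialValue>"
            "</Requirement></Requirements>")


SAMPLE_EXCHANGES = [
    # Normal login: the appliance echoes the submitted username back.
    ("203.0.113.7", build_post("login=alice&passwd=hunter2"), build_response("alice")),
    # Exploit-shaped request against a patched appliance: element comes back empty.
    ("198.51.100.9", build_post("login"), build_response("")),
    # Same request against an unpatched appliance: stale memory (constructed) comes back.
    ("198.51.100.9", build_post("login"), build_response("\x7f\x01NSC_AAAC=0a1b2c3d4e5f")),
    # Bare login mixed with other fields still triggers; more constructed leak bytes.
    ("198.51.100.9", build_post("login&passwd=x"), build_response("\x02\x10user=svc_backup")),
]


if __name__ == "__main__":
    for ip, raw_req, raw_resp in SAMPLE_EXCHANGES:
        print(ip, classify_exchange(raw_req, raw_resp))
    print(summarise(SAMPLE_EXCHANGES))
```

Decoding the field name with unquote_plus is a defensive choice so that a percent-encoded name is still caught; login= with an empty value is deliberately not flagged, because the bug needs the bare key with no equals sign. A non-empty <InitialValue> is only meaningful alongside the request that produced it: a legitimate login echoes the submitted username in the same element, so the response check on its own would produce false positives.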
Recommendations and Next Steps
If your organization uses Citrix NetScaler ADC or Gateway appliances, we strongly recommend the following actions:
- Apply Citrix patches immediately. Citrix has released security updates that address CVE-2025-5777, and patching is the only complete fix. After upgrading, terminate all active ICA and PCoIP sessions on the appliance, because session tokens that were harvested before the patch remain valid until the sessions holding them are killed; a WAF in front of the appliance blocks new leaks but cannot invalidate tokens that were already taken.
- Ensure your Imperva WAF is up to date and in blocking mode. Imperva Cloud WAF (CWAF) customers and WAF Gateway (WAF GW) customers with Threat Radar receive the rule automatically; other WAF GW customers will receive it in the next ADC content update.
- Review security logs for indicators of exploit attempts: POST requests to /p/u/doAuthentication.do whose body contains a bare login parameter, and unusually high request volumes to that endpoint from a single source. If you find such traffic that predates your patch, treat sessions and credentials that were active on the appliance at the time as potentially exposed, and invalidate or rotate them.
Closing Thoughts
CVE-2025-5777 is another stark reminder of the risk posed by edge devices and authentication systems exposed to the internet. A memory disclosure vulnerability can be as damaging as remote code execution when the leaked bytes are live session tokens: an attacker who replays one walks straight past the login, including multi-factor authentication, which is exactly how the original CitrixBleed was abused.
All organizations running Citrix NetScaler solutions should take immediate action, but for Imperva customers, the good news is that protections are already in place. Our WAF and API Security solutions will continue to block exploit attempts while customers work to patch affected systems.