{"id":3893,"date":"2025-07-09T23:37:37","date_gmt":"2025-07-09T23:37:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3893"},"modified":"2025-07-09T23:37:37","modified_gmt":"2025-07-09T23:37:37","slug":"exploit-details-released-for-citrix-bleed-2-flaw-affecting-netscaler","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3893","title":{"rendered":"Exploit details released for Citrix Bleed 2 flaw affecting NetScaler"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have released a technical analysis and proof-of-concept exploit code for a critical vulnerability fixed last month in Citrix NetScaler appliances that is suspected to have been exploited in the wild, though in a limited capacity and without official confirmation from Citrix. Companies are urged to deploy the patches and use published indicators of compromise (IoCs) to check their appliances for signs of breach.<\/p>\n<p>The vulnerability, tracked as <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX693420\">CVE-2025-5777<\/a> and dubbed Citrix Bleed 2 in the security community, <a href=\"https:\/\/www.csoonline.com\/article\/4014701\/patch-now-citrix-bleed-2-vulnerability-actively-exploited-in-the-wild.html\">was patched on June 17 alongside another high-risk flaw identified as CVE-2025-5349<\/a>. 
Although the initial advisory doesn\u2019t mention in-the-wild exploitation and hasn\u2019t been updated since, researchers from security firm ReliaQuest reported on June 26 that <a href=\"https:\/\/reliaquest.com\/blog\/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices\/\">they believe with medium confidence that attackers are already exploiting the vulnerability<\/a> to bypass authentication and multifactor authentication.<\/p>\n<h2 class=\"wp-block-heading\">Vulnerability confusion<\/h2>\n<p>Meanwhile, a third Citrix vulnerability was patched on June 25, tracked as <a href=\"https:\/\/support.citrix.com\/support-home\/kbsearch\/article?articleNumber=CTX694788\">CVE-2025-6543<\/a> for which there are signs of active exploitation, <a href=\"https:\/\/www.netscaler.com\/blog\/news\/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777\/\">according to Citrix\u2019s Cloud Software Group, which manages NetScaler.<\/a><\/p>\n<p>This has caused confusion in the security community as to which flaw is being targeted by attackers, CVE-2025-5777 or CVE-2025-6543, or both. 
IoCs for CVE-2025-6543 are available on request from the Citrix Cloud Software Group, but there has been no such information for CVE-2025-5777 until this week, given that Citrix hasn\u2019t seen any evidence of active exploits.<\/p>\n<p>Researchers from security firms watchTowr and Horizon3.ai have independently reverse-engineered the patches and have published analyses and IoCs for the vulnerability they believe to be CVE-2025-5777, with the goal of helping organizations develop detections amid the confusion.<\/p>\n<p>\u201cWe have been actively engaged behind the scenes, sharing information and reproducers with the watchTowr Platform user base, who rely on our technology to rapidly determine their exposure, and numerous industry bodies to do our part in a broader global response,\u201d researchers from watchTowr wrote in <a href=\"https:\/\/labs.watchtowr.com\/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777\/\">their in-depth report<\/a>. \u201cWe have been led to believe that information sharing in the form of IoCs, exploitation artefacts, and more items that would be helpful for Citrix NetScaler end users has been \u2026 \u2018minimal,\u2019 which puts these users in a tough position when determining if they need to sound an internal alarm.\u201d<\/p>\n<p>In a separate report, <a href=\"https:\/\/horizon3.ai\/attack-research\/attack-blogs\/cve-2025-5777-citrixbleed-2-write-up-maybe\/\">researchers from Horizon3 said<\/a>: \u201cWhile we\u2019ve developed a working exploit for one of these issues\u2026 it\u2019s kinda hard to know which is which given the sparse technical details in the advisories. That said, based on the descriptions of the issues, the similarities to Citrix Bleed, and the versions of Citrix NetScaler available to us for testing, we believe we\u2019ve developed a working exploit for CVE-2025-5777. 
It\u2019s also totally possible we\u2019ve stumbled upon some other related issue that was inadvertently patched in these releases.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Similarities to the original Citrix Bleed<\/h2>\n<p>CVE-2025-5777 has been dubbed Citrix Bleed 2 due to its similarities to <a href=\"https:\/\/www.csoonline.com\/article\/657085\/citrix-urges-immediate-patching-of-critically-vulnerable-product-lines.html\">a zero-day information disclosure vulnerability fixed in October 2023<\/a> (<a href=\"https:\/\/support.citrix.com\/external\/article?articleUrl=CTX579459-netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967\">CVE-2023-4966<\/a>) that received the Citrix Bleed moniker because it enabled attackers to leak session tokens from memory, allowing for session takeover with multifactor authentication bypass.<\/p>\n<p>Similarly, CVE-2025-5777 can lead to a memory overread condition through crafted HTTP requests sent to a specific web application endpoint called doAuthentication.do. This leaks internal memory, 127 bytes at a time, which could contain authentication tokens and other sensitive information.<\/p>\n<p>During their testing, the watchTowr researchers didn\u2019t manage to find any authentication cookies, session IDs, or passwords in the leaked content, but noted that on a production appliance with more user connections, things will likely be different. Meanwhile the Horizon3 researchers did obtain legitimate user session tokens by running the exploit for longer on their test appliance.<\/p>\n<p>\u201cThis isn\u2019t just limited to endpoints accessible to normal users,\u201d the Horizon3 researchers wrote. 
\u201cThe configuration utilities administrators use to manage NetScaler Gateway endpoints ALSO utilize this memory space, meaning those tokens are vulnerable to theft as well.\u201d<\/p>\n<p>The flaw affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization and auditing (AAA) virtual server. There are no manual workarounds or mitigations aside from applying the patches. Organizations that haven\u2019t updated yet should deploy the latest available builds for their release branches, which will include fixes for the confirmed actively exploited CVE-2025-6543 vulnerability as well.<\/p>\n<h2 class=\"wp-block-heading\">Detecting compromise<\/h2>\n<p>In terms of IoCs, the Horizon3 researchers advise searching ns.log for log entries with non-printable characters, which can be a good indicator that something is not right.<\/p>\n<p>\u201cThe Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted,\u201d the Horizon3 researchers concluded. 
\u201cEntries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens.\u201d<\/p>\n<p>Administrators are also advised to audit all active sessions on their appliances, which can be done from the interface at \u201cNetScaler Gateway -&gt; Active User Sessions -&gt; Select applicable context -&gt; Continue\u201d or from the command line with the show sessions or show &lt;service&gt; session commands.<\/p>\n<p>If an appliance is compromised, attackers are likely to add backdoor accounts, dump and modify the appliance configuration with persistence mechanisms, and deploy remote access tools \u2014 all actions taken during the original Citrix Bleed exploitation as well.<\/p>\n<p>Such modifications should be captured by logs, but the researchers warn that if admin sessions or credentials are compromised, the attackers would have access to modify logging configurations.<\/p>\n<p>\u201cIf configuration backups are in place, showing the current running config via show ns runningConfig -withDefaults and comparing it to a known-good backup with some sort of diffing utility (such as via diff -u backup.config current.config) is a good starting point,\u201d the Horizon3 researchers said.<\/p>\n<p>Meanwhile, watchTowr researchers released proof-of-concept HTTP requests and responses that can be used to build scanning scripts to determine the exploitability of NetScaler appliances against this flaw.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have released a technical analysis and proof-of-concept exploit code for a critical vulnerability fixed last month in Citrix NetScaler appliances that is suspected to have been exploited in the wild, though in a limited capacity and without official confirmation from Citrix. 
Companies are urged to deploy the patches and use published indicators of [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3894,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3893"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3893"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3893\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3894"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}