Critical ‘CitrixBleed 2’ Vulnerability Actively Exploited in the Wild

A critical security flaw, designated as CVE-2025-5777 and colloquially known as CitrixBleed 2, has been identified in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. This vulnerability is currently being actively exploited by malicious actors, posing significant risks to organizations worldwide.

Understanding the ‘CitrixBleed 2’ Vulnerability

The CitrixBleed 2 vulnerability arises from improper memory handling in the authentication code of Citrix NetScaler devices. Specifically, the flaw involves an uninitialized login variable combined with inadequate input validation and insufficient error handling in the authentication logic. Because the underlying code is written in C/C++, which does not automatically initialize local (stack) variables, a request that leaves the variable unset makes the handler read whatever the stack already held: residual data from earlier operations, which can include other users' requests.

This pre-authentication flaw allows unauthenticated attackers to craft malicious requests that leak uninitialized stack memory from affected NetScaler ADC and Gateway devices. The leaked data may include session tokens, passwords, and configuration values. Replaying a leaked session token lets an attacker hijack that user's session without ever presenting credentials or completing multi-factor authentication (MFA).

Affected Versions and Configurations

The vulnerability impacts multiple versions of NetScaler ADC and Gateway devices, including:

– NetScaler ADC and Gateway 14.1 before 14.1-43.56
– NetScaler ADC and Gateway 13.1 before 13.1-58.32
– NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS
– NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

The vulnerable code path is reachable only on devices configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN (CVPN), or RDP Proxy) or as an AAA virtual server. The attack targets the URL path `/p/u/doAuthentication.do` and requires no authentication, making it especially accessible to threat actors.

Exploitation Techniques

Attackers exploit this vulnerability through a systematic approach involving reconnaissance, enumeration, and repeated exploitation attempts:

1. Reconnaissance and Enumeration: Attackers scan for exposed Citrix NetScaler instances and verify their versions to identify vulnerable targets.

2. Exploitation: Malicious actors send crafted POST requests to the `/p/u/doAuthentication.do` endpoint, in the observed campaigns with an unusually large User-Agent header containing recognizable patterns. The technique that earned the flaw its CitrixBleed name is repetition: because every request reads fresh uninitialized stack memory, attackers resend an identical payload and harvest a new chunk of stack content from each response. The oversized User-Agent header plants distinctive markers such as THR-WAF-RESEARCH on the stack; when the same marker comes back inside the XML body of the HTTP response, the attacker has confirmed that memory disclosure works and can start sifting the leaked bytes for session tokens and other secrets.
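The request pattern described above (POSTs to the vulnerable endpoint, an oversized User-Agent carrying a marker string, and the same payload replayed to pull fresh stack memory each time) can be turned into a log-side detection. The script below is an added example and is not code from the article's author, Citrix or Akamai. The log format (`src_ip|method|path|user_agent|body_sha256`), the sample traffic, and the `MAX_UA_LEN` and `REPEAT_THRESHOLD` values are constructed for illustration; map the fields onto your own access-log format and tune the thresholds before relying on it.

```python
"""Flag CitrixBleed 2 style probing of /p/u/doAuthentication.do in access logs.

Added example, not code from the article's author, Citrix or Akamai. The log
format, sample lines and thresholds are constructed for illustration.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass

ENDPOINT = "/p/u/doAuthentication.do"
MAX_UA_LEN = 512                  # assumption: real browser UAs are far shorter
MARKERS = ("THR-WAF-RESEARCH",)   # marker string named in the article
REPEAT_THRESHOLD = 3              # assumption: identical payload from one IP


@dataclass(frozen=True)
class Request:
    src_ip: str
    method: str
    path: str
    user_agent: str
    body_sha256: str


def parse_line(line: str) -> Request:
    """Parse one constructed log line: src_ip|method|path|user_agent|body_sha256."""
    src_ip, method, path, user_agent, body_sha256 = line.rstrip("\n").split("|", 4)
    return Request(src_ip, method, path, user_agent, body_sha256)


def analyze(lines):
    """Return {src_ip: [reasons]} for sources whose POSTs to ENDPOINT look like probing."""
    probes = [r for r in (parse_line(l) for l in lines if l.strip())
              if r.method == "POST" and r.path == ENDPOINT]
    # Identical (IP, User-Agent, body) tuples: the "send the same payload again" loop.
    repeats = Counter((r.src_ip, r.user_agent, r.body_sha256) for r in probes)
    findings = {}
    for r in probes:
        reasons = set()
        if len(r.user_agent) > MAX_UA_LEN:
            reasons.add("oversized-user-agent")
        if any(m in r.user_agent for m in MARKERS):
            reasons.add("known-marker")
        if repeats[(r.src_ip, r.user_agent, r.body_sha256)] >= REPEAT_THRESHOLD:
            reasons.add("repeated-identical-payload")
        if reasons:
            findings.setdefault(r.src_ip, set()).update(reasons)
    return {ip: sorted(rs) for ip, rs in findings.items()}


def sample_lines():
    """Constructed traffic: one marker-stuffing scanner, one quiet repeater, benign logins."""
    body_a = hashlib.sha256(b"probe-payload-1").hexdigest()
    body_b = hashlib.sha256(b"login=alice&passwd=hunter2").hexdigest()
    scanner_ua = "THR-WAF-RESEARCH" + "A" * 600
    browser_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"
    lines = [f"203.0.113.10|POST|{ENDPOINT}|{scanner_ua}|{body_a}"] * 3
    lines += [f"192.0.2.55|POST|{ENDPOINT}|{browser_ua}|{body_a}"] * 3
    lines += [f"198.51.100.7|POST|{ENDPOINT}|{browser_ua}|{body_b}",
              f"198.51.100.7|GET|/vpn/index.html|{browser_ua}|-"]
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(sample_lines()).items():
        print(ip, ", ".join(reasons))
```

The marker and oversized User-Agent checks catch the noisy research-style scanners; the repeated-identical-payload check is the one that matters against a quieter attacker, since the leak only becomes useful when the same request is replayed many times. A legitimate user retrying a failed login will also trip that third check at a low threshold, so treat it as a triage signal and correlate it with the session-reuse indicators discussed later.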

Indicators of Compromise

Security researchers have observed significant scanning activity beginning July 8, 2025, with over 200,000 POST requests targeting the vulnerable endpoint across multiple hostnames and IP addresses. This large-scale scanning represents organized attempts to identify vulnerable NetScaler instances for potential exploitation.

Indicators of compromise include:

– Hijacked Citrix web sessions, which indicate that a leaked session token was replayed and MFA was bypassed.
– A single session token presented from multiple source IP addresses, including addresses with no plausible link to the user.
– LDAP queries linked to Active Directory reconnaissance activities.
– Use of tools like ADExplorer64.exe to map out Active Directory structures.
– Citrix sessions originating from data center IPs associated with consumer VPN providers, suggesting attacker obfuscation via anonymized infrastructure.
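Two of the indicators above, a session token presented from more than one source IP and sessions arriving from anonymizing or data-center ranges, can be checked together over exported session events. The script below is an added example, not code from the article's author or Citrix. The event format (`timestamp|session_id|src_ip`), the sample events, the ten-minute `WINDOW`, and the `SUSPECT_RANGES` list (a TEST-NET range standing in for a real feed of consumer-VPN and data-center prefixes) are all constructed for illustration; the session identifier would be whatever value your gateway logs for the session cookie.

```python
"""Detect one Gateway session presented from multiple source IPs.

Added example, not code from the article's author or Citrix. The event format,
sample events and the 'suspect' ranges are constructed for illustration; in
production the ranges would come from your VPN/data-center threat-intel feed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for consumer-VPN / data-center ranges (TEST-NET-3 here).
SUSPECT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
WINDOW = timedelta(minutes=10)   # assumption: a human cannot roam this fast


def parse_event(line: str):
    """Constructed format: ISO-8601 timestamp|session_id|src_ip."""
    ts, session_id, ip = line.strip().split("|")
    return datetime.fromisoformat(ts), session_id, ipaddress.ip_address(ip)


def is_suspect(ip) -> bool:
    """True when the address falls inside one of the suspect prefixes."""
    return any(ip in net for net in SUSPECT_RANGES)


def find_shared_sessions(lines):
    """Return {session_id: details} for sessions seen from two or more IPs."""
    by_session = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, session_id, ip = parse_event(line)
            by_session[session_id].append((ts, ip))
    report = {}
    for session_id, events in by_session.items():
        events.sort(key=lambda e: e[0])
        ips = {ip for _, ip in events}
        if len(ips) < 2:
            continue
        # Shortest gap between consecutive events that came from different IPs.
        fastest_switch = None
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and (fastest_switch is None or t2 - t1 < fastest_switch):
                fastest_switch = t2 - t1
        report[session_id] = {
            "ips": sorted(str(ip) for ip in ips),
            "switch_within_window": fastest_switch is not None and fastest_switch <= WINDOW,
            "suspect_ip": any(is_suspect(ip) for ip in ips),
        }
    return report


SAMPLE_EVENTS = [
    # S1: real user at 09:00, same token replayed from a suspect range 4 minutes later
    "2025-07-08T09:00:00|S1|198.51.100.20",
    "2025-07-08T09:04:00|S1|203.0.113.45",
    # S2: one user, one IP, never reported
    "2025-07-08T09:00:00|S2|192.0.2.9",
    "2025-07-08T09:30:00|S2|192.0.2.9",
    # S3: IP change hours apart from a non-suspect range; reported, but low confidence
    "2025-07-08T08:00:00|S3|192.0.2.9",
    "2025-07-08T12:00:00|S3|198.51.100.77",
]

if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_EVENTS).items():
        print(sid, info)
```

A session that switches source address within minutes and lands in a suspect range (S1 above) is the high-confidence case worth terminating on the spot; a switch hours apart between two ordinary addresses (S3) is what a laptop moving between networks looks like and needs a human decision. Address changes alone are therefore a ranking signal, not a verdict.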

Mitigation Measures

Organizations are strongly advised to take the following immediate actions:

1. Patch Affected Devices: Upgrade to the fixed builds listed above (or later). WAF rules and network restrictions reduce exposure but do not remove the flaw.

2. Terminate Active Sessions: Patching does nothing for a session that was already stolen, so once the fixed build is installed (on every node of an HA pair or cluster) administrators should terminate all active ICA and PCoIP sessions. Before doing so, review them for suspicious activity using the `show icaconnection` command and NetScaler Gateway > PCoIP > Connections, and record anything anomalous for the incident investigation. Then terminate the sessions with the following commands:

```
kill icaconnection -all
kill pcoipconnection -all
```

3. Implement Protective Rules: Akamai's security team released Rapid Rule 3000967 through its App & API Protector platform. Initially deployed with an Alert action on July 7, 2025, the rule was switched to Deny the following day after validation. Customers of other WAF vendors should confirm that an equivalent signature for POSTs to the vulnerable endpoint is in place; such rules buy time but are not a substitute for the patch.

4. Monitor for Indicators of Compromise: Implement additional monitoring for indicators of compromise, as the vulnerability’s pre-authentication nature and public proof-of-concept availability create substantial risk exposure.

5. Restrict External Access: If immediate installation of security updates is not possible, it is recommended that external access to NetScaler be limited via network ACLs or firewall rules.

Conclusion

The CitrixBleed 2 vulnerability poses a significant threat to organizations utilizing Citrix NetScaler ADC and Gateway devices. Given the active exploitation of this flaw, it is imperative for organizations to promptly apply security patches, terminate active sessions, and implement protective measures to safeguard their systems against potential attacks.