PoC Exploits Released for Critical Citrix Bleed 2 Vulnerability (CVE-2025-5777)

Proof-of-concept (PoC) exploits for a critical vulnerability in Citrix NetScaler ADC and NetScaler Gateway—dubbed Citrix Bleed 2—have been publicly released. Security researchers warn the flaw, tracked as CVE-2025-5777, is easily exploitable and can be used to steal user session tokens.
The vulnerability has drawn comparisons to Citrix Bleed (CVE-2023-4966), a notorious 2023 flaw that allowed unauthenticated attackers to hijack authentication session cookies on vulnerable Citrix appliances. The newly discovered issue bears striking similarities, prompting cybersecurity expert Kevin Beaumont to nickname it Citrix Bleed 2.
While Citrix has claimed there are no confirmed cases of in-the-wild exploitation, security firm ReliaQuest reported suspicious activity tied to the vulnerability as early as late June. Beaumont, who first spotlighted the new flaw, has directly challenged Citrix’s narrative.
"Citrix support is not sharing any indicators of compromise and is falsely claiming (once again, as with the original Citrix Bleed) that no exploits exist. Citrix needs to improve here—they are harming their customers," Beaumont wrote in a recent post.
Beaumont insists the vulnerability has been actively exploited since mid-June, with attackers using it to extract memory contents and hijack active sessions.
Technical Breakdown
CVE-2025-5777 is an out-of-bounds read in NetScaler ADC and NetScaler Gateway. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN (CVPN) or RDP Proxy) or as an AAA virtual server. An attacker exploits it by sending a malformed POST request to the login endpoint; no credentials are needed, and the response carries back a slice of the appliance's memory.
Citrix has issued patches and strongly advises administrators to terminate all active ICA and PCoIP sessions after upgrading. Patching stops further leaks but does nothing about tokens already taken: a session hijacked before the update stays valid until it is killed, which is why the same guidance was issued during the original Citrix Bleed incident.
Security researchers from watchTowr and Horizon3 have published in-depth technical analyses of the vulnerability. Both found that the flaw is triggered by submitting the login form with a bare login parameter, with neither the equals sign nor a value (login rather than login=user). On that input the NetScaler appliance returns up to 127 bytes of memory inside the <InitialValue></InitialValue> element of the XML response, where the submitted username would normally be echoed back.
The underlying cause appears to be a misuse of snprintf with the %.*s format specifier. The precision argument caps how many bytes are copied from the source string, here 127, but it does not make the source valid: when the request omits the login value, the variable that should hold it is never populated, and snprintf copies whatever bytes happen to sit in that memory until it reaches a NUL byte or the 127-byte cap. Each request therefore leaks only a small, bounded slice, but nothing stops an attacker from repeating the request thousands of times and reassembling the fragments, which is where session tokens can turn up.
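As an added illustration (not code from this page, from Citrix, or from the watchTowr and Horizon3 write-ups), the C program below models the pattern described above: a simplified login-form parser, a vulnerable renderer that leaves its value buffer untouched when the login parameter arrives without = or a value and then formats that buffer with %.*s, and a hardened renderer beside it. The parser, the function names and the stale cookie string are all constructed for the demonstration; NetScaler's real code is not public. Stale memory is simulated by pre-filling the buffer, because reading genuinely uninitialised memory is undefined behaviour and would not give a repeatable result.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LOGIN 127   /* precision handed to %.*s: at most 127 bytes come back */

enum login_kind { LOGIN_ABSENT, LOGIN_BARE, LOGIN_VALUE };

/* Find the login parameter in a form-encoded body ("login=alice&passwd=x").
 * "login=..." sets *val/*len and returns LOGIN_VALUE; a bare "login" token with
 * no '=' and no value (the malformed input from the analyses) returns LOGIN_BARE. */
static enum login_kind find_login(const char *body, const char **val, size_t *len)
{
    const char *p = body;
    for (;;) {
        const char *end = strchr(p, '&');
        size_t toklen = end ? (size_t)(end - p) : strlen(p);
        if (toklen == 5 && memcmp(p, "login", 5) == 0)
            return LOGIN_BARE;
        if (toklen >= 6 && memcmp(p, "login=", 6) == 0) {
            *val = p + 6;
            *len = toklen - 6;
            return LOGIN_VALUE;
        }
        if (end == NULL)
            return LOGIN_ABSENT;
        p = end + 1;
    }
}

/* Vulnerable pattern: `value` is written only when the parameter is well-formed.
 * For a bare "login" it keeps whatever the buffer already held (on the appliance,
 * stale stack memory) and %.*s copies that into the response until the first NUL
 * byte or 127 bytes, whichever comes first. */
static int render_vulnerable(const char *body, char value[MAX_LOGIN + 1],
                             char *out, size_t outsz)
{
    const char *v; size_t vlen;
    if (find_login(body, &v, &vlen) == LOGIN_VALUE) {
        if (vlen > MAX_LOGIN) vlen = MAX_LOGIN;
        memcpy(value, v, vlen);
        value[vlen] = '\0';
    }
    /* BUG: no else branch, so `value` is never initialised on the bare-"login" path */
    return snprintf(out, outsz, "<InitialValue>%.*s</InitialValue>", MAX_LOGIN, value);
}

/* Hardened form: every path assigns `value`, and the precision passed to %.*s is
 * the byte count actually copied, so snprintf never reads beyond this request's data. */
static int render_fixed(const char *body, char value[MAX_LOGIN + 1],
                        char *out, size_t outsz)
{
    const char *v; size_t vlen = 0;
    if (find_login(body, &v, &vlen) == LOGIN_VALUE) {
        if (vlen > MAX_LOGIN) vlen = MAX_LOGIN;
        memcpy(value, v, vlen);
    }
    value[vlen] = '\0';
    return snprintf(out, outsz, "<InitialValue>%.*s</InitialValue>", (int)vlen, value);
}

/* Constructed stand-in for stale stack contents (another user's session cookie
 * left behind by an earlier request). Not taken from a real appliance. */
static const char STALE[] = "NSC_AAAC=c0ffee1234abcd5678; lastuser=bob";

/* 1 if a bare "login" makes the vulnerable renderer echo the stale bytes. */
int vulnerable_leaks_stale(void)
{
    char value[MAX_LOGIN + 1], out[256];
    memcpy(value, STALE, sizeof STALE);   /* simulate leftovers from a previous request */
    render_vulnerable("login", value, out, sizeof out);
    return strstr(out, "NSC_AAAC=c0ffee1234abcd5678") != NULL;
}

/* 1 if the hardened renderer returns an empty element for the same request. */
int fixed_is_clean(void)
{
    char value[MAX_LOGIN + 1], out[256];
    memcpy(value, STALE, sizeof STALE);
    render_fixed("login", value, out, sizeof out);
    return strcmp(out, "<InitialValue></InitialValue>") == 0;
}

/* 1 if the hardened renderer still echoes a well-formed login value. */
int fixed_echoes_wellformed(void)
{
    char value[MAX_LOGIN + 1], out[256];
    render_fixed("login=alice&passwd=hunter2", value, out, sizeof out);
    return strcmp(out, "<InitialValue>alice</InitialValue>") == 0;
}

int main(void)
{
    printf("vulnerable renderer leaks stale data: %d\n", vulnerable_leaks_stale());
    printf("hardened renderer returns empty tag:  %d\n", fixed_is_clean());
    printf("hardened renderer echoes login:       %d\n", fixed_echoes_wellformed());
    return 0;
}
```

Build with `cc -Wall leak.c && ./a.out`. The point of the side-by-side is that the fix is not about the 127-byte cap, which the vulnerable version already has; it is about guaranteeing that the buffer behind %.*s holds only bytes this request wrote, and passing the real copied length as the precision so the cap and the data agree.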
Horizon3 released a demonstration video showing successful theft of session tokens using this technique. Researchers at watchTowr, by contrast, were unable to extract tokens in their testing, which suggests that what ends up in the leaked bytes depends on the appliance's environment and configuration.
Conclusion
Although Citrix maintains that there are no confirmed attacks involving Citrix Bleed 2, mounting evidence from researchers suggests otherwise. As PoC code circulates online and attackers grow increasingly opportunistic, organizations using affected NetScaler devices should apply patches immediately and follow session termination guidance to mitigate risk.