Security researchers at WatchTowr have published comprehensive technical details and a detection script to help organizations identify exploitation attempts targeting the recently disclosed CitrixBleed 2 vulnerability (CVE-2025-5777). This critical security flaw affects Citrix NetScaler ADC and Gateway devices and has raised significant concerns across the cybersecurity community due to its potential to expose sensitive information.
Understanding CitrixBleed 2
CitrixBleed 2 is a pre-authentication memory leak vulnerability that allows remote attackers to extract uninitialized memory content from vulnerable Citrix appliances. By sending specially crafted HTTP requests, threat actors can potentially obtain authentication tokens and other sensitive data.
WatchTowr’s Detection Approach
To assist defenders, WatchTowr has developed and released a detection script that enables security teams to proactively identify systems vulnerable to CitrixBleed 2. The detection method is both straightforward and effective:
- Detection Technique: The script sends a specifically crafted HTTP POST request to the /p/u/doAuthentication.do endpoint of the target Citrix NetScaler device. The request includes a unique User-Agent string and a malformed login parameter, intentionally omitting the equals sign and value.
- Response Analysis:
  - On a vulnerable system, the server responds with an XML payload containing an <InitialValue> tag populated with uninitialized memory data. This may include sensitive information inadvertently leaked from the device’s memory.
  - On a patched or non-vulnerable system, the <InitialValue> tag is empty, indicating that no memory leak has occurred.
Example Request and Response
Request:
POST /p/u/doAuthentication.do HTTP/1.0
Host: target
User-Agent: watchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowr
Content-Length: 5
Connection: keep-alive
login
Vulnerable Response:
<InitialValue>random_memory_data_here</InitialValue>
Patched Response:
<InitialValue></InitialValue>
Additional Detection and Forensic Guidance
In addition to the detection script, WatchTowr and the wider security community have provided further recommendations for defenders:
- Log Analysis: Monitoring logs for unusually large HTTP responses from authentication endpoints and inspecting for unexpected Set-Cookie: NSC_USER= headers can help identify exploitation attempts.
- Sigma Rules: Community-contributed Sigma rules are available to automate detection within Security Information and Event Management (SIEM) systems.
- Forensic Review: Reviewing /var/log/ns.log and HTTP_ACCESS.log on Citrix appliances may reveal abnormal request patterns or response sizes indicative of exploitation.
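The following Python is an added example for the response-analysis step described above and for the log-analysis and forensic-review guidance; it is not WatchTowr's detection script and sends no requests. It classifies a doAuthentication.do response body you have already captured from your own appliance by the <InitialValue> content, checks a raw response header block for the unexpected NSC_USER cookie, and scans access-log lines for clients that POST to /p/u/doAuthentication.do and draw unusually large responses or bursts of requests. The log layout (LOG_RE), the size and burst thresholds, and the sample log lines are constructed assumptions, not the native NetScaler HTTP_ACCESS.log format; adapt the pattern to your real log source.

```python
"""Defender-side checks for the CitrixBleed 2 (CVE-2025-5777) indicators.

Added example, not WatchTowr's script. It never sends a request: it classifies a
response body you already captured from your own appliance, checks response headers
for the unexpected NSC_USER cookie, and scans access-log lines for the pattern.
"""
import re
from collections import defaultdict

AUTH_ENDPOINT = "/p/u/doAuthentication.do"

# Any content inside <InitialValue> is the vulnerable signature; an empty tag is patched.
INITIAL_VALUE_RE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.S)

# Constructed Common-Log-Format-style line layout (an assumption, not the NetScaler format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify_response(body: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a doAuthentication.do response body."""
    m = INITIAL_VALUE_RE.search(body)
    if m is None:
        return "unknown"  # no InitialValue tag at all: not the expected response shape
    return "vulnerable" if m.group(1).strip() else "patched"


def unexpected_nsc_user_cookie(raw_headers: str) -> bool:
    """True if a pre-authentication response sets an NSC_USER cookie, which it should not."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie" and value.strip().startswith("NSC_USER="):
            return True
    return False


def scan_access_log(lines, size_threshold=400, burst_threshold=5):
    """Flag clients whose POSTs to the auth endpoint draw large responses or come in bursts."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"] != AUTH_ENDPOINT:
            continue
        size = int(m["size"]) if m["size"].isdigit() else 0
        per_client[m["ip"]].append(size)
    findings = []
    for ip, sizes in per_client.items():
        reasons = []
        large = [s for s in sizes if s >= size_threshold]
        if large:
            reasons.append(f"{len(large)} response(s) >= {size_threshold} bytes")
        if len(sizes) >= burst_threshold:
            reasons.append(f"{len(sizes)} POSTs to {AUTH_ENDPOINT}")
        if reasons:
            findings.append({"client": ip, "posts": len(sizes), "reasons": reasons})
    return findings


# Constructed sample log: one client hammering the endpoint and receiving large responses,
# one ordinary login with a small response. Addresses are from documentation ranges.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Jun/2025:10:00:01 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 612 "-" "watchTowrwatchTowr"',
    '203.0.113.7 - - [17/Jun/2025:10:00:02 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 640 "-" "watchTowrwatchTowr"',
    '203.0.113.7 - - [17/Jun/2025:10:00:03 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 598 "-" "watchTowrwatchTowr"',
    '203.0.113.7 - - [17/Jun/2025:10:00:04 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 701 "-" "watchTowrwatchTowr"',
    '203.0.113.7 - - [17/Jun/2025:10:00:05 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 655 "-" "watchTowrwatchTowr"',
    '198.51.100.9 - - [17/Jun/2025:10:05:00 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 85 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Jun/2025:10:05:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(classify_response("<InitialValue>random_memory_data_here</InitialValue>"))
    print(classify_response("<InitialValue></InitialValue>"))
    for finding in scan_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
```

The size threshold is the key tuning knob: establish a baseline response size for the endpoint from your own normal traffic first, because a healthy login response is small and the leak shows up as a sustained step change in size from a single client rather than as a one-off outlier.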
Recommendations
Organizations using Citrix NetScaler ADC and Gateway devices are strongly advised to:
- Immediately apply security patches provided by Citrix to address CVE-2025-5777.
- Leverage WatchTowr’s detection script and associated guidance to assess their environments for signs of exploitation.
- Monitor network and authentication logs for suspicious activity related to the vulnerability.
References
- WatchTowr Labs: Technical Analysis and Detection Script
- Picus Security: CVE-2025-5777 Explained
- GBHackers: CitrixBleed 2 PoC
- GitHub: CitrixBleed 2 PoC