Hackers Actively Exploiting CitrixBleed 2 Vulnerability in the Wild
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Researchers have observed widespread exploitation attempts targeting a critical memory disclosure vulnerability in Citrix NetScaler devices, designated as CVE-2025-5777 and dubbed \u201cCitrixBleed 2<\/a>.\u201d\u00a0<\/p>\n This pre-authentication flaw enables attackers to craft malicious requests that leak uninitialized memory from affected NetScaler ADC and Gateway devices, potentially exposing sensitive data, including session tokens, passwords, and configuration values.\u00a0<\/p>\n The vulnerability has prompted immediate security responses from organizations worldwide, with over 200,000 scanning attempts detected within days of the proof-of-concept disclosure.<\/p>\n The CitrixBleed 2 vulnerability stems from improper memory handling in the authentication function of Citrix NetScaler devices.\u00a0<\/p>\n The flaw exploits an uninitialized login variable combined with inadequate input validation and missing error handling in the authentication logic.\u00a0<\/p>\n Since the underlying code is written in C\/C++, which doesn\u2019t automatically initialize variables, attackers can access random stack memory containing leftover data from previous operations.<\/p>\n The vulnerability affects multiple NetScaler versions, including NetScaler ADC and Gateway<\/a> 14.1 before 14.1-43.56, version 13.1 before 13.1-58.32, NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS, and NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS.\u00a0<\/p>\n The attack targets the URL path \/p\/u\/doAuthentication.do and requires no authentication, making it particularly accessible to threat actors.<\/p>\n Attackers exploit this vulnerability through a systematic approach involving reconnaissance, enumeration, and repeated exploitation attempts.\u00a0<\/p>\n The attack begins with scanning for exposed Citrix NetScaler instances, followed by version verification to identify vulnerable targets.\u00a0<\/p>\n The actual exploit involves sending crafted POST requests to the \/p\/u\/doAuthentication.do endpoint with an unusually large User-Agent header containing recognizable patterns.<\/p>\n The technique earned the \u201cCitrixBleed<\/a>\u201d moniker because attackers can repeatedly trigger memory leaks by sending identical payloads, with each attempt exposing new chunks of stack memory.\u00a0<\/p>\n The oversized User-Agent header injects distinctive markers like \u201cTHR-WAF-RESEARCH\u201d into the stack, which subsequently appear within <InitialValue> XML tags in HTTP responses, confirming successful memory disclosure and revealing sensitive information.<\/p>\n Akamai\u2019s security team has responded to the threat by releasing Rapid Rule 3000967 through their App & API Protector platform.<\/p>\n Initially deployed with an \u201cAlert\u201d action on July 7, 2025, the rule was upgraded to \u201cDeny\u201d status the following day after validation.<\/p>\n Security researchers observed significant scanning activity beginning July 8, 2025, with over 200,000 POST requests targeting the vulnerable endpoint across multiple hostnames and IP addresses.\u00a0<\/p>\n This large-scale scanning represents organized attempts to identify vulnerable NetScaler instances for potential exploitation.\u00a0<\/p>\n Organizations are strongly advised to patch affected devices immediately and implement additional monitoring for indicators of compromise, as the vulnerability\u2019s pre-authentication nature and public proof-of-concept<\/a> availability create substantial risk exposure.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now<\/strong><\/a>\u00a0<\/p>\n The post Hackers Actively Exploiting CitrixBleed 2 Vulnerability in the Wild<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/strong>
1. CVE-2025-5777 affects Citrix NetScaler devices, allowing unauthenticated attackers to leak sensitive memory data including session tokens and passwords.
2. Over 200,000 scanning attempts were detected targeting vulnerable endpoints, indicating widespread threat actor activity.
3. Attackers send crafted requests with large User-Agent headers to trigger continuous memory leaks from the same target.
4. Organizations must immediately patch affected NetScaler versions and implement Akamai's protective rules due to public exploit availability.<\/pre>\nCitrixBleed 2 Vulnerability (CVE-2025-5777)<\/strong><\/h2>\n
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n \u2013 NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP- NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS<\/td>\n<\/tr>\n \n Impact<\/td>\n Memory disclosure of uninitialized stack memory<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n \u2013 No authentication required (pre-authentication flaw)- Network access to target NetScaler device- Ability to send HTTP POST requests- Target endpoint: \/p\/u\/doAuthentication.do- No prior conditions or special privileges needed<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 7.5 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigation Measures<\/strong><\/h2>\n