PoC Exploits Released for CitrixBleed2: 127 Bytes Exfiltrated Per Request


Security researchers have released proof-of-concept exploits for CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC and Gateway devices dubbed “CitrixBleed2.”

The flaw allows unauthenticated attackers to extract sensitive data from device memory, including session tokens that can be used to bypass multi-factor authentication.

Vulnerability Details and Impact

CVE-2025-5777 is a memory disclosure vulnerability with a CVSS score of 9.3 that affects NetScaler devices configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers.

The vulnerability stems from insufficient input validation in HTTP POST request processing, specifically when malformed login requests are submitted without proper parameters.

The exploit works by targeting the /p/u/doAuthentication.do endpoint with specially crafted requests where the login parameter is sent without an equal sign or value.

This causes the NetScaler appliance to respond with approximately 127 bytes of arbitrary memory data per request, which can include session tokens ...
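A log-triage check for the request shape described above, added here as an example; it is not code from the article or from Citrix. It assumes a reverse proxy or WAF in front of the appliance that records source, method, URL and form body for each request; the record field names and the sample entries are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit

ENDPOINT = "/p/u/doauthentication.do"  # path named in the article, lowercased for comparison
LEAK_BYTES = 127                       # approximate bytes disclosed per request, per the article

def has_bare_login(body: str) -> bool:
    """True when a form field is exactly 'login': no '=' and no value."""
    return any(field.strip() == "login" for field in body.split("&"))

def triage(records):
    """Map source IP -> (matching requests, approximate bytes exposed)."""
    hits = Counter()
    for rec in records:
        if rec["method"].upper() != "POST":
            continue
        # Case-insensitive path match is a conservative choice made for this example.
        if urlsplit(rec["url"]).path.lower() != ENDPOINT:
            continue
        if has_bare_login(rec["body"]):
            hits[rec["src"]] += 1
    return {ip: (n, n * LEAK_BYTES) for ip, n in hits.items()}

# Constructed sample records (documentation-range addresses, hypothetical field names).
SAMPLE = [
    {"src": "203.0.113.7", "method": "POST", "url": "/p/u/doAuthentication.do", "body": "login"},
    {"src": "203.0.113.7", "method": "POST", "url": "/p/u/doAuthentication.do", "body": "login"},
    {"src": "203.0.113.7", "method": "POST", "url": "/p/u/doAuthentication.do", "body": "login"},
    {"src": "198.51.100.20", "method": "POST", "url": "/p/u/doAuthentication.do",
     "body": "login=alice&passwd=example"},                     # well-formed login
    {"src": "203.0.113.7", "method": "GET", "url": "/p/u/doAuthentication.do", "body": ""},
    {"src": "192.0.2.5", "method": "POST", "url": "/vpn/index.html", "body": "login"},
    {"src": "192.0.2.9", "method": "POST", "url": "/p/u/doAuthentication.do?x=1",
     "body": "foo=bar&login"},                                  # bare field among others
]

if __name__ == "__main__":
    for ip, (n, exposed) in sorted(triage(SAMPLE).items()):
        print(f"{ip}: {n} malformed login POSTs, up to ~{exposed} bytes of memory exposed")
```

The per-source byte estimate gives responders a rough upper bound on how much memory a given client could have read, which helps decide which sessions to treat as exposed.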


Copyright of this story solely belongs to gbhackers.