The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2025-5777 to its Known Exploited Vulnerabilities (KEV) catalog, confirming what many in the infosec community already feared: this new Citrix NetScaler flaw is actively under attack in the wild.
Dubbed “CitrixBleed 2” by cybersecurity researcher Kevin Beaumont, this out-of-bounds memory read vulnerability is already making waves across enterprise networks—echoing the damage caused by its predecessor CVE-2023-4966, which fueled ransomware attacks and nation-state intrusions.
This flaw presents a critical risk, potentially enabling attackers to compromise sensitive data such as session tokens and credentials from exposed gateways and virtual servers.
At its core, CVE-2025-5777 is a vulnerability triggered by improper handling of login requests on Citrix NetScaler ADC and Gateway appliances. The issue resides in the way NetScaler processes requests when the login parameter is malformed—specifically, when it is sent without an equal sign or value.
This triggers a flaw in the use of the snprintf function and the %.*s format specifier:
“The %.*s format tells snprintf: ‘Print up to N characters, or stop at the first null byte (\0)—whichever comes first.’”
The result? Uninitialized memory is inadvertently leaked back to the user via the <InitialValue> tag in the server response.
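To make the bug class concrete, the following is an added C illustration, not NetScaler code and not from the page's author: a fixed `%.*s` precision is applied to a scratch buffer that is never re-initialised for the current request, so a parameter sent without a value echoes stale bytes left by an earlier request. The buffer name, the `<InitialValue>` echo functions and the stale session-cookie string are constructed; the hardened variant uses the parsed value's real length as the precision.

```c
#include <stdio.h>
#include <string.h>

/* Constructed server-side scratch buffer shared across requests. */
#define BUF_SZ 256
static char scratch[BUF_SZ];

/* Constructed stale content: pretend an earlier request left a session
   cookie in the buffer and nothing cleared it afterwards. */
void simulate_prior_request(void) {
    memset(scratch, 0, sizeof scratch);
    strcpy(scratch, "NSC_AAAC=example-stale-session-cookie");
}

/* Vulnerable pattern: the value is written into `scratch` only when the
   parameter carries '='; with no '=' nothing is written, yet the field is
   still echoed with a fixed precision of 127. %.*s then copies until the
   first NUL, so whatever was already in the buffer leaks into the reply. */
size_t vulnerable_echo(const char *param, char *out, size_t out_sz) {
    const char *eq = strchr(param, '=');
    if (eq) {
        size_t vlen = strlen(eq + 1);
        if (vlen >= BUF_SZ) vlen = BUF_SZ - 1;
        memcpy(scratch, eq + 1, vlen);
        scratch[vlen] = '\0';
    }
    /* bug: the precision is an upper bound, not the real value length */
    return (size_t)snprintf(out, out_sz,
                            "<InitialValue>%.*s</InitialValue>", 127, scratch);
}

/* Hardened pattern: derive the precision from the parsed value itself and
   print from the parsed value, so an absent value yields zero bytes no
   matter what the shared buffer contains. */
size_t safe_echo(const char *param, char *out, size_t out_sz) {
    const char *eq = strchr(param, '=');
    size_t vlen = 0;
    if (eq) {
        vlen = strlen(eq + 1);
        if (vlen > 127) vlen = 127;
    }
    return (size_t)snprintf(out, out_sz, "<InitialValue>%.*s</InitialValue>",
                            (int)vlen, eq ? eq + 1 : "");
}
```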
This vulnerability affects NetScaler devices configured as a Gateway or AAA virtual server, such as:
- VPN Virtual Server
- ICA Proxy
- Clientless VPN (CVPN)
- RDP Proxy
By repeatedly exploiting the flaw, attackers can extract 127 bytes per request, according to researchers at Horizon3. This drip-feed of memory may contain session tokens, usernames, passwords, or other sensitive artifacts—just enough to escalate to full session hijacking or lateral movement.
While early experiments by WatchTowr could not successfully leak session tokens, Horizon3 demonstrated live exploitation in video walkthroughs, successfully extracting valid credentials. As with CitrixBleed, it’s only a matter of time before ransomware groups and APTs weaponize this technique across government, healthcare, and finance sectors.
Citrix has released patched versions of the affected products:
- NetScaler ADC and Gateway 14.1-43.56
- NetScaler ADC and Gateway 13.1-58.32 and later
- NetScaler ADC 13.1-NDcPP 13.1-37.235 (FIPS)
- NetScaler ADC 12.1-55.328 (FIPS)
The threat is so severe that CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch by July 11, 2025.