Researchers have released proof-of-concept (PoC) exploits for a critical Citrix NetScaler vulnerability, tracked as CVE-2025-5777 and dubbed CitrixBleed2, warning that the flaw is easily exploitable and can successfully steal user session tokens.
The CitrixBleed2 vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows attackers to retrieve memory contents simply by sending malformed POST requests during login attempts.
This flaw is named CitrixBleed2 as it closely resembles the original CitrixBleed (CVE-2023-4966) bug from 2023, which was exploited by ransomware gangs and in attacks on governments to hijack user sessions and breach networks.
In technical analyses first released by watchTowr and then Horizon3, researchers confirmed that the vulnerability can be exploited by sending an incorrect login request in which the login= parameter is modified so that it is sent without an equals sign or a value.
This causes the NetScaler appliance to display the memory contents up to the first null character in the
[Image: Reading data from memory with a malformed NetScaler login request. Source: watchTowr]
The flaw is caused by a call to the snprintf function with a format string containing the %.*s specifier.
"The %.*s format tells snprintf: 'Print up to N characters, or stop at the first null byte (\0) - whichever comes first.' That null byte eventually appears somewhere in memory, so while the leak doesn't run indefinitely, you still get a handful of bytes with each invocation," explains watchTowr's report.
"So, every time you hit that endpoint without the =, you pull more uninitialized stack data into the response."
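To show the bug class the quoted explanation describes, here is an added C example (not watchTowr's, Horizon3's or Citrix's code, and not NetScaler's real parser): a hypothetical form parser that leaves its value buffer untouched when `login` arrives without `=`, a vulnerable echo routine that formats that buffer with `%.*s` regardless, and the hardened form beside it. The `<InitialValue>` element name and the stale bytes are assumptions; the stale constant stands in for whatever a real uninitialised stack buffer would hold.

```c
#include <stdio.h>
#include <string.h>

#define VAL_MAX 32

/* Constructed stand-in for leftover stack contents. A real uninitialised
 * buffer holds whatever earlier calls left there (undefined behaviour). */
static const char STALE[VAL_MAX] = "SESSIONID=stale-token-42";

/* Hypothetical form parser: copies the value of "login=..." into val.
 * Returns 1 when a value was copied, 0 when "login" has no '=' (val untouched). */
static int parse_login_value(const char *body, char *val, size_t val_sz) {
    const char *p = strstr(body, "login");
    if (p == NULL) return 0;
    p += strlen("login");
    if (*p != '=') return 0;            /* bare "login": nothing written to val */
    p++;
    size_t n = strcspn(p, "&");
    if (n >= val_sz) n = val_sz - 1;
    memcpy(val, p, n);
    val[n] = '\0';
    return 1;
}

/* Vulnerable pattern: parse result ignored, so %.*s prints from val up to
 * VAL_MAX bytes or the first NUL, whichever comes first. Returns the length. */
int echo_login_vulnerable(const char *body, char *out, size_t out_sz) {
    char val[VAL_MAX];
    memcpy(val, STALE, sizeof val);     /* simulates stale stack data */
    (void)parse_login_value(body, val, sizeof val);
    return snprintf(out, out_sz, "<InitialValue>%.*s</InitialValue>", VAL_MAX, val);
}

/* Hardened pattern: buffer zeroed and the parse result checked, so a bare
 * "login" yields an empty field instead of echoing memory. */
int echo_login_fixed(const char *body, char *out, size_t out_sz) {
    char val[VAL_MAX] = {0};
    if (!parse_login_value(body, val, sizeof val)) val[0] = '\0';
    return snprintf(out, out_sz, "<InitialValue>%.*s</InitialValue>", VAL_MAX, val);
}

int main(void) {
    char out[128];
    echo_login_vulnerable("login&passwd=x", out, sizeof out);
    printf("vulnerable: %s\n", out);    /* echoes the stale bytes */
    echo_login_fixed("login&passwd=x", out, sizeof out);
    printf("fixed:      %s\n", out);
    return 0;
}
```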