Security researchers have released a technical analysis and proof-of-concept exploit code for a critical vulnerability fixed last month in Citrix NetScaler appliances that is suspected to have been exploited in the wild, though in a limited capacity and without official confirmation from Citrix. Companies are urged to deploy the patches and use published indicators of compromise (IoCs) to check their appliances for signs of breach.

The vulnerability, tracked as CVE-2025-5777 and dubbed Citrix Bleed 2 in the security community, was patched on June 17 alongside another high-risk flaw identified as CVE-2025-5349. Although the initial advisory doesn’t mention in-the-wild exploitation and hasn’t been updated since, researchers from security firm ReliaQuest reported on June 26 that they believe with medium confidence that attackers are already exploiting the vulnerability to bypass authentication and multifactor authentication.

Vulnerability confusion

Meanwhile, a third Citrix vulnerability, tracked as CVE-2025-6543, was patched on June 25, and for that one there are signs of active exploitation, according to Citrix’s Cloud Software Group, which manages NetScaler.

This has caused confusion in the security community as to which flaw is being targeted by attackers, CVE-2025-5777 or CVE-2025-6543, or both. IoCs for CVE-2025-6543 are available on request from the Citrix Cloud Software Group, but there has been no such information for CVE-2025-5777 until this week, given that Citrix hasn’t seen any evidence of active exploits.

Researchers from security firms watchTowr and Horizon3.ai have independently reverse-engineered the patches and have published analyses and IoCs for the vulnerability they believe to be CVE-2025-5777, with the goal of helping organizations develop detections amid the confusion.

“We have been actively engaged behind the scenes, sharing information and reproducers with the watchTowr Platform user base, who rely on our technology to rapidly determine their exposure, and numerous industry bodies to do our part in a broader global response,” researchers from watchTowr wrote in their in-depth report. “We have been led to believe that information sharing in the form of IoCs, exploitation artefacts, and more items that would be helpful for Citrix NetScaler end users has been … ‘minimal,’ which puts these users in a tough position when determining if they need to sound an internal alarm.”

In a separate report, researchers from Horizon3 said: “While we’ve developed a working exploit for one of these issues… it’s kinda hard to know which is which given the sparse technical details in the advisories. That said, based on the descriptions of the issues, the similarities to Citrix Bleed, and the versions of Citrix NetScaler available to us for testing, we believe we’ve developed a working exploit for CVE-2025-5777. It’s also totally possible we’ve stumbled upon some other related issue that was inadvertently patched in these releases.”

Similarities to the original Citrix Bleed

CVE-2025-5777 has been dubbed Citrix Bleed 2 due to its similarities to a zero-day information disclosure vulnerability fixed in October 2023 (CVE-2023-4966) that received the Citrix Bleed moniker because it enabled attackers to leak session tokens from memory, allowing for session takeover with multifactor authentication bypass.

Similarly, CVE-2025-5777 can lead to a memory overread condition through crafted HTTP requests sent to a specific web application endpoint called doAuthentication.do. This leaks internal memory, 127 bytes at a time, which could contain authentication tokens and other sensitive information.

During their testing, the watchTowr researchers didn’t manage to find any authentication cookies, session IDs, or passwords in the leaked content, but noted that on a production appliance with more user connections, things will likely be different. Meanwhile the Horizon3 researchers did obtain legitimate user session tokens by running the exploit for longer on their test appliance.

“This isn’t just limited to endpoints accessible to normal users,” the Horizon3 researchers wrote. “The configuration utilities administrators use to manage NetScaler Gateway endpoints ALSO utilize this memory space, meaning those tokens are vulnerable to theft as well.”

The flaw affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) when configured as a gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and auditing (AAA) server. There are no manual workarounds or mitigations aside from applying the patches. Organizations that haven’t updated yet should deploy the latest available builds for their release branches, which will include fixes for the confirmed actively exploited CVE-2025-6543 vulnerability as well.

Detecting compromise

In terms of IoCs, the Horizon3 researchers advise searching ns.log for log entries with non-printable characters, which can be a good indicator that something is not right.

“The Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted,” the Horizon3 researchers concluded. “Entries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens.”

Administrators are also advised to audit all active sessions on their appliances, which can be done from the interface at “NetScaler Gateway -> Active User Sessions -> Select applicable context -> Continue” or from the command line with the show sessions or show <service> session commands.

If an appliance is compromised, attackers are likely to add backdoor accounts, dump and modify the appliance configuration with persistence mechanisms, and deploy remote access tools — all actions taken during the original Citrix Bleed exploitation as well.

Such modifications should be captured by logs, but the researchers warn that if admin sessions or credentials are compromised, the attackers would have access to modify logging configurations.

“If configuration backups are in place, showing the current running config via show ns runningConfig -withDefaults and comparing it to a known good backup with some sort of diffing utility (such as via diff -u backup.config current.config) is a good starting point,” the Horizon3 researchers said.

Meanwhile, watchTowr researchers released proof-of-concept HTTP requests and responses that can be used to build scanning scripts to determine the exploitability of NetScaler appliances against this flaw.
