PT-2025-25651 · Citrix · Citrix NetScaler ADC (+1)

Jdoe (+1) · Published 2025-06-17 · Updated 2026-04-21 · CVE-2025-5777

CVSS v4.0: 10 (Critical)
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions
Citrix NetScaler ADC 14.1 branch, versions prior to 14.1-43.56
Citrix NetScaler ADC 13.1 branch, versions prior to 13.1-58.32
Citrix NetScaler Gateway 14.1 branch, versions prior to 14.1-43.56
Citrix NetScaler Gateway 13.1 branch, versions prior to 13.1-58.32
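As an added example (not part of this advisory or of Citrix's own tooling), the following check compares a NetScaler version string against the fixed builds listed above, per release branch. It assumes versions are reported either in the short "major.minor-build.patch" form (for example "14.1-43.56") or in the first line of the appliance's `show version` output; branches the list above does not cover (FIPS/NDcPP builds, 12.1) are reported as "unknown" rather than guessed. Note that the version only tells you whether the code is affected; the bug is reachable only when the appliance is configured as a Gateway or AAA virtual server.

```python
# Added example, not the advisory's code. Branch-aware check of a NetScaler
# version against the fixed builds listed for CVE-2025-5777.
import re

# Lowest fixed (build, patch) per branch, from the affected-versions list above.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
}

# "14.1-43.56" style string.
SHORT_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
# First line of `show version`, e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ..."
SHOWVER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (branch, (build, patch)) or raise ValueError if unrecognised."""
    text = text.strip()
    m = SHORT_RE.match(text) or SHOWVER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, patch = m.group(1), int(m.group(2)), int(m.group(3))
    return branch, (build, patch)


def cve_2025_5777_status(text: str) -> str:
    """'vulnerable', 'fixed', or 'unknown' (branch not in the list above)."""
    branch, build = parse_version(text)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison orders by build first, then patch level.
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("14.1-43.50", "14.1-43.56", "13.1-57.26",
                   "NetScaler NS13.1: Build 58.32.nc, Date: Jun 12 2025",
                   "12.1-55.327"):
        print(f"{sample!r}: {cve_2025_5777_status(sample)}")
```

Feed it the first line of `show version` from each appliance, or the short version strings from your CMDB; anything that comes back "unknown" needs a manual check against the vendor advisory rather than being treated as safe.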
Description
Insufficient input validation leads to an out-of-bounds memory read when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The issue, dubbed CitrixBleed 2, lets unauthenticated remote attackers read sensitive data out of device memory, including session tokens, API keys and login credentials. A stolen session token can be replayed to hijack an authenticated session, which in practice bypasses multi-factor authentication (MFA) and grants unauthorized access to the resources behind the appliance.

Real-world impact includes more than 11.5 million observed attack attempts and a significant breach at the Pennsylvania Attorney General's office, from which 5.7 TB of data was reported stolen.

Technically, exploitation consists of sending a malformed POST request to an authentication endpoint such as '/p/u/doAuthentication.do' or '/nf/auth/doAuthentication.do' in which the login parameter appears as a bare name with no equals sign and no value. The leaked memory is echoed back to the attacker in the HTTP response body, so the request is simply repeated to harvest more data.
Recommendations
Update NetScaler ADC and NetScaler Gateway 14.1 to 14.1-43.56 or later, and 13.1 to 13.1-58.32 or later. Patching does not invalidate sessions an attacker has already hijacked, so after the upgrade terminate all active ICA and PCoIP sessions (on the NetScaler CLI: kill icaconnection -all and kill pcoipConnection -all). As a temporary mitigation until the patch can be applied, use a Web Application Firewall (WAF) to block POST requests to '/p/u/doAuthentication.do' (and '/nf/auth/doAuthentication.do') whose body carries the login parameter as a bare name without an equals sign or value; a legitimate login always sends login=<username>.
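The request pattern described in the description and the WAF rule proposed in the recommendations are the same check seen from two sides. The following added example (not from this advisory, nor Citrix's or any WAF vendor's code) parses a raw HTTP request and flags a CitrixBleed 2 probe: a POST to one of the two doAuthentication.do endpoints whose form body contains a bare login token with no '=' sign. It deliberately does not require a particular Content-Type header, since an attacker controls the headers. The sample requests embedded at the bottom are constructed for illustration.

```python
# Added example, not the advisory's code. Detects the CVE-2025-5777 trigger
# pattern (bare "login" form key, no '=') on the affected endpoints.
from typing import Optional, Tuple, Dict

TARGET_PATHS = {"/p/u/doAuthentication.do", "/nf/auth/doAuthentication.do"}


def split_request(raw: bytes) -> Optional[Tuple[str, str, Dict[str, bytes], bytes]]:
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return None
    method = parts[0].decode("ascii", "replace")
    target = parts[1].decode("ascii", "replace")
    path = target.split("?", 1)[0]          # ignore any query string
    headers: Dict[str, bytes] = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return method, path, headers, body


def has_bare_login(body: bytes) -> bool:
    """True if the urlencoded body has a 'login' token with no '=' at all.

    'login=' (empty value) is NOT flagged: the trigger is the missing '='.
    """
    for token in body.split(b"&"):
        if token.strip() == b"login":
            return True
    return False


def is_citrixbleed2_probe(raw: bytes) -> bool:
    """WAF-style decision: block when method, path and body all match."""
    parsed = split_request(raw)
    if parsed is None:
        return False
    method, path, _headers, body = parsed
    return method == "POST" and path in TARGET_PATHS and has_bare_login(body)


# Constructed sample requests (not captured traffic).
PROBE = (b"POST /p/u/doAuthentication.do HTTP/1.1\r\n"
         b"Host: vpn.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 5\r\n\r\n"
         b"login")
LEGIT = (b"POST /p/u/doAuthentication.do HTTP/1.1\r\n"
         b"Host: vpn.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"login=jdoe&passwd=correct-horse")

if __name__ == "__main__":
    for label, req in (("probe", PROBE), ("legit", LEGIT)):
        print(f"{label}: {'BLOCK' if is_citrixbleed2_probe(req) else 'allow'}")
```

Run the same predicate over a WAF or reverse-proxy log that retains request bodies to find past probes; hits before your patch date mean the session-termination step above is not optional.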

Tags: Exploit · Fix · DoS · RCE

Weakness Enumeration

Use of Uninitialized Resource (CWE-908)
Out-of-bounds Read (CWE-125)

Related Identifiers

BDU:2025-07142
CVE-2025-5777

Affected Products

Citrix NetScaler ADC
Citrix NetScaler Gateway