CitrixBleed 2 (CVE-2025-5777) Mitigation: A Guide to Detecting Exposed Citrix NetScaler Assets

In July 2025, a proof-of-concept (PoC) code for a memory leak vulnerability (CVE-2025-5777) affecting Citrix NetScaler ADC and Gateway appliances was publicly released. Since then, exploitation attempts targeting these devices have increased significantly worldwide. This vulnerability poses a significant risk as it allows unauthorized attackers to leak sensitive information directly from memory, similar to the widely exploited CitrixBleed vulnerability (CVE-2023-4966) from the previous year.

Citrix NetScaler is widely used in enterprise and government environments as both an SSL VPN and Application Delivery Controller (ADC). This vulnerability could expose sensitive data, including user session tokens, authentication credentials, and API keys.

Vulnerability Overview: CVE-2025-5777 (Citrix NetScaler Memory Leak & Authentication Flaw)

  • Vulnerability: CVE-2025-5777 (CitrixBleed 2)
  • Affected Products: Citrix NetScaler ADC / Gateway
  • Type: Unauthorized Memory Exposure (Memory Leak)
  • PoC: Publicly released (GitHub)
  • Attack Method: Attackers can manipulate authentication request formats to embed memory contents within the response message.
GitHub repository with PoC code for CVE-2025-5777 – Real-world attack scenario executable.
Example output of PoC execution for Memory Leak Vulnerability (CVE-2025-5777).

The PoC published on GitHub demonstrates how attackers can decode Base64-encoded response data to extract sensitive information, potentially leaking user authentication tokens or session identifiers. This vulnerability poses a high risk due to its ease of exploitation and potential to bypass authentication.

Exploitation Status and Detection Queries

After the PoC was released, various global threat intelligence communities and honeypot-based threat monitoring networks detected significant scanning traffic targeting this vulnerability. By using Criminal IP Asset Search, NetScaler instances can be identified based on exposed SSL VPN ports.

The following query can be used in Criminal IP to identify exposed NetScaler instances:

Using Criminal IP to detect Citrix Devices Vulnerable to CVE-2025-5777

To exploit the CVE-2025-5777 vulnerability, cyber attackers first identify NetScaler devices exposed on the internet.
With Criminal IP’s Asset Search, devices matching attacker-targeted criteria can be quickly identified.

Criminal IP Search Query: “favicon: -4581a967”

The query uses the favicon filter, which searches for web servers serving a specific favicon. Supplying the hash (shown here in hexadecimal) of the favicon from Citrix NetScaler’s default login page uncovers Citrix NetScaler instances exposed on the internet worldwide.

To learn how to detect IP addresses and analyze security vulnerabilities using favicon hashes, refer to the blog that covers the favicon filter usage.

The results of using this query to identify Citrix NetScaler instances are shown below.

Criminal IP Asset Search results for “favicon: -4581a967”

A search for “favicon: -4581a967” on Criminal IP Asset Search detects about 27,000 results. The highest number of results come from the United States, followed by Australia and Germany.

Criminal IP Asset Search detailed page.

One of the detected IP addresses reveals 6 open ports and 24 vulnerabilities. Additionally, 3 of the SSL certificates are identified as self-signed.

Vulnerability leaked from GitHub PoC

Furthermore, one of the 24 vulnerabilities is confirmed to have a publicly available PoC on GitHub, requiring immediate action.

FAQ

Q1. Does CVE-2025-5777 affect all NetScaler devices?

No. CVE-2025-5777 affects only certain versions of the Citrix NetScaler ADC and Gateway products. In particular, End-of-Life (EOL) versions such as the 12.1 and 13.0 series no longer receive security patches, so upgrading to the latest supported version is essential.

The security patch provided by Citrix applies to the following versions:

  • 13.1 series: Version 13.1-58.32 or later
  • 14.1 series: Version 14.1-43.56 or later
  • 12.1-FIPS series: Version 12.1-55.328 or later

※ Patches are not provided for EOL versions; these must be upgraded to a supported version.
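An added example (not code from the Criminal IP post or from Citrix) that turns the patch list above into an inventory check: it parses NetScaler build strings, compares them with the fixed builds for each branch, and flags the EOL 12.1 and 13.0 branches as needing an upgrade rather than a patch. The build-string format (e.g. "13.1-58.32", with an optional "FIPS" suffix for the 12.1-FIPS branch) and the sample host names are assumptions.

```python
# Added example: classify NetScaler builds against the CVE-2025-5777 fixed builds
# listed in the post. Build-string format and host names are assumptions.
import re
from typing import Dict, Iterable, Tuple

# Fixed builds per branch, taken from the post's FAQ list.
FIXED_BUILDS = {
    "13.1": (13, 1, 58, 32),
    "14.1": (14, 1, 43, 56),
    "12.1-FIPS": (12, 1, 55, 328),
}
# Branches the post names as EOL: no patch exists, only an upgrade path.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed format: "<major>.<minor>-<build>.<sub>" with an optional FIPS tag.
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:[\s-]*(FIPS))?$", re.I)


def parse_build(build: str) -> Tuple[Tuple[int, int, int, int], str]:
    """Return ((major, minor, build, sub), branch) for a build string."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    major, minor, b, sub = (int(m.group(i)) for i in range(1, 5))
    branch = f"{major}.{minor}" + ("-FIPS" if m.group(5) else "")
    return (major, minor, b, sub), branch


def assess(build: str) -> str:
    """Classify a build as 'patched', 'vulnerable', 'eol' or 'unknown'."""
    ver, branch = parse_build(build)
    if branch in FIXED_BUILDS:
        return "patched" if ver >= FIXED_BUILDS[branch] else "vulnerable"
    if branch in EOL_BRANCHES:
        return "eol"  # cannot be patched; must move to a supported branch
    return "unknown"  # branch not covered by the post's patch list


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map host -> status, listing hosts that still need action first."""
    results = {host: assess(build) for host, build in inventory}
    return dict(sorted(results.items(), key=lambda kv: kv[1] == "patched"))


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = [("vpn-a.example", "13.1-58.32"), ("vpn-b.example", "14.1-43.50"),
              ("vpn-c.example", "12.1-55.328 FIPS"), ("vpn-d.example", "13.0-92.21")]
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```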

Q2. What other security measures or mitigations are available?

Citrix has released a security patch to mitigate this vulnerability and recommends the following additional security measures:

  • Security Patches: Immediately apply the latest security patch provided by Citrix. End-of-life (EOL) versions must be upgraded.
  • Admin Interface: Restrict external access to the NetScaler admin page using firewalls or similar protections.
  • Session and Password: Reset administrator sessions and update passwords to mitigate potential leaks.
  • Log Analysis and Anomaly Detection: Analyze HTTP logs and network traffic for abnormal requests, and enhance monitoring through ASM and SIEM integration.

Conclusion

CVE-2025-5777 is a critical vulnerability that organizations using Citrix NetScaler devices must address. Following the PoC release, large-scale scanning attempts are now a reality—making preemptive checks and proactive responses crucial.

By using Criminal IP Asset Search and ASM, exposed NetScaler assets can be quickly identified. This allows organizations to prevent potential attacks by applying the latest security patches and invalidating sessions.


Source: Criminal IP (https://www.criminalip.io/), GitHub (https://github.com/bughuntar/CVE-2025-5777)

Related article: https://www.criminalip.io/ko/knowledge-hub/blog/25711