Citrix NetScaler ADC and Gateway Memory Disclosure Vulnerability
Vulnerability information
Vulnerability name: Citrix NetScaler ADC and Gateway Memory Disclosure Vulnerability
Vulnerability ID:
- CVE: CVE-2025-5777
Vulnerability type: Information disclosure
Severity: High
Description: CVE-2025-5777, also known as CitrixBleed2, is a memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway. It exists when these products are configured as a gateway (VPN virtual server, ICA proxy, CVPN, RDP proxy). By sending crafted HTTP POST requests to the authentication endpoint, an unauthenticated attacker can trigger a memory leak that exposes sensitive data from heap memory. It is the follow-up to the original "CitrixBleed" (CVE-2023-4966) and was disclosed in July 2025.
Affected products: Citrix NetScaler ADC and Gateway are widely used enterprise network appliances that provide application delivery and secure remote access. They are deployed worldwide, especially in large organizations that need high performance and security.
Vulnerability explanation: This is an information disclosure vulnerability whose technical root cause is improper memory management when handling crafted HTTP POST requests. An attacker can exploit it over the network without authentication by sending a crafted request to the /p/u/doAuthentication.do endpoint, triggering a memory leak that exposes sensitive information including session cookies, tokens, Basic Auth headers, passwords and JWTs.
Impact analysis: The vulnerability is rated high because it lets an unauthenticated remote attacker disclose sensitive information, which can lead to follow-on attacks such as session hijacking and identity spoofing. Because the leaked data may include authentication credentials, an attacker can use it to gain unauthorized access and then attack the affected systems further. Since the flaw is remotely exploitable and requires no user interaction, the potential security risk is very high.
Vendor: Citrix
Product: Citrix NetScaler ADC and Gateway
Source: https://github.com/nocerainfosec/cve-2025-5777
Type: CVE-2025:github search
Repository files
- README.md
Source overview
CitrixBleed2 - CVE-2025-5777 PoC Scanner
This repository contains an advanced Proof of Concept (PoC) scanner for CVE-2025-5777, dubbed CitrixBleed2, a memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway.
Developed by Guilherme Nocera (@nocerainfosec), this tool is based on research originally published by WatchTowr Labs, with enhancements for deeper information extraction and secure memory leak analysis.
Disclaimer: This tool is provided for educational and authorized testing purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
🩸 About the Vulnerability - CVE-2025-5777
CVE-2025-5777 is a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway when configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP Proxy).
By sending specially crafted HTTP POST requests to the authentication endpoint, an unauthenticated attacker can trigger memory disclosure — leaking sensitive data from heap memory.
This issue is a follow-up to the original “CitrixBleed” (CVE-2023-4966), and was disclosed in July 2025.
Technical Summary:
- Vulnerable Endpoint: `/p/u/doAuthentication.do`
- Attack Vector: Network (unauthenticated)
- Impact: Disclosure of memory content
- CVSS Score: 7.5 (High)
- Disclosure Source: WatchTowr Labs
The original discovery and in-depth analysis were conducted by the WatchTowr Labs research team. This PoC was inspired by their publication and enhanced for extended detection, evidence logging, and memory analysis by Guilherme Nocera / Nocera Infosec.
🚀 Features
- Exploits the CVE-2025-5777 (CitrixBleed2) memory disclosure vulnerability
- Collects leaked memory content via crafted `POST /p/u/doAuthentication.do` requests
- Extracts sensitive data like:
  - Session cookies
  - Tokens
  - Basic Auth headers
  - Passwords and JWTs
- Displays and logs TLS certificate metadata (subject, issuer, validity)
- Automatically redacts known branding from specific organizations (e.g., removed specific vendor mentions)
- Saves leaks with a timestamped output file to prevent overwrites
🧪 Usage
Single Target
List of Targets
Output File Customization
If `-o` is not specified, a timestamped file is created automatically (e.g., `citrix_leaks_20250705_154312.txt`).
🧠 Detection Technique
The tool sends malformed authentication requests to `/p/u/doAuthentication.do` with a short payload and a specific User-Agent to trigger the memory leak.
It parses the raw response for high entropy data, certificate metadata, and sensitive content (via regex).
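The detection technique above describes what the scanner does from the attacker's side. The following is an added example, not part of this repository, showing the defender's side: a Python script that looks for the scanner's footprint in web access logs by flagging sources that burst POST requests at the `/p/u/doAuthentication.do` endpoint. The Combined-Log-Format layout, the sample log lines, the source addresses and the thresholds are all assumptions constructed for illustration; real NetScaler logs use their own format, so `LOG_RE` would need adjusting.

```python
"""
Added example (not the nocerainfosec tool's own code): flag sources that burst
POST requests at the CitrixBleed2 authentication endpoint in access logs.
Log format, thresholds and sample lines are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

TARGET_PATH = "/p/u/doAuthentication.do"

# Assumption: logs are in Apache Combined Log Format. Adjust for the real
# appliance log layout before using this against production data.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six rapid POSTs from one source (scanner-like), one
# unrelated GET from the same source, one ordinary login from another source,
# and one line that does not parse at all.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2025:15:43:10 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:11 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:12 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:13 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:14 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:15 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:16 +0000] "GET /vpn/index.html HTTP/1.1" 200 4120 "-" "python-requests/2.31"
198.51.100.2 - - [05/Jul/2025:15:44:02 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 1931 "https://gw.example.test/vpn/index.html" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_bursts(lines, threshold=5, window_seconds=60):
    """Group POSTs to TARGET_PATH by source and alert when any sliding window
    of window_seconds contains at least threshold requests from one source."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET_PATH:
            hits[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        lo, best = 0, 0
        for hi in range(len(recs)):
            # Advance the window start until it spans at most window_seconds.
            while (recs[hi]["ts"] - recs[lo]["ts"]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            alerts.append({
                "ip": ip,
                "requests_in_window": best,
                "total": len(recs),
                "user_agents": sorted({r["ua"] for r in recs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['ip']}: {alert['requests_in_window']} POSTs to "
              f"{TARGET_PATH} within the window (UAs: {alert['user_agents']})")
```

A burst heuristic catches mass scanning but not a careful single request, and the page itself notes that one crafted request is enough to trigger the leak, so this is a triage aid rather than a control; the control is applying Citrix's fixed builds. Any source flagged here is a reason to review which sessions were active on the gateway at that time.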
🛡 Legal Notice
- This tool must only be used in authorized penetration testing or controlled environments.
- All users are solely responsible for ensuring legal and ethical use.
🙏 Credits
- Original discovery and writeup: WatchTowr Labs
- Enhanced PoC author: Guilherme Nocera (@nocerainfosec)
- Based on open-source research and crafted for Brazilian and global security professionals.
📎 Related
📜 License
This repository is released under the MIT License. See LICENSE for details.
Stay secure. Test responsibly.