Vulnerability Alerts · 3 min read · July 8, 2025

CVE-2025-5777: A New Memory Leak in Citrix Gateway Devices

Citrix has disclosed a new critical vulnerability (CVSS 9.3) affecting NetScaler ADC and Gateway appliances. Much like 2023’s CitrixBleed (CVE-2023-4966), this is a memory disclosure bug that leaks sensitive contents of system memory to unauthenticated attackers, and carries the same high-impact consequences for exposed infrastructure.

The bug: Unauthenticated memory leaks through malformed POSTs

CVE-2025-5777 is an insufficient-input-validation flaw in how the /p/u/doAuthentication.do endpoint (the Gateway logon handler) parses HTTP POST bodies. If the login parameter is sent as a bare key without the expected key=value structure, the variable that should hold its value is never initialised, and the server formats that stale memory into its XML reply. The leaked bytes appear inside the <InitialValue> tag and can include usernames, session tokens, and fragments of the appliance's internal data structures.

The vulnerability requires no authentication and can be exploited with a single HTTP request. Each request returns only a small slice of memory, so in practice attackers loop the request to accumulate fragments over time. Security researchers have confirmed that this is enough to harvest live session tokens and bypass the login screen, even when multi-factor authentication is enabled.

Which systems are at risk?

Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server are affected. Appliances that run neither a Gateway nor an AAA virtual server, for example pure load balancers, are not vulnerable.

The following versions are affected:

  • NetScaler ADC / Gateway 14.1 - Before 14.1-43.56
  • NetScaler ADC / Gateway 13.1 - Before 13.1-58.32
  • NetScaler ADC 13.1-FIPS / NDcPP - Before 13.1-37.235
  • NetScaler ADC 12.1-FIPS - Before 12.1-55.328
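
The version list above is easy to misread when a fleet mixes branches and FIPS builds. The following check is an added example (not Citrix's or Hadrian's code) that compares a build string, either in the advisory's 14.1-43.50 form or as printed by `show version`, against the fixed builds listed above. The table of fixed builds is taken from the list above (13.1-NDcPP is treated as sharing the 13.1-FIPS fix level, as the advisory groups them); the function names and sample inputs are this example's own.

```python
"""Check a NetScaler build against the fixed builds for CVE-2025-5777.

Added example, not Citrix's or Hadrian's code. Fixed-build numbers come from
the advisory table above; FIPS/NDcPP builds use the same version format as
standard builds, so the caller must say which branch a box is on.
"""
import re
from typing import Optional, Tuple

# First fixed build per branch (from the advisory). Anything lower is vulnerable.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),   # same fix level for 13.1-NDcPP
    "12.1-FIPS": (55, 328),
}

# Accepts both the advisory form ("14.1-43.50") and the `show version` form
# ("NetScaler NS14.1: Build 43.50.nc, Date: ...").
SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
ADVISORY_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")


def parse_build(version: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build, sub_build)), e.g. ('14.1', (43, 50))."""
    for pattern in (SHOW_VERSION_RE, ADVISORY_RE):
        m = pattern.search(version)
        if m:
            return m.group(1), (int(m.group(2)), int(m.group(3)))
    raise ValueError(f"unrecognised NetScaler version string: {version!r}")


def is_vulnerable(version: str, fips: bool = False) -> Optional[bool]:
    """True if the build predates the fix, False if it is at or past the fix.

    Returns None when the branch is not in the advisory table (for example the
    end-of-life 12.1 and 13.0 standard builds). Those received no fix, so
    None must be read as "unsupported and exposed", never as "safe".
    """
    branch, build = parse_build(version)
    key = f"{branch}-FIPS" if fips else branch
    if key not in FIXED_BUILDS:
        return None
    return build < FIXED_BUILDS[key]


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory.
    for ver, fips in [("14.1-43.50", False), ("NetScaler NS13.1: Build 58.32.nc", False),
                      ("13.1-37.200", True), ("13.0-92.21", False)]:
        print(ver, "FIPS" if fips else "standard", "->", is_vulnerable(ver, fips))
```

Note that the same 13.1 build number means different things on the standard and FIPS branches (13.1-37.200 is far behind 13.1-58.32 on the standard branch but only slightly behind 13.1-37.235 on FIPS), which is why the branch is an explicit argument rather than inferred from the string.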

Exploitation: Simple, scalable, and already public

Although Citrix reported no evidence of exploitation in the wild at the time of disclosure, public proof-of-concept code followed shortly after researchers published their technical analysis. The exploit is minimal and requires no advanced techniques: a single malformed POST request to an exposed Gateway endpoint. As with CitrixBleed, attackers can script repeated requests to leak memory incrementally, potentially reconstructing entire sessions from memory fragments.

Because Gateways are often exposed to the public internet for remote access, this vulnerability is easy to scan for and target. There’s no rate-limiting or CAPTCHA in place to prevent automated abuse, making it feasible to exploit this at scale against a wide set of targets.

What’s actually leaking?

Each malformed request leaks a small slice of process memory, which may contain:

  • Valid authentication/session tokens
  • Usernames and partial credentials
  • Internal XML configuration values
  • Memory contents from unrelated requests

In multiple demo cases, researchers were able to extract live session tokens and use them to access Citrix-hosted applications without credentials or MFA. The risk is not theoretical — it's practical and immediate.

Detection: How to know if you've been targeted

Organizations can look for exploitation by reviewing access logs for unusual requests to the /p/u/doAuthentication.do endpoint. Indicators include malformed POST bodies (a bare login field with no = or value) and XML responses whose <InitialValue> element contains binary or otherwise corrupted data. The response-side indicator is only visible where request and response bodies are captured, for example by a WAF, reverse proxy, or packet capture in front of the appliance; a plain HTTP access log records the request line and status code, not the body.

Several security researchers have released detection rules, including Sigma signatures, that can help identify both attempted and successful exploitation. However, because the leaked memory is returned in a legitimate HTTP 200 response, some logging systems may not flag it as anomalous by default.
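
As an added example of the log review described above (not Hadrian's tooling and not any published Sigma rule), the following Python triage helper flags bare-login POSTs to the logon endpoint, checks any captured <InitialValue> content for non-printable bytes, and counts repeat offenders, since a real harvest shows up as one client looping the request rather than as a single hit. The event dictionary layout, the field names and the sample events are constructed for this example; the response bodies are illustrative and were not captured from a real appliance.

```python
"""Triage helper for CVE-2025-5777 log review.

Added example, not Hadrian's or Citrix's code. It assumes events have already
been normalised into dicts with the request method, path, body, source IP
and (where a WAF or reverse proxy captured it) the raw response body.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

AUTH_ENDPOINT_SUFFIX = "/doAuthentication.do"
INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.DOTALL)
PRINTABLE = frozenset(range(0x20, 0x7F))


def is_malformed_login_post(method: str, path: str, body: str) -> bool:
    """True for a POST to doAuthentication.do whose body has a bare 'login' field.

    The legitimate logon form always submits key=value pairs such as
    'login=<user>&passwd=...'. A 'login' token with no '=' is the trigger
    described in the write-ups, so it is a high-confidence attempt indicator.
    """
    if method.upper() != "POST" or not path.endswith(AUTH_ENDPOINT_SUFFIX):
        return False
    return any(field.strip() == "login" for field in body.split("&"))


def leaked_initial_value(response: bytes) -> Optional[bytes]:
    """Return the <InitialValue> content if it looks like leaked memory, else None.

    Heuristic: a legitimate value is a short printable username; stale memory
    almost always carries NUL bytes, high bytes or other control characters.
    """
    match = INITIAL_VALUE_RE.search(response)
    if match is None:
        return None
    value = match.group(1)
    return value if any(b not in PRINTABLE for b in value) else None


def triage(events: Iterable[Dict]) -> List[Dict]:
    """Classify each malformed request as 'attempt' or 'likely_leak'.

    The leak comes back as HTTP 200, so status codes are useless here; the
    verdict rests on the request shape plus, if available, the response body.
    """
    findings = []
    for event in events:
        if not is_malformed_login_post(event["method"], event["path"], event["body"]):
            continue
        leak = leaked_initial_value(event.get("response", b""))
        findings.append({
            "src": event["src"],
            "verdict": "likely_leak" if leak is not None else "attempt",
            "leaked_bytes": len(leak) if leak else 0,
        })
    return findings


def noisy_sources(findings: List[Dict], threshold: int = 10) -> Dict[str, int]:
    """Sources that repeated the malformed request at least `threshold` times.

    Each request leaks only a small slice, so real exploitation looks like the
    same client hammering the endpoint, not a single request.
    """
    counts = Counter(f["src"] for f in findings)
    return {src: n for src, n in counts.items() if n >= threshold}


def make_event(src, method, path, body, response=b""):
    """Build one normalised event dict (layout is this example's own)."""
    return {"src": src, "method": method, "path": path, "body": body, "response": response}


# Constructed sample events, not real traffic; response bodies are illustrative.
SAMPLE_EVENTS = [
    # normal logon: key=value pairs, InitialValue echoes a printable username
    make_event("198.51.100.5", "POST", "/p/u/doAuthentication.do", "login=alice&passwd=REDACTED",
               b"<AuthenticateResponse><InitialValue>alice</InitialValue></AuthenticateResponse>"),
    # a GET to the same path is not the trigger
    make_event("198.51.100.6", "GET", "/p/u/doAuthentication.do", ""),
    # bare 'login' against a patched box: an attempt, but nothing leaked
    make_event("203.0.113.9", "POST", "/p/u/doAuthentication.do", "login",
               b"<AuthenticateResponse><InitialValue></InitialValue></AuthenticateResponse>"),
] + [
    # bare 'login' looped 12 times by one client; replies carry NULs and high bytes
    make_event("203.0.113.7", "POST", "/p/u/doAuthentication.do", "login",
               b"<AuthenticateResponse><InitialValue>\x00\x00\x8b\x19\xa2token="
               + bytes([i]) + b"\x00</InitialValue></AuthenticateResponse>")
    for i in range(1, 13)
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    print(len(results), "malformed requests;", noisy_sources(results), "looping")
```

When only access logs are available, the response check never fires and every hit is reported as an attempt; the repeat count per source is then the strongest signal you have, and any source that looped the endpoint against an unpatched build should be treated as having harvested sessions.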

Hadrian proactively scanned its customers using our Offensive Security Platform to identify exploitable vulnerabilities and provide assistance where necessary to secure their systems.

Response: What defenders should do now

If you're running a vulnerable version of Citrix Gateway, patch immediately using the updated builds released on June 17, 2025. But patching alone may not be enough: if your Gateway was exposed before patching, session tokens or credentials may already have been harvested, and a patched appliance will still honour a stolen session until it is terminated. We recommend the following steps:

  1. Patch immediately

Apply the latest Citrix updates listed above. Patches were released on June 17, 2025.

  2. Terminate active sessions

If exploitation is suspected, or you were running a vulnerable build, invalidate sessions that may have been harvested once the patch is in place. Citrix's advisory recommends terminating ICA and PCoIP sessions from the NetScaler CLI:

kill icaconnection -all
kill pcoipConnection -all

  3. Review logs and sessions

Look for signs of exploitation. If session tokens may have been exposed, rotate credentials and reset MFA for the affected users.

  4. Reduce exposure where possible

If Citrix Gateway is exposed to the internet but not actively in use, restrict access or disable the service.

Why this matters

CVE-2025-5777 isn't an advanced memory corruption bug; it is a simple input-validation flaw with serious consequences. Much like CitrixBleed, it shows how a minor parser oversight in exposed infrastructure can open a breach-sized window of opportunity.

This vulnerability is trivial to exploit, difficult to detect retroactively, and potentially devastating for organizations that rely on Citrix Gateway for remote access. If your device was exposed and unpatched, it’s safest to assume that session tokens may have been harvested.

Once again, a single malformed HTTP request is enough to walk right past your login screen.
