CitrixBleed 2: Electric Boogaloo — CVE-2025-5777
Remember CitrixBleed, the vulnerability where a simple HTTP request would dump memory, revealing session tokens? That was CVE-2023-4966.
It’s back like Kanye West returning to Twitter about two years later, this time as CVE-2025-5777.

You may have missed it, as the original CVE on 17th June 2025 referred to the “Netscaler Management Interface”, which you shouldn’t expose to the internet.
However, last night the CVE was updated to remove the Management Interface from the description:

The vulnerability allows an attacker to read memory from the Netscaler when configured as a Gateway or AAA virtual server — think remote access via Citrix, RDP etc. It’s an extremely common setup in large organisations.
Example Shodan search: http.favicon.hash:-1292923998,-1166125415

The memory may include sensitive information. Session tokens can be replayed to steal Citrix sessions, bypassing MFA. That was the problem with CitrixBleed.
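Because the practical impact is session replay, one defender-side check is to look for the same gateway session token being presented from more than one client IP. The example below is added here and is not from the original post or from Citrix; the log format is a constructed, simplified "timestamp,client_ip,session_token" record rather than any real NetScaler log layout.

```python
from collections import defaultdict

# Constructed sample records (not real NetScaler logs): one line per
# authenticated gateway request, in the form "timestamp,client_ip,session_token".
SAMPLE_LOG = """\
2025-06-25T08:00:01Z,203.0.113.10,sess-a1b2c3
2025-06-25T08:00:09Z,203.0.113.10,sess-a1b2c3
2025-06-25T08:01:15Z,198.51.100.7,sess-a1b2c3
2025-06-25T08:02:40Z,203.0.113.22,sess-d4e5f6
2025-06-25T08:03:02Z,203.0.113.22,sess-d4e5f6
"""


def parse_records(text):
    """Parse the constructed CSV-style format into (timestamp, ip, token) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, token = line.split(",", 2)
        records.append((ts, ip, token))
    return records


def find_replayed_sessions(records):
    """Return {token: sorted client IPs} for every token seen from more than one IP.

    A token presented from multiple source addresses is the signature of a
    replayed session; a token tied to a single IP is treated as normal use.
    """
    ips_by_token = defaultdict(set)
    for _ts, ip, token in records:
        ips_by_token[token].add(ip)
    return {t: sorted(ips) for t, ips in ips_by_token.items() if len(ips) > 1}


if __name__ == "__main__":
    hits = find_replayed_sessions(parse_records(SAMPLE_LOG))
    for token, ips in hits.items():
        print(f"{token} used from {len(ips)} client IPs: {', '.join(ips)}")
```

Mobile users and carrier NAT will change source IP legitimately, so in production this heuristic should be tuned with a time window, ASN or geolocation comparison before it pages anyone.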

The vulnerability is exploitable remotely and without authentication.


Citrix also say:
Additionally, we recommend running the following commands to terminate all active ICA and PCoIP sessions after all NetScaler appliances in the HA pair or cluster have been upgraded to the fixed builds:
kill icaconnection -all