Breachwire.riscent

Breach report

CitrixBleed 2: a memory leak that handed attackers live session tokens

Web Application BreachesCriticalCVE-2025-57772025-06
The bottom lineAn out-of-bounds memory read in Citrix NetScaler ADC and Gateway let unauthenticated attackers extract session tokens from device memory, hijacking authenticated sessions and bypassing multi-factor authentication.
Category
Web Application Breaches
Type
CVE · Session-token leak / MFA bypass
Date
2025-06
Severity
Critical
OWASP
Web A07 Authentication Failures
CWE / CVE
CWE-125 CVE-2025-5777

What happened

In June 2025, Citrix disclosed CVE-2025-5777, quickly nicknamed "CitrixBleed 2" for its resemblance to the 2023 CitrixBleed flaw. It affected Citrix NetScaler ADC and Gateway appliances — the remote-access gateways that sit at the edge of corporate networks. An unauthenticated attacker could read portions of device memory they should never see and pull out valid session tokens, then replay those tokens to impersonate logged-in users and slip past multi-factor authentication.

Citrix released patches on June 17, 2025. Exploitation warnings followed on June 27, public proof-of-concept exploits appeared around July 7, and on July 10 CISA added the flaw to its Known Exploited Vulnerabilities catalog. The following day CISA confirmed active exploitation and set an unusually short one-day patching deadline for federal agencies. Fixed builds included 14.1-43.56, 13.1-58.32, and the corresponding FIPS releases.

Root cause

The vulnerability was an out-of-bounds read (CWE-125): the appliance returned more memory than the request warranted, and that over-read region contained sensitive session material. Because the leaked tokens authenticated users directly, the impact was an authentication failure — stolen tokens defeated both passwords and MFA, since the attacker never touched the login flow at all.

How it would have been caught

Memory-safety fuzzing of the request parser would surface the over-read by feeding malformed length fields and observing that the response contains adjacent memory. A reproduction sends the crafted request repeatedly and confirms the response body leaks token-shaped data; a downstream check replays a captured token and confirms it grants an authenticated session.

How to prevent it

  • Patch internet-facing VPN and gateway appliances immediately when a CVE lands; edge devices are weaponized within days.
  • Rotate and invalidate all active sessions after patching, since tokens leaked before the fix remain valid until they expire.
  • Bind sessions to additional signals (client fingerprint, source characteristics) so a replayed token from a new context is rejected.
  • Monitor for concurrent sessions and impossible-travel logins as a detection backstop for token theft.

The Breachwire test (red → green)

Fire the crafted request at the unpatched appliance and confirm the response leaks session-token bytes from memory that can be replayed to gain an authenticated session — the RED control. Apply the fixed build, replay the identical request, and confirm the response no longer contains out-of-bounds memory, while legitimate sessions continue to authenticate normally.