## https://sploitus.com/exploit?id=1A52989F-8030-5C71-AC47-2D29A2303CF0
# CitrixBleed2 - CVE-2025-5777 PoC Scanner
This repository contains an advanced Proof of Concept (PoC) scanner for **CVE-2025-5777**, dubbed **CitrixBleed2**, a memory disclosure vulnerability affecting Citrix NetScaler ADC and Gateway.
Developed by **Guilherme Nocera** ([@nocerainfosec](https://twitter.com/nocerainfosec)), this tool is based on research originally published by WatchTowr Labs, with enhancements for deeper information extraction and secure memory leak analysis.
> **Disclaimer**: This tool is provided for **educational and authorized testing** purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal.
---
## About the Vulnerability - CVE-2025-5777
**CVE-2025-5777** is a memory disclosure vulnerability in **Citrix NetScaler ADC and Gateway** when configured as a Gateway (VPN virtual server, ICA proxy, CVPN, RDP Proxy).
By sending specially crafted HTTP POST requests to the authentication endpoint, an unauthenticated attacker can trigger memory disclosure, leaking sensitive data from heap memory.
This issue is a follow-up to the original "CitrixBleed" (CVE-2023-4966), and was disclosed in July 2025.
### Technical Summary:
* **Vulnerable Endpoint:** `/p/u/doAuthentication.do`
* **Attack Vector:** Network (unauthenticated)
* **Impact:** Disclosure of memory content
* **CVSS Score:** 7.5 (High)
* **Disclosure Source:** [WatchTowr Labs](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)
The original discovery and in-depth analysis were conducted by the WatchTowr Labs research team. This PoC was inspired by their publication and enhanced for extended detection, evidence logging, and memory analysis by **Guilherme Nocera / Nocera Infosec**.
---
## Features
* Exploits the CVE-2025-5777 (CitrixBleed2) memory disclosure vulnerability
* Collects leaked memory content via crafted `POST /p/u/doAuthentication.do` requests
* Extracts sensitive data such as:
  * Session cookies
  * Tokens
  * Basic Auth headers
  * Passwords and JWTs
* Displays and logs TLS certificate metadata (subject, issuer, validity)
* Automatically redacts known branding from specific organizations (e.g., removed specific vendor mentions)
* Saves leaks with a timestamped output file to prevent overwrites
---
## Usage
### Single Target
```bash
python3 cve-2025-5777.py -t <target> -r 5 -T 5 -v
```
### List of Targets
```bash
python3 cve-2025-5777.py -l targets.txt -r 3 -T 10
```
### Output File Customization
```bash
python3 cve-2025-5777.py -t <target> -o custom_output.txt
```
If `-o` is not specified, a timestamped file is created automatically (e.g., `citrix_leaks_20250705_154312.txt`).
---
## Detection Technique
The tool sends malformed authentication requests to:
```http
POST /p/u/doAuthentication.do HTTP/1.0
```
with a short payload and a specific `User-Agent` header to trigger the memory leak.
It then parses the raw response for high-entropy data, certificate metadata, and sensitive content (matched via regular expressions).
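For defenders, the request pattern described above (repeated `POST` requests to `/p/u/doAuthentication.do` using `HTTP/1.0`) is also what to look for on the server side. The following is an added example, not part of this repository, that runs two heuristics over access log lines in Combined Log Format: it flags any `HTTP/1.0` POST to the authentication endpoint, and any source that sends three or more POSTs to that endpoint in the examined window. The log lines, IP addresses, User-Agent strings and the burst threshold are all constructed for the example; the User-Agent values do not reflect what this tool or any real scanner sends.

```python
import re
from collections import Counter

VULN_PATH = "/p/u/doAuthentication.do"
BURST_THRESHOLD = 3  # assumed value for this example; tune to your own traffic

# Constructed sample access log (Combined Log Format). Not real traffic;
# addresses are documentation ranges and the User-Agent strings are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2025:15:43:12 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 1452 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:13 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 1470 "-" "python-requests/2.31"
203.0.113.7 - - [05/Jul/2025:15:43:14 +0000] "POST /p/u/doAuthentication.do HTTP/1.0" 200 1399 "-" "python-requests/2.31"
198.51.100.22 - - [05/Jul/2025:15:44:01 +0000] "POST /p/u/doAuthentication.do HTTP/1.1" 200 512 "https://vpn.example.test/logon/LogonPoint/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.22 - - [05/Jul/2025:15:44:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_suspicious_requests(log_text):
    """Return a list of findings for POSTs to the vulnerable endpoint.

    Heuristic 1: an HTTP/1.0 POST to the auth endpoint (browsers use HTTP/1.1+).
    Heuristic 2: BURST_THRESHOLD or more POSTs to the endpoint from one source.
    """
    findings = []
    posts_per_src = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != VULN_PATH:
            continue
        posts_per_src[rec["src"]] += 1
        if rec["proto"] == "HTTP/1.0":
            findings.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "reason": "HTTP/1.0 POST to auth endpoint",
                "ua": rec["ua"],
            })
    for src, n in posts_per_src.items():
        if n >= BURST_THRESHOLD:
            findings.append({
                "src": src,
                "ts": None,
                "reason": f"{n} POSTs to auth endpoint in window",
                "ua": None,
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{f['src']:<16} {f['reason']}" + (f"  ua={f['ua']}" if f["ua"] else ""))
```

Both heuristics are deliberately cheap so they can run on a log tail; the single legitimate logon in the sample (HTTP/1.1, referred from the LogonPoint page, one request) produces no finding, while the repeated HTTP/1.0 POSTs from one address trigger both rules. Neither rule proves exploitation on its own, so findings should be correlated with the NetScaler advisory status of the appliance and, where available, with response sizes on that endpoint.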
---
## Legal Notice
* This tool must only be used in **authorized** penetration testing or **controlled environments**.
* All users are solely responsible for ensuring legal and ethical use.
---
## Credits
* **Original discovery and writeup**: [WatchTowr Labs](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)
* **Enhanced PoC author**: Guilherme Nocera ([@nocerainfosec](https://twitter.com/nocerainfosec))
* Based on open-source research and crafted for Brazilian and global security professionals.
---
## Related
* [CVE Details - CVE-2025-5777](https://nvd.nist.gov/vuln/detail/CVE-2025-5777)
* [Citrix security advisories](https://www.citrix.com/support/security-bulletins.html)
* [WatchTowr Labs Article](https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/)
---
## License
This repository is released under the MIT License. See `LICENSE` for details.
Stay secure. Test responsibly.