Breach report
CitrixBleed 2: a memory leak that handed attackers live session tokens
What happened
In June 2025, Citrix disclosed CVE-2025-5777, quickly nicknamed "CitrixBleed 2" for its resemblance to the 2023 CitrixBleed flaw. It affected Citrix NetScaler ADC and Gateway appliances — the remote-access gateways that sit at the edge of corporate networks. An unauthenticated attacker could read portions of device memory they should never see and pull out valid session tokens, then replay those tokens to impersonate logged-in users and slip past multi-factor authentication.
Citrix released patches on June 17, 2025. Exploitation warnings followed on June 27, public proof-of-concept exploits appeared around July 7, and on July 10 CISA added the flaw to its Known Exploited Vulnerabilities catalog. The following day CISA confirmed active exploitation and set an unusually short one-day patching deadline for federal agencies. Fixed builds included 14.1-43.56, 13.1-58.32, and the corresponding FIPS releases.
Root cause
The vulnerability was an out-of-bounds read (CWE-125): the appliance returned more memory than the request warranted, and that over-read region contained sensitive session material. Because the leaked tokens authenticated users directly, the impact was an authentication failure — stolen tokens defeated both passwords and MFA, since the attacker never touched the login flow at all.
How it would have been caught
Memory-safety fuzzing of the request parser would surface the over-read by feeding malformed length fields and observing that the response contains adjacent memory. A reproduction sends the crafted request repeatedly and confirms the response body leaks token-shaped data; a downstream check replays a captured token and confirms it grants an authenticated session.
How to prevent it
- Patch internet-facing VPN and gateway appliances immediately when a CVE lands; edge devices are weaponized within days.
- Rotate and invalidate all active sessions after patching, since tokens leaked before the fix remain valid until they expire.
- Bind sessions to additional signals (client fingerprint, source characteristics) so a replayed token from a new context is rejected.
- Monitor for concurrent sessions and impossible-travel logins as a detection backstop for token theft.
The Breachwire test (red → green)
Fire the crafted request at the unpatched appliance and confirm the response leaks session-token bytes from memory that can be replayed to gain an authenticated session — the RED control. Apply the fixed build, replay the identical request, and confirm the response no longer contains out-of-bounds memory, while legitimate sessions continue to authenticate normally.