Warning
This script is intended for educational and research purposes only. Do not use it against systems without explicit permission. Unauthorized access or testing is illegal and unethical. Read the full DISCLAIMER before using this script.
This project demonstrates a memory leak vulnerability (CVE-2025-5777) found in Citrix NetScaler appliances. The vulnerability results from improper handling of uninitialized memory when parsing malformed POST data, particularly the `login` parameter. It is widely known as CitrixBleed 2 because of its strong resemblance to the infamous CVE-2023-4966 (the original CitrixBleed), which was heavily exploited in 2023.

When the `login` field is included without an equal sign or value, a portion of uninitialized stack memory is returned inside the `<InitialValue>` tag in the XML response.
Data Leaked: Each HTTP request can leak approximately 127 bytes of RAM content. By repeating these requests, attackers can collect sensitive data from memory, which may include:
- Session tokens (allowing session hijacking and bypassing MFA).
- Authentication data.
- Portions of previous HTTP requests.
- Plaintext credentials.
- Other sensitive information.
Installation:

    pip3 install aiohttp colorama

Usage:

    python3 exploit.py <URL> [options]

Basic usage:

Verbose with proxy:

Help: `-h`
This Python script:
- Sends repeated malformed POST requests.
- Parses XML responses.
- Extracts leaked memory from `<InitialValue>` fields.
- Displays it in a hex-dump format like the `xxd` tool.
- Supports optional proxying, threading and verbose output for analysis.
- Session Hijacking: The primary concern is the theft of session tokens, which allows attackers to hijack active user sessions and gain unauthorized access to critical systems, even if multi-factor authentication (MFA) is enabled.
- Bypassing Authentication: Stolen session tokens or credentials can be used to completely bypass the authentication process.
- Data Disclosure: Sensitive information residing in memory can be exposed.
- Update to the latest secure firmware immediately.
- Monitor for abnormal POST request patterns.
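The second mitigation above is the one a defender can act on immediately. The following is an added example (not part of this project's script or README) of detection logic for the request pattern the README describes: a POST whose form body carries a bare `login` field with no `=`, repeated many times from one client, since each request leaks only about 127 bytes and an attacker has to send many of them. It assumes request bodies are available from a reverse proxy or WAF log; the record format, the endpoint path and the sample records are constructed placeholders.

```python
"""Detection helper for the CitrixBleed 2 request pattern.

Added example, not part of the exploit script or the original README.
Assumes request bodies are available from a reverse proxy or WAF log;
the record layout, endpoint path and sample traffic are constructed.
"""
from collections import Counter
from typing import Iterable

# Placeholder for the affected login endpoint (not taken from the README).
LOGIN_PATH = "/LOGIN_ENDPOINT_PLACEHOLDER"


def has_bare_login_param(body: str) -> bool:
    """True when the form body contains a `login` field with no '=' at all.

    A normal form encodes the field as `login=<value>` (or `login=` when the
    value is empty). The malformed request described in the README sends just
    `login`, which is the pattern that triggers the memory disclosure.
    """
    for field in body.split("&"):
        name, sep, _value = field.partition("=")
        if name.strip() == "login" and sep == "":
            return True
    return False


def flag_requests(records: Iterable[dict], threshold: int = 5) -> dict:
    """Count malformed login POSTs per client and list clients over threshold.

    Each record carries 'client', 'method', 'path' and 'body'. Only POST
    requests are considered, since the disclosure comes from POST body
    parsing. Repetition is what makes the pattern suspicious, so a client
    is alerted on only once it reaches `threshold` malformed requests.
    """
    counts = Counter()
    for rec in records:
        if rec.get("method") != "POST":
            continue
        if has_bare_login_param(rec.get("body", "")):
            counts[rec["client"]] += 1
    alerts = [client for client, n in counts.items() if n >= threshold]
    return {"counts": dict(counts), "alerts": sorted(alerts)}


# Constructed sample records (not real traffic). RFC 5737 documentation
# addresses are used for the clients.
SAMPLE_RECORDS = (
    # one client hammering the endpoint with the bare `login` field
    [{"client": "203.0.113.7", "method": "POST", "path": LOGIN_PATH, "body": "login"}
     for _ in range(5)]
    # the same client also sends a well-formed login, which is not counted
    + [{"client": "203.0.113.7", "method": "POST", "path": LOGIN_PATH,
        "body": "login=alice&passwd=hunter2"}]
    # an empty-but-present value is well-formed and not counted
    + [{"client": "198.51.100.9", "method": "POST", "path": LOGIN_PATH,
        "body": "login=&passwd="}]
    # the bare field can appear anywhere in the body, not only first
    + [{"client": "198.51.100.9", "method": "POST", "path": LOGIN_PATH,
        "body": "passwd=x&login"}]
    # a GET with the same token is ignored: only POST bodies are parsed
    + [{"client": "192.0.2.33", "method": "GET", "path": LOGIN_PATH, "body": "login"}]
)


if __name__ == "__main__":
    result = flag_requests(SAMPLE_RECORDS)
    for client, n in sorted(result["counts"].items()):
        print(f"{client}: {n} malformed login POST(s)")
    print("alerts:", result["alerts"])
```

The check deliberately distinguishes `login` from `login=`: an empty value is a legitimate (if odd) form submission, whereas the missing `=` is the malformed shape the README describes. In production the threshold and the window over which requests are counted should be tuned to the appliance's normal login volume.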
- watchTowr Blog Post - Original analysis