CVE-2025-5777 CitrixBleed 2 Write-Up… Maybe?
Technical Details
We’ll skimp on a bunch of internal background information for NetScaler for the sake of brevity, but if you’re interested in reading further, here are a few good write-ups to get you started:
- Bishop Fox’s initial write-up on CVE-2023-4966
- Assetnote’s blog series on CVE-2023-3519
- Assetnote’s additional weaponization of CVE-2023-4966
Long story short, after digging through patch diffs of the nsppe binary (NetScaler Packet Parsing Engine, the module responsible for the NetScaler Gateway features, AAA authentication mechanisms, and similar functionality), we stumbled upon some new cleanup sections that zero out buffers and memory regions related to HTTP request data before they are reused: things such as request header length, request body length, and other HTTP request attributes.
This is where we’d normally show a screenshot or snippet of code to illustrate these changes… but given the slight differences among nsppe versions and the sheer size of the binary, we’re opting to demonstrate these changes with a targeted example further downstream in the code flow.
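As an added illustration (constructed for this page, not code from the article and not NetScaler's actual layout), the following C model shows why zeroing request-state fields before a context is reused matters: a second request that carries no body inherits the previous request's body length unless the context is reset first. The struct, field names and functions are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define BODY_MAX 256

/* Hypothetical per-connection request context that is reused across requests. */
typedef struct {
    size_t hdr_len;          /* parsed request header length */
    size_t body_len;         /* parsed request body length    */
    char   body[BODY_MAX];   /* request body bytes            */
} req_ctx_t;

/* Parse one request into a context. Fields the request does not supply are
 * left untouched, which is the reuse hazard the cleanup code guards against. */
size_t parse_into_ctx(req_ctx_t *ctx, const char *hdr, const char *body, size_t body_len) {
    ctx->hdr_len = strlen(hdr);
    if (body != NULL) {
        if (body_len > BODY_MAX) body_len = BODY_MAX;
        memcpy(ctx->body, body, body_len);
        ctx->body_len = body_len;
    }
    return ctx->body_len;
}

/* The kind of cleanup the patched binary performs before reusing a context:
 * every request attribute and buffer is zeroed, so nothing carries over. */
void reset_ctx(req_ctx_t *ctx) {
    memset(ctx, 0, sizeof(*ctx));
}

/* Simulate two requests on one context. Returns the body length the second
 * (body-less) request observes. Any non-zero value means a consumer that
 * trusts body_len would read the previous request's body bytes back out. */
size_t body_len_seen_by_second_request(int reset_between) {
    req_ctx_t ctx;
    memset(&ctx, 0, sizeof ctx);                        /* fresh context */
    parse_into_ctx(&ctx, "POST /a HTTP/1.1\r\n", "constructed-secret", 18);
    if (reset_between) {
        reset_ctx(&ctx);                                /* patched behaviour */
    }
    return parse_into_ctx(&ctx, "GET /b HTTP/1.1\r\n", NULL, 0);
}
```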
To read the complete article see:
https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/