Detection: Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure

Description

This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway. The vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials. This search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where
    Web.url IN ("*/p/u/doAuthentication.do*")
    Web.http_method="POST"
    Web.status=200
    by Web.http_user_agent, Web.status, Web.http_method,
       Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter`

Data Source

Name      Platform  Sourcetype  Source
Suricata  N/A       'suricata'  'suricata'

Macros Used

Name                                                           Value
security_content_ctime                                         convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter  search *

citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting             Value
Disabled            true
Cron Schedule       0 * * * *
Earliest Time       -70m@m
Latest Time         -10m@m
Schedule Window     auto
Creates Risk Event  True

This configuration applies to all detections of type anomaly. These detections use Risk Based Alerting.

Implementation

To implement this search, ensure that web traffic logs from Citrix NetScaler ADC and Gateway devices are being ingested into Splunk and mapped to the Web data model. The logs must include URL paths, HTTP methods, status codes, source and destination IPs, and user agents. The search keys on POST requests to the /p/u/doAuthentication.do endpoint, which is the primary attack vector for CVE-2025-5777.

Known False Positives

Legitimate authentication flows will trigger this detection as they access the doAuthentication.do endpoint. However, repeated automated requests, especially from HeadlessChrome user agents or with incomplete form data, should be investigated. Focus on unusual patterns like multiple rapid requests or non-standard user agents.
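The search above and the triage guidance in this section, worked as an added Python example that is not part of the Splunk content: it replays the tstats filter and grouping over constructed Suricata EVE http records, then marks groups that show a headless user agent or a rapid burst of POSTs. The EVE field names follow Suricata's JSON layout; the mapping of those fields onto the Web data model, the sample records, and the burst thresholds are assumptions.

```python
import json
from datetime import datetime

TARGET = "/p/u/doAuthentication.do"

# Constructed Suricata EVE http records (not captured traffic). Field names follow
# Suricata's EVE JSON layout; how they map onto the CIM Web data model is assumed.
SAMPLE_EVE = """\
{"timestamp":"2025-06-25T10:00:00.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"url":"/p/u/doAuthentication.do","http_method":"POST","status":200,"http_user_agent":"Mozilla/5.0 HeadlessChrome/125.0"}}
{"timestamp":"2025-06-25T10:00:01.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"url":"/p/u/doAuthentication.do","http_method":"POST","status":200,"http_user_agent":"Mozilla/5.0 HeadlessChrome/125.0"}}
{"timestamp":"2025-06-25T10:00:02.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","http":{"url":"/p/u/doAuthentication.do","http_method":"POST","status":200,"http_user_agent":"Mozilla/5.0 HeadlessChrome/125.0"}}
{"timestamp":"2025-06-25T10:03:00.000000+0000","event_type":"http","src_ip":"203.0.113.20","dest_ip":"10.0.0.5","http":{"url":"/p/u/doAuthentication.do","http_method":"POST","status":200,"http_user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"}}
{"timestamp":"2025-06-25T10:04:00.000000+0000","event_type":"http","src_ip":"203.0.113.20","dest_ip":"10.0.0.5","http":{"url":"/vpn/index.html","http_method":"GET","status":200,"http_user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"}}
"""

def matches(ev):
    """Mirror the tstats where-clause: POST to the endpoint answered with 200."""
    h = ev.get("http", {})
    return (ev.get("event_type") == "http" and TARGET in h.get("url", "")
            and h.get("http_method") == "POST" and h.get("status") == 200)

def aggregate(eve_text):
    """Mirror the 'by' clause (src, dest, user agent) with count/firstTime/lastTime."""
    groups = {}
    for line in filter(None, eve_text.splitlines()):
        ev = json.loads(line)
        if not matches(ev):
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        key = (ev["src_ip"], ev["dest_ip"], ev["http"].get("http_user_agent", ""))
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], ts), max(g["lastTime"], ts)
    return groups

def triage(groups, burst=3, window_s=60):
    """Apply the false-positive guidance: a single POST is likely a real login; a
    headless user agent or a rapid burst of POSTs from one source warrants a look."""
    findings = []
    for (src, dest, ua), g in groups.items():
        span = (g["lastTime"] - g["firstTime"]).total_seconds()
        reasons = []
        if "HeadlessChrome" in ua:
            reasons.append("headless user agent")
        if g["count"] >= burst and span <= window_s:
            reasons.append(f"{g['count']} POSTs within {span:.0f}s")
        findings.append({"src": src, "dest": dest, "count": g["count"],
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings
```

Running triage(aggregate(SAMPLE_EVE)) yields two groups: the headless source with three POSTs in two seconds is flagged, the single browser login is not, and the GET to /vpn/index.html never enters the aggregate.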

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Potential CitrixBleed 2 (CVE-2025-5777) exploitation from $src$ to $dest$ detected. POST requests to /p/u/doAuthentication.do may indicate memory disclosure vulnerability exploitation.

Risk Object  Risk Object Type  Risk Score  Threat Objects
dest         system            85          src

References

Detection Testing

Test Type    Status   Dataset  Source    Sourcetype
Validation   Passing  N/A      N/A       N/A
Unit         Passing  Dataset  suricata  suricata
Integration  Passing  Dataset  suricata  suricata

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Source: GitHub | Version: 1