ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
Detection: Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
Description
This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway. The vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials. This search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.
Search

```spl
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where
    Web.url IN ("*/p/u/doAuthentication.do*")
    Web.http_method="POST"
    Web.status=200
    by Web.http_user_agent, Web.status, Web.http_method,
       Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter`
```
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Suricata | N/A | suricata | suricata |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter | search * |
citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To implement this search, ensure that web traffic logs from Citrix NetScaler ADC and Gateway devices are being ingested into Splunk and mapped to the Web data model. The logs should include URL paths, HTTP methods, status codes, source and destination IPs, and user agents. Look specifically for POST requests to the /p/u/doAuthentication.do endpoint, which is the primary attack vector for CVE-2025-5777.
Known False Positives
Legitimate authentication flows will trigger this detection as they access the doAuthentication.do endpoint. However, repeated automated requests, especially from HeadlessChrome user agents or with incomplete form data, should be investigated. Focus on unusual patterns like multiple rapid requests or non-standard user agents.
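The following is an added example, not part of this detection's content or the project's code, showing the Search section's filter and aggregation logic applied to constructed Suricata EVE http records (documentation-range IPs, made-up user agents and timestamps) and then applying the triage guidance from Known False Positives: groups whose user agent contains HeadlessChrome, or whose count of POSTs lands within a short window, are ranked first. The field names (`http.url`, `http.http_method`, `http.status`, `http.http_user_agent`, `src_ip`, `dest_ip`, `timestamp`) are standard Suricata EVE keys; the thresholds `min_count=3` and `window_seconds=60` are assumptions chosen for the example, not values from the detection.

```python
"""Added example: filter/aggregate like the tstats search, then triage per the
Known False Positives guidance. Constructed input; not the project's own code."""
import json
from datetime import datetime

# The endpoint the detection's Web.url wildcard matches on.
VULN_PATH = "/p/u/doAuthentication.do"

# Constructed EVE records (TEST-NET addresses, invented user agents); not real traffic.
SAMPLE_EVE_LINES = r"""
{"timestamp":"2025-06-25T10:00:00.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/125.0","http_method":"POST","status":200}}
{"timestamp":"2025-06-25T10:00:10.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/125.0","http_method":"POST","status":200}}
{"timestamp":"2025-06-25T10:00:30.000000+0000","event_type":"http","src_ip":"203.0.113.10","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/125.0","http_method":"POST","status":200}}
{"timestamp":"2025-06-25T10:05:00.000000+0000","event_type":"http","src_ip":"198.51.100.5","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0","http_method":"POST","status":200}}
{"timestamp":"2025-06-25T10:06:00.000000+0000","event_type":"http","src_ip":"198.51.100.5","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0","http_method":"GET","status":200}}
{"timestamp":"2025-06-25T10:07:00.000000+0000","event_type":"http","src_ip":"198.51.100.7","dest_ip":"192.0.2.1","http":{"hostname":"vpn.example.test","url":"/p/u/doAuthentication.do","http_user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) Safari/605.1.15","http_method":"POST","status":302}}
{"timestamp":"2025-06-25T10:08:00.000000+0000","event_type":"flow","src_ip":"198.51.100.7","dest_ip":"192.0.2.1"}
"""


def parse_eve(text):
    """Parse EVE JSON lines, keeping only http events (flow, alert, etc. are skipped)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event_type") == "http":
            events.append(rec)
    return events


def matches_detection(rec):
    """Mirror of the tstats where clause: vulnerable path in URL, POST, status 200."""
    http = rec.get("http", {})
    return (VULN_PATH in http.get("url", "")
            and http.get("http_method") == "POST"
            and http.get("status") == 200)


def aggregate(events):
    """Group hits like the 'by' clause: count/firstTime/lastTime per (ua, src, dest, url)."""
    groups = {}
    for rec in events:
        if not matches_detection(rec):
            continue
        http = rec["http"]
        key = (http.get("http_user_agent", ""), rec["src_ip"], rec["dest_ip"], http["url"])
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        g = groups.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ts)
        g["lastTime"] = max(g["lastTime"], ts)
    return groups


def triage(groups, min_count=3, window_seconds=60):
    """Apply the false-positive guidance: flag headless UAs and rapid repeated POSTs.
    Thresholds are assumed for this example, not taken from the detection."""
    findings = []
    for (ua, src, dest, url), g in groups.items():
        span = (g["lastTime"] - g["firstTime"]).total_seconds()
        reasons = []
        if "HeadlessChrome" in ua:
            reasons.append("HeadlessChrome user agent")
        if g["count"] >= min_count and span <= window_seconds:
            reasons.append(f"{g['count']} POSTs within {int(span)}s")
        findings.append({"src": src, "dest": dest, "url": url, "user_agent": ua,
                         "count": g["count"],
                         "firstTime": g["firstTime"].isoformat(),
                         "lastTime": g["lastTime"].isoformat(),
                         "suspicious": bool(reasons), "reasons": reasons})
    # Suspicious groups first, then by descending request count.
    return sorted(findings, key=lambda f: (not f["suspicious"], -f["count"]))


def run_detection(text=SAMPLE_EVE_LINES):
    """End-to-end: parse -> filter/aggregate -> triage. Returns ranked findings."""
    return triage(aggregate(parse_eve(text)))


if __name__ == "__main__":
    for finding in run_detection():
        print(json.dumps(finding))
```

On the constructed input, the GET request and the POST answered with 302 never reach aggregation, just as they would not match the search; the single Firefox POST is a hit but carries no triage reasons, which is the "legitimate authentication flow" case the text describes, while the three HeadlessChrome POSTs inside 30 seconds are ranked first with both reasons attached.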
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
Potential CitrixBleed 2 (CVE-2025-5777) exploitation from $src$ to $dest$ detected. POST requests to /p/u/doAuthentication.do may indicate memory disclosure vulnerability exploitation.
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
dest | system | 85 | src |
References
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-5777.yaml
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | suricata | suricata |
Integration | ✅ Passing | Dataset | suricata | suricata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1