Editorial coverage · CVE-2025-5777
The patch closes the leak going forward. The credential disclosure already happened. Citrix's own remediation guidance does not invalidate the cookies the bug leaked.
An uninitialized-variable read on the `/p/u/doAuthentication.do` endpoint that returns approximately 127 bytes of unallocated stack memory per malformed POST. The leaked bytes carry active session tokens, `nsroot` administrator tokens, and in some samples plaintext credentials. CVSS 9.3 under v4. Pre-auth, no user interaction, MFA-bypassing by construction — the attacker never authenticates, the harvested tokens belong to processes that already did. CISA listed the bug on July 10, 2025 with a July 11 federal due date after Imperva counted 11.5 million attack attempts and Censys counted 69,000 exposed instances. The vendor's post-patch remediation guidance tells operators to run `kill icaconnection -all` and `kill pcoipConnection -all`. Horizon3.ai verified that those commands do not invalidate the `NSC_AAAC` authentication cookies the bug actually leaks. Mandiant published this same gap against CitrixBleed 1 in 2023. The audit form has no column for 'operator followed third-party guidance the vendor advisory omitted.'
What we say
Most patch records close the row when the version number on the appliance changes. The change record names the fix version, the SI-2 narrative names the change record, the QSA reads the narrative, the audit form rolls up. The model assumes that fixing the binary closes the exposure. For most bugs the model is approximately right. Credential-disclosure bugs break the model in a specific way: the binary patch closes the leak going forward, and the credentials that already leaked do not stop being valid because the leak stopped. The patched session and the leaked session both authenticate against the same cookie store, and the cookie store does not know which session is which.
Citrix Security Bulletin CTX693420 lists the fix versions per branch and names two post-patch commands: `kill icaconnection -all` and `kill pcoipConnection -all`. Horizon3.ai's reverse-engineering writeup verified what the operator community already suspected by late June: those two commands do not invalidate the `NSC_AAAC` authentication cookies the bug actually returns in the leaked memory. The vendor advisory's remediation list stops one command short of the remediation the bug requires. The complete remediation runbook exists — Mandiant published it on November 14, 2023 against the original CitrixBleed (CVE-2023-4966) — and the operator community has circulated it for two years. CTX693420 does not reference the 2023 Mandiant guidance. The advisory reads complete; the advisory is partial.
The structural problem is not that vendor advisories are sometimes incomplete. It is that audit infrastructure reads the vendor advisory as the authoritative remediation specification. PCI Requirement 6.3.3 writes a one-month patch clock against the advisory date and a binary patched/unpatched cell against the change record. The cell does not have a sub-field for "operator went beyond the vendor's instructions." The FedRAMP SI-2 narrative writes against the version-number change. The version number is the same whether the operator rotated the `NSC_AAAC` cookies, rebooted the appliance, killed the AAA sessions, and rotated the SAML or OIDC tokens against the downstream IdP, or just applied the patch and called it done. The two operators read identical on the audit form. They do not read identical to the adversary holding a stolen token.
The two-year recurrence is the thing the editorial corpus keeps arriving at. CitrixBleed 1 in 2023 had the same gap. Mandiant documented it. Cloud Software Group signed CISA’s Secure by Design pledge in 2024. Citrix shipped CitrixBleed 2 in 2025 with the same incomplete post-patch instructions, against approximately the same endpoint class, in approximately the same binary. The vendor advisory field that says “remediation steps” carries the same shape and the same omission. The change-record field on the operator side carries the same shape and the same closure. What changed is the count of exposed session tokens that the operator is now responsible for invalidating, and the audit infrastructure does not have a column for that count. It has a column for the version number on the appliance, and the version number is in compliance.
The narrow operational instruction is short: patch to the per-branch fix version, and then do the steps the vendor advisory does not list — full appliance reboot to force session teardown, `NSC_AAAC` cookie invalidation, downstream IdP token rotation against every service the NetScaler fronted, and incident-response treatment for any session active during the exposure window (mid-June 2025 onward, earlier if your telemetry can confirm it). The wider observation is what the audit form does with the gap between the published advisory and the complete remediation. The form reads the advisory and writes a binary cell. The complete remediation lives outside the cell. The operator who closes the cell and stops there is the audience the next ransomware campaign is for.
What NVD says
CWE-457 (use of uninitialized variable) plus CWE-125 (out-of-bounds read). NVD CVSS 4.0 base 9.3, vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N. The 4.0 score reads honest against the bug as a primitive: a malformed POST containing a `login` key with no value returns roughly 127 bytes of uninitialized memory per request, the request is unauthenticated, the impact is high-confidentiality with no integrity or availability change. CVSS 3.1 scores the same primitive at 7.5, which is the score most vulnerability-management tooling renders. What both rows fail to encode is the operational-state property that distinguishes credential-disclosure bugs from generic memory leaks. Once the leaked bytes contain a valid session token, the disclosure is irreversible at the protocol layer — the token validates whether the operator has patched the binary or not. CVSS treats the bug as a property of the binary; the credential is a property of an active session, and the active session outlives the patch. The score row contains the binary-state half of the problem and the session-state half is in neither column.
What the vendor says
Citrix Security Bulletin CTX693420 names the bug, names the fix versions per branch (14.1-47.46, 13.1-59.19, 13.1-37.236-FIPS, 12.1-55.328-FIPS), and names two post-patch commands: `kill icaconnection -all` and `kill pcoipConnection -all`. The advisory does not name `kill aaa session -all`, does not name appliance reboot, does not name `NSC_AAAC` cookie invalidation, does not name SAML/OIDC token rotation against any IdP downstream of the appliance. Horizon3.ai's reverse-engineering writeup verified that the two commands the advisory does name leave `NSC_AAAC` cookies valid. Mandiant published the same incomplete-remediation gap against the original CitrixBleed (CVE-2023-4966) on November 14, 2023, with a step-by-step session-invalidation runbook the operator community widely circulated at the time. The 2025 advisory does not reference the 2023 Mandiant guidance. The vendor advisory is the document audit infrastructure reads as the authoritative remediation specification. The authoritative remediation specification is incomplete by approximately the same gap, applied to approximately the same bug class, two years and one product generation later.
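One way to make the audit-cell gap concrete, as an added example that is not code from Citrix, Mandiant or this page: a remediation check that first evaluates the per-branch fix versions quoted above (the binary cell) and then also requires the session-invalidation steps from the operational instruction in "What we say". The build-string shape, the record field names and the two operator records are assumptions constructed for the example.

```python
import re

# Fix versions per branch, as quoted on this page from Citrix bulletin CTX693420.
FIX_VERSIONS = {
    "14.1": "14.1-47.46",
    "13.1": "13.1-59.19",
    "13.1-FIPS": "13.1-37.236-FIPS",
    "12.1-FIPS": "12.1-55.328-FIPS",
}

# Post-patch steps the advisory omits (the runbook steps this page describes). Hypothetical schema.
SESSION_STEPS = ("appliance_reboot", "aaa_sessions_killed",
                 "nsc_aaac_invalidated", "idp_tokens_rotated")

# Assumed NetScaler build-string shape: <major>.<minor>-<build>.<sub>[-FIPS]
_BUILD = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(-FIPS)?$")

def parse_build(version):
    """Split a build string into (branch, comparable build tuple)."""
    m = _BUILD.match(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version}")
    major, minor, build, sub, fips = m.groups()
    branch = f"{major}.{minor}" + ("-FIPS" if fips else "")
    return branch, (int(build), int(sub))

def binary_patched(version):
    """The audit-form cell: True once the build is at or past the branch fix build."""
    branch, build = parse_build(version)
    fix = FIX_VERSIONS.get(branch)
    if fix is None:
        return False  # unknown branch: no fix version to compare against
    return build >= parse_build(fix)[1]

def remediation_state(record):
    """What the cell cannot express: patched, but leaked sessions may still be live."""
    if not binary_patched(record["version"]):
        return "unpatched"
    missing = [step for step in SESSION_STEPS if not record.get(step, False)]
    if missing:
        return "patched_sessions_live:" + ",".join(missing)
    return "remediated"

# Constructed records: both operators show the fix version; only one rotated sessions.
OPERATOR_A = {"version": "14.1-47.46"}
OPERATOR_B = {"version": "14.1-47.46", **{step: True for step in SESSION_STEPS}}

if __name__ == "__main__":
    for name, rec in (("A", OPERATOR_A), ("B", OPERATOR_B)):
        print(name, binary_patched(rec["version"]), remediation_state(rec))
```

Both records return `True` from `binary_patched`, which is all the change record carries; only `remediation_state` separates them.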
Compliance impact
- PCI DSS
  - Requirement 6.3.3 writes a one-month patch clock against the advisory date (June 17, 2025 for CTX693420). The change record that names a fix-version upgrade within the window closes the row as a binary patched/unpatched cell. The cell does not encode whether the operator followed the partial vendor remediation or the complete Mandiant remediation. The same row passes the QSA's review whether the post-patch session rotation happened or did not happen, because the audit form's 'remediation' column reads the vendor advisory and the vendor advisory stopped short of the session-invalidation step. Requirement 8.3.5 (multi-factor authentication for non-console administrative access into the CDE) sits adjacent: the bug bypasses MFA by construction because the attacker never authenticates, and an `NSC_AAAC` cookie that survives the patch carries a session that already passed the MFA check. The 8.3.5 control narrative cannot honestly read 'MFA enforced' against a session the bug let an attacker hijack, but the audit form has no field for 'MFA was enforced and the session was hijacked anyway.' The CDE-scoping decision under Requirement 1 reads the appliance as in-scope when it brokers CDE access; the credential leak that already happened is in neither row.
- FedRAMP
  - BOD 22-01 wrote a July 11, 2025 federal due date — one day after the July 10 KEV listing, which itself trailed the Imperva-measured exploitation onset by approximately three weeks. The SI-2 narrative against the listing closes against the fix-version change record: 'patched to 14.1-47.46 within the BOD window.' The narrative reads identical against an FCEB operator who applied the patch alone and against an FCEB operator who applied the patch plus the full Mandiant 2023 session-rotation runbook plus a downstream IdP token rotation against any SAML or OIDC service the NetScaler fronted. The 800-53 SI-7(8) control on software integrity and the 800-53 IA-5 control on authenticator management both have language that reads against credential-leak handling, but neither control's audit narrative has a column for 'the credential was leaked before the patch and the patch did not retract it.' The continuous-monitoring framework writes against the artifact the change record produces; the artifact is the version number on the appliance. The version number does not encode the session state.
Sources
- NVD — CVE-2025-5777
- Citrix Security Bulletin CTX693420
- Horizon3.ai — CitrixBleed 2 Technical Analysis
- watchTowr Labs — How Much More Must We Bleed?
- Mandiant — CitrixBleed (CVE-2023-4966) Remediation Guidance
- CISA Known Exploited Vulnerabilities Catalog
Every source on this list has been read by the editorial team. We do not cite something we have not opened.