WatchTowr Labs researchers discovered two vulnerabilities in Citrix NetScaler while investigating CitrixBleed2 (CVE-2025-5777). The first (WT-2025-0089) is a memory leak triggered by a specific AAA misconfiguration — creating an AAA virtual server without enabling the feature via CLI — causing the root page to leak memory. Citrix declined to assign a CVE, agreeing the configuration is unrealistic in production. The second (WT-2025-0090, CVE-2025-12101) is a Reflected XSS via the SAML RelayState parameter on the /cgi/logout endpoint, exploitable via CSRF with a crafted SAMLResponse. The post raises broader concerns about Citrix NetScaler's fragile memory management, noting a recurring pattern of memory disclosure vulnerabilities across multiple CVEs.

From labs.watchtowr.com