Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)
Key Takeaways:
- A memory leak and a reflected XSS vulnerability (CVE-2025-12101) were discovered in Citrix NetScaler appliances.
- The memory leak, while not deemed a significant real-world threat, raises concerns about memory management fragility.
- The reflected XSS vulnerability can be exploited via CSRF by injecting a malicious payload into the RelayState parameter.
- Organizations should implement configuration audits, input validation, and CSRF protection.
- PurpleOps services can help organizations address these vulnerabilities and improve their overall security posture.
Table of Contents
- CitrixBleed2
- WT-2025-0089 – The Memory Leak, Explained
- How Do We Feel About This?
- WT-2025-0090 – SAML RelayState Reflected XSS
- Timeline
- Practical Takeaways
- How This Relates to PurpleOps Services
- FAQ
CitrixBleed2
The world of vulnerability research often involves a delicate balance between understanding and exploiting system weaknesses. Sometimes, vulnerabilities are uncovered through meticulous analysis; other times, they are stumbled upon almost by accident. This blog post delves into a recent discovery by watchTowr Labs regarding Citrix NetScaler appliances, focusing on a memory leak and a reflected cross-site scripting (RXSS) vulnerability identified as CVE-2025-12101. While the memory leak was deemed not a significant real-world concern, the RXSS vulnerability has been assigned a CVE and warrants attention.
In August 2025, watchTowr Labs triggered a rapid-response event for their client base related to CitrixBleed2 (CVE-2025-5777), a memory leak vulnerability affecting Citrix NetScaler appliances. This vulnerability, like its predecessor CitrixBleed, allowed for the disclosure of memory contents pre-authentication, reportedly playing a role in ransomware attacks by exposing SSLVPN session IDs. During the analysis of CitrixBleed2, watchTowr Labs uncovered two additional vulnerabilities: a memory leak (WT-2025-0089) and a reflected XSS vulnerability (WT-2025-0090), the latter being assigned CVE-2025-12101.
It’s important to note that the memory leak (WT-2025-0089) is not another CitrixBleed. However, the fact that misconfiguration could trigger memory disclosure raises concerns about the design and architecture of these appliances.
WT-2025-0089 – The Memory Leak, Explained
During the analysis of CitrixBleed2, the researchers were configuring AAA (Authentication, Authorization, and Auditing) on a Citrix NetScaler device. The AAA feature controls who can log in, what they can access, and what they do once inside the system. While configuring AAA, a misconfiguration led to the appliance leaking memory. Specifically, creating a new AAA virtual server via the web interface without enabling the feature via the command-line interface (CLI) resulted in the root page of the web interface leaking memory. Browsing to / on the affected device would return an error message along with leaked memory content.
Citrix has decided not to assign a CVE to this vulnerability, since it is not a realistic vulnerability and any exposure existing in any Internet-exposed environment is wildly improbable. However, the broader trend of memory management fragility within Citrix NetScaler appliances is concerning.
How Do We Feel About This?
While the specific memory leak may not be a widespread threat, the fact that a simple misconfiguration can lead to memory disclosure is concerning. It raises questions about the overall security posture of Citrix NetScaler appliances, particularly regarding memory management. The incident highlights a potential fragility in the system’s architecture, where unintentional misconfigurations can expose sensitive data. This situation underscores the importance of secure configuration practices and thorough testing to prevent unintended vulnerabilities.
WT-2025-0090 – SAML RelayState Reflected XSS
In addition to the memory leak, watchTowr Labs identified a reflected XSS vulnerability (CVE-2025-12101) within the single sign-on (SSO) flows of Citrix NetScaler, specifically in the handling of the RelayState parameter. The vulnerability can be triggered via a crafted HTTP POST request to the /cgi/logout endpoint, which accepts a SAMLResponse and a RelayState parameter. By injecting a malicious payload into the RelayState parameter (specifically, a base64-encoded SVG payload), an attacker can execute arbitrary JavaScript code in the context of the user’s browser.
The attack flow involves crafting a SAMLResponse with a modified RelayState parameter containing the malicious payload. While this may not appear immediately usable, it can be exploited via cross-site request forgery (CSRF) since the NetScaler’s /cgi/logout endpoint accepts HTTP POST requests with a valid SAMLResponse and a modified RelayState.
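The defensive counterpart of the flow described above is to treat RelayState as untrusted input: validate it against a narrow policy before it is ever reflected, and look through the encoding layers (URL encoding, base64) that the payload hides behind. The following is an added example written for this post, not code from watchTowr or Citrix; it assumes a deployment in which RelayState only ever carries a same-origin relative path, and the /cgi/logout parameter names are the ones named in the text.

```python
"""Defensive checks for a SAML RelayState value before it is reflected.
Added example for this post (not watchTowr's or Citrix's code).
Assumption: in this deployment RelayState should only carry a relative
path on the same origin; ALLOWED_PREFIXES and MAX_LEN encode that policy."""
import base64
import binascii
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_PREFIXES = ("/",)   # assumption: local paths only
MAX_LEN = 512               # assumption: generous upper bound for a path
# Markup that has no business in a relay state, in any encoding layer.
MARKUP_RE = re.compile(r"<\s*(svg|script|img|iframe|object|embed)\b|javascript:", re.I)

def decode_layers(value):
    """Return the raw value, its URL-decoded form and base64 decodes of both."""
    layers = [value]
    decoded = unquote(value)
    if decoded != value:
        layers.append(decoded)
    for cand in list(layers):
        try:  # non-base64 input raises or yields noise; both are harmless here
            raw = base64.b64decode(cand + "=" * (-len(cand) % 4))
            layers.append(raw.decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
    return layers

def check_relay_state(value: str) -> str:
    """Classify a RelayState as 'ok', 'too-long', 'markup' or 'not-local-path'."""
    if len(value) > MAX_LEN:
        return "too-long"
    if any(MARKUP_RE.search(layer) for layer in decode_layers(value)):
        return "markup"
    parts = urlsplit(unquote(value))
    if parts.scheme or parts.netloc or not parts.path.startswith(ALLOWED_PREFIXES):
        return "not-local-path"
    return "ok"

def check_logout_body(body: str) -> dict:
    """Proxy/WAF-side verdict for an x-www-form-urlencoded POST to /cgi/logout."""
    params = parse_qs(body, keep_blank_values=True)   # parse_qs URL-decodes values
    relay = params.get("RelayState", [""])[0]
    return {"has_saml_response": "SAMLResponse" in params,
            "relay_state": check_relay_state(relay)}

def reflect_relay_state(value: str) -> str:
    """Only a validated RelayState is reflected, and always HTML-escaped."""
    if check_relay_state(value) != "ok":
        raise ValueError("refusing to reflect unvalidated RelayState")
    return html.escape(value, quote=True)
```

The sample inputs used to exercise it (a base64-encoded `<svg></svg>`, a percent-encoded tag, an external URL) are constructed for this example.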
Timeline
- August 27th, 2025: watchTowr discloses WT-2025-0089 to Cloud Software Group PSIRT.
- August 28th, 2025: watchTowr discloses WT-2025-0090 to Cloud Software Group PSIRT.
- September 2nd, 2025: Cloud Software Group PSIRT acknowledges the report.
- October 24th, 2025: Cloud Software Group PSIRT confirms WT-2025-0089 is not a realistic vulnerability and will not be assigned a CVE.
- November 5th, 2025: Cloud Software Group PSIRT confirms the fix for WT-2025-0090 is scheduled to be published.
- November 11th, 2025: CVE-2025-12101 assigned to WT-2025-0090.
- November 11th, 2025: CVE-2025-12101 published.
- November 12th, 2025: watchTowr publishes research.
Practical Takeaways
For technical readers:
- Configuration Audits: Regularly audit configurations of Citrix NetScaler appliances, especially AAA configurations, to ensure no unintentional memory leaks are present.
- Input Validation: Implement strict input validation on all user-supplied input, including parameters like RelayState in SAML flows, to prevent XSS attacks.
- CSRF Protection: Implement CSRF protection mechanisms, such as anti-CSRF tokens, to prevent unauthorized requests to sensitive endpoints like /cgi/logout.
- Patch Management: Ensure timely patching of Citrix NetScaler appliances to address known vulnerabilities, including CVE-2025-12101.
- Real-Time Ransomware Intelligence: Keep up-to-date and check your systems against real-time ransomware intelligence to stay ahead of threats and protect your systems.
For non-technical readers (business leaders):
- Security Awareness Training: Ensure your IT staff is adequately trained on secure configuration practices for Citrix NetScaler appliances.
- Risk Assessment: Conduct regular risk assessments to identify potential vulnerabilities in your Citrix NetScaler deployment.
- Incident Response Plan: Develop and maintain an incident response plan to address potential security incidents, including those related to Citrix NetScaler vulnerabilities.
- Third-Party Security Audits: Engage third-party cybersecurity experts to conduct regular security audits of your Citrix NetScaler environment.
- Supply-Chain Risk Monitoring: Consider implementing a supply-chain risk monitoring program to assess the security posture of your vendors, including Citrix.
How This Relates to PurpleOps Services
PurpleOps offers a range of services that can help organizations address vulnerabilities like CVE-2025-12101 and improve their overall security posture. These services include:
- Cyber Threat Intelligence: PurpleOps’ cyber threat intelligence platform can provide real-time information about emerging threats and vulnerabilities, including those targeting Citrix NetScaler appliances. This information can help organizations proactively identify and mitigate potential risks.
- Breach Detection: PurpleOps’ breach detection services can help organizations identify and respond to security incidents, including those resulting from the exploitation of Citrix NetScaler vulnerabilities.
- Penetration Testing: PurpleOps’ services can help organizations identify vulnerabilities in their Citrix NetScaler environment and assess the effectiveness of their security controls. This can identify areas of weakness such as improper input validation.
- Red Team Operations: PurpleOps’ red team operations can simulate real-world attacks to test an organization’s security defenses, including those related to Citrix NetScaler appliances.
- Dark Web Monitoring: Our dark web monitoring service can detect compromised credentials or leaked information related to your organization.
- Underground Forum Intelligence: Monitor underground forums for discussions of exploits or vulnerabilities targeting your systems.
- Brand Leak Alerting: Receive alerts when your brand is mentioned in connection with security incidents.
The discovery of CVE-2025-12101 and the related memory leak underscores the importance of continuous monitoring, proactive threat intelligence, and robust security practices for Citrix NetScaler deployments. While the memory leak (WT-2025-0089) was determined not to be a realistic vulnerability, the broader trend of fragile memory management is concerning. By leveraging services like cyber threat intelligence platforms and breach detection, organizations can strengthen their defenses and mitigate potential risks associated with these vulnerabilities. The fact that an XSS could be exploited via CSRF also underscores the importance of secure coding practices and continuous monitoring.
If you want to learn more about how PurpleOps can help your organization secure its Citrix NetScaler environment and improve its overall security posture, explore our PurpleOps Solutions or contact us for more information at https://www.purple-ops.io/platform/.
FAQ
Q: What is CitrixBleed2?
A: CitrixBleed2 (CVE-2025-5777) is a memory leak vulnerability affecting Citrix NetScaler appliances that allows for the disclosure of memory contents pre-authentication.
Q: What is CVE-2025-12101?
A: CVE-2025-12101 is a reflected XSS vulnerability within the single sign-on (SSO) flows of Citrix NetScaler, specifically in the usage of the RelayState parameter.
Q: How can CVE-2025-12101 be exploited?
A: CVE-2025-12101 can be exploited via CSRF by injecting a malicious payload into the RelayState parameter of a crafted HTTP POST request to the /cgi/logout endpoint.
Q: Is the memory leak (WT-2025-0089) a significant threat?
A: Citrix has determined that the memory leak (WT-2025-0089) is not a realistic vulnerability and will not be assigned a CVE, but the broader trend of fragile memory management is concerning.
Q: What can organizations do to protect themselves from these vulnerabilities?
A: Organizations should implement configuration audits, input validation, CSRF protection, and timely patching of Citrix NetScaler appliances. They should also consider implementing a supply-chain risk monitoring program.