Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)
Estimated reading time: 10 minutes
Key Takeaways:
- Identified a memory leak and a reflected XSS vulnerability in Citrix NetScaler appliances.
- The memory leak, while present, is unlikely to be a significant real-world threat.
- CVE-2025-12101, a reflected XSS vulnerability, was found in the Single Sign-On (SSO) flows.
- Proper configuration audits, patch management, and input validation are crucial.
- PurpleOps can assist with breach detection, supply-chain risk monitoring, and more.
Table of Contents:
- Citrix NetScaler Memory Leak & RXSS CVE-2025-12101
- CitrixBleed2
- WT-2025-0089 – The Memory Leak, Explained
- How Do We Feel About This?
- WT-2025-0090 – SAML RelayState Reflected XSS
- Timeline
- Practical Takeaways
- How PurpleOps Can Help
- FAQ
The world of vulnerability research often feels like a delicate balance between chaos and order, demanding a keen eye for detail and a willingness to explore the unknown. Sometimes, significant vulnerabilities are discovered through meticulous analysis. Other times, they’re stumbled upon by accident. Today, we’re diving into a recent discovery by watchTowr Labs involving Citrix NetScaler appliances, specifically a memory leak and a reflected cross-site scripting (RXSS) vulnerability, CVE-2025-12101.
Citrix NetScaler Memory Leak & RXSS CVE-2025-12101
This blog post will discuss two vulnerabilities identified in Citrix NetScaler appliances by watchTowr Labs. While the memory leak was deemed not a significant real-world threat and was not assigned a CVE, the reflected XSS vulnerability was assigned CVE-2025-12101. We’ll break down the technical details of each, assess the potential impact, and explore the broader implications for organizations using Citrix NetScaler.
CitrixBleed2
In August 2025, watchTowr Labs triggered a rapid response event for CitrixBleed2 (CVE-2025-5777), a memory leak vulnerability affecting Citrix NetScaler appliances. CitrixBleed2, the second iteration of the original CitrixBleed, allowed for the unauthorized disclosure of memory, potentially leading to the exposure of sensitive information like SSLVPN session IDs. It was reportedly weaponized trivially by identifying SSLVPN session IDs (and similar) contained within leaked memory, and played a role in the compromise of numerous organizations. While investigating CitrixBleed2, researchers at watchTowr Labs uncovered two additional vulnerabilities:
- WT-2025-0089 – Memory Leak (no CVE assigned)
- WT-2025-0090 – Reflected XSS (CVE-2025-12101)
It’s important to note that the memory leak (WT-2025-0089) is *not* another instance of CitrixBleed. Its existence does, however, point to a recurring theme of memory management issues within Citrix NetScaler appliances, in this case triggered by nothing more than an unintentional misconfiguration.
WT-2025-0089 – The Memory Leak, Explained
During the analysis of CitrixBleed2, the watchTowr team became extensively familiar with Citrix NetScaler configurations, particularly the AAA feature. AAA, which stands for Authentication, Authorization, and Auditing, is a security framework that controls who can access a network, what resources they can use, and their activities while using those resources. In essence, it’s the gatekeeper for Citrix environments.
While configuring AAA, the team inadvertently skipped a step, and the resulting state caused the appliance to leak memory. Specifically, they created a new AAA virtual server via the web interface without first enabling the AAA feature via the command-line interface (CLI). In that state, browsing to the root / page of the web interface returned a helpful error message (UX is important!) together with leaked memory.
To reproduce this issue:
- Create a new AAA virtual server via the web interface.
- Without enabling the AAA feature via the CLI, browse to the root page of the web interface; the response will contain leaked memory.
For context, the feature is normally enabled via the CLI.
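The misconfiguration described above is something a configuration audit can catch: an authentication (AAA) virtual server is defined while the AAA feature is not enabled. The script below is an added example for this write-up, not code from watchTowr, Citrix or PurpleOps. It scans an ns.conf-style text export for exactly that state. The excerpt it reads is constructed for illustration, and the line formats it relies on (`enable ns feature ...`, `disable ns feature ...`, `add authentication vserver ...`) are assumed from common NetScaler configuration exports, so confirm them against a real export before relying on the check.

```python
"""Audit a NetScaler ns.conf excerpt for AAA virtual servers defined while the
AAA feature is disabled (the misconfiguration described in the write-up).

Added example; not watchTowr, Citrix or PurpleOps code. Line formats are
assumptions based on typical ns.conf exports.
"""
import re
from typing import List, Set

# Constructed ns.conf excerpt: an authentication vserver exists, but the
# feature list only enables LB and SSL (AAA is missing).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
enable ns feature LB SSL
add authentication vserver auth_vs_example SSL 10.0.0.20 443
add lb vserver web_vs HTTP 10.0.0.30 80
"""

# 'enable ns feature A B C' / 'disable ns feature A' lines, processed in order.
FEATURE_LINE_RE = re.compile(r"^(enable|disable) ns feature\s+(.+?)\s*$", re.MULTILINE)
# Name of each authentication (AAA) virtual server.
AAA_VS_RE = re.compile(r"^add authentication vserver\s+(\S+)", re.MULTILINE)


def enabled_features(conf: str) -> Set[str]:
    """Replay enable/disable lines in file order and return the final feature set."""
    feats: Set[str] = set()
    for verb, names in FEATURE_LINE_RE.findall(conf):
        tokens = {t.upper() for t in names.split()}
        if verb == "enable":
            feats |= tokens
        else:
            feats -= tokens
    return feats


def aaa_vservers(conf: str) -> List[str]:
    """Names of all authentication vservers declared in the config."""
    return AAA_VS_RE.findall(conf)


def audit_aaa(conf: str) -> List[str]:
    """One finding per AAA vserver that exists while the AAA feature is disabled."""
    if "AAA" in enabled_features(conf):
        return []
    return [
        f"AAA vserver '{name}' is defined but the AAA feature is not enabled"
        for name in aaa_vservers(conf)
    ]


if __name__ == "__main__":
    for line in audit_aaa(SAMPLE_NS_CONF) or ["no findings"]:
        print(line)
```

Run it against a saved copy of a configuration export; an empty result means either no AAA vservers exist or the AAA feature is enabled, which is the state the page describes as normal.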
How Do We Feel About This?
While a memory leak is never a welcome discovery, the specific circumstances required to trigger this vulnerability make it unlikely to be a significant concern in real-world scenarios. The researchers noted that finding this misconfiguration in an internet-exposed environment is improbable. Citrix also shared this view, leading them to decide against assigning a CVE.
However, the discovery highlights a broader concern: the apparent fragility of memory management within Citrix NetScaler appliances. The fact that a simple misconfiguration can lead to memory disclosure raises questions about the underlying architecture and design choices.
WT-2025-0090 – SAML RelayState Reflected XSS
In addition to the memory leak, watchTowr Labs identified a reflected XSS vulnerability (CVE-2025-12101) within the Single Sign-On (SSO) flows of Citrix NetScaler, specifically related to the RelayState parameter.
The RelayState parameter is used to redirect a user back to the originally requested resource after authentication. The researchers discovered that this parameter was vulnerable to an open redirect, potentially allowing attackers to redirect users to malicious websites.
By manipulating the RelayState parameter with base64 encoded XSS payloads, attackers could inject arbitrary JavaScript code into the context of the NetScaler appliance.
For example, a specially crafted HTTP POST request to /cgi/logout could exploit this vulnerability:
POST /cgi/logout HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Host: target
Content-Type: application/x-www-form-urlencoded
Content-Length: 1669
SAMLResponse=[BASE64-Generic-SAML-Response]&RelayState=DQpDb250ZW50LVR5cGU6IHRleHQvaHRtbA0KDQoNCjxzdmcvb25sb2FkPWFsZXJ0KDEpPg==
In this example, the RelayState parameter contains a base64 encoded string that, when decoded, is not just markup: it begins with a CRLF sequence and a Content-Type: text/html header, followed by blank lines and then an HTML <svg> tag whose onload event executes JavaScript (alert(1)).
While this vulnerability may not appear immediately exploitable, it can be leveraged through Cross-Site Request Forgery (CSRF) attacks. The /cgi/logout endpoint on NetScaler accepts HTTP POST requests with a valid SAMLResponse and a modified RelayState, making it susceptible to CSRF attacks.
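Seen from the defending side, the RelayState value in the request above is easy to reject before it is ever echoed into a redirect: once decoded, it contains control characters and HTML metacharacters, and it is not a same-site relative path. The following is an added example for this write-up, not NetScaler code and not watchTowr's research code. It parses a constructed form body shaped like the request above (the RelayState value is the one quoted in the post; the SAMLResponse is a placeholder) and applies a validation policy that is itself an assumption for illustration: RelayState must base64-decode to clean text that is a relative path beginning with a single slash.

```python
"""Validate a SAML RelayState value before honouring it as a redirect target.

Added example; not NetScaler or watchTowr code. The accept-only-relative-paths
policy and the sample request body are assumptions for illustration.
"""
import base64
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed form body in the shape of the request quoted in the write-up.
# The SAMLResponse is a placeholder; the RelayState is the value from the post.
SAMPLE_BODY = (
    "SAMLResponse=PLACEHOLDER-SAML-RESPONSE"
    "&RelayState=DQpDb250ZW50LVR5cGU6IHRleHQvaHRtbA0KDQoNCjxzdmcvb25sb2FkPWFsZXJ0KDEpPg=="
)

# Constructed benign value: base64 of "/vpn/index.html".
BENIGN_RELAY_STATE = "L3Zwbi9pbmRleC5odG1s"

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF and friends break headers
MARKUP_CHARS = re.compile(r"""[<>"']""")        # enough to open a tag or attribute


def decode_relay_state(value: str) -> Optional[str]:
    """Strictly base64-decode RelayState to UTF-8 text; None if it is malformed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None


def check_relay_state(decoded: str) -> List[str]:
    """Return the reasons a decoded RelayState must be rejected (empty list = accept)."""
    reasons: List[str] = []
    if CONTROL_CHARS.search(decoded):
        reasons.append("header-injection")   # CR/LF would split the redirect response
    if MARKUP_CHARS.search(decoded):
        reasons.append("markup")             # HTML metacharacters: script injection risk
    # Only a path-relative target on this host is allowed: a single leading slash,
    # never "//" or "/\" (browsers treat both as scheme-relative host switches).
    if not decoded.startswith("/") or decoded.startswith(("//", "/\\")):
        reasons.append("open-redirect")
    return reasons


def validate_request_body(body: str) -> Dict[str, object]:
    """Parse an application/x-www-form-urlencoded body and judge its RelayState."""
    # Note: a raw '+' in a form body decodes to a space, so base64 sent without
    # percent-encoding may fail the strict decode. That is a reject, not a bypass.
    form = parse_qs(body, keep_blank_values=True)
    raw = form.get("RelayState", [""])[0]
    decoded = decode_relay_state(raw)
    if decoded is None:
        return {"accept": False, "reasons": ["not-base64"], "decoded": None}
    reasons = check_relay_state(decoded)
    return {"accept": not reasons, "reasons": reasons, "decoded": decoded}


if __name__ == "__main__":
    print(validate_request_body(SAMPLE_BODY))
    print(validate_request_body("RelayState=" + BENIGN_RELAY_STATE))
```

The same decode-then-inspect step works as detection logic over captured request bodies: any RelayState that decodes to control characters or markup is worth an alert regardless of whether the appliance is patched.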
Timeline
- August 27th, 2025: watchTowr discloses WT-2025-0089 to Cloud Software Group PSIRT.
- August 28th, 2025: watchTowr discloses WT-2025-0090 to Cloud Software Group PSIRT.
- September 2nd, 2025: Cloud Software Group PSIRT acknowledges report.
- October 24th, 2025: Cloud Software Group PSIRT confirms that WT-2025-0089 is not a realistic vulnerability and will not be assigned a CVE.
- November 5th, 2025: Cloud Software Group PSIRT confirms the fix for WT-2025-0090 is scheduled to be published.
- November 11th, 2025: CVE-2025-12101 assigned to WT-2025-0090.
- November 11th, 2025: CVE-2025-12101 published.
- November 12th, 2025: watchTowr publishes research.
Practical Takeaways
- Configuration Audits: Regularly audit Citrix NetScaler configurations to identify potential misconfigurations that could lead to unexpected vulnerabilities.
- Patch Management: Maintain an up-to-date patch management process to address security vulnerabilities promptly.
- Input Validation: Implement robust input validation techniques to prevent injection attacks, such as XSS.
- Defense in Depth: Employ a defense-in-depth strategy to mitigate the impact of potential vulnerabilities.
- CSRF Protection: Implement CSRF protection mechanisms to prevent attackers from exploiting vulnerabilities through cross-site request forgery.
This vulnerability highlights the importance of maintaining a proactive security posture and staying informed about emerging threats. Implementing security best practices, such as regular patching, strong access controls, and continuous monitoring, can significantly reduce the risk of exploitation.
How PurpleOps Can Help
PurpleOps provides a range of cybersecurity services that can help organizations protect themselves from vulnerabilities like CVE-2025-12101. Our services include:
- Breach detection: We can help you detect and respond to breaches quickly and effectively.
- Supply-chain risk monitoring: We can help you monitor your supply chain for risks and vulnerabilities.
- Dark web monitoring service: Our dark web monitoring service can help you identify threats and protect your data from being leaked or sold on the dark web.
- Underground forum intelligence: We provide intelligence gathered from underground forums to help you stay ahead of emerging threats.
- Brand leak alerting: We can help you protect your brand by alerting you to potential brand leaks.
Our Cyber Threat Intelligence Platform provides real-time insights into emerging threats, including vulnerabilities like CVE-2025-12101, along with real-time ransomware intelligence to protect your organization against ransomware attacks and comprehensive threat intelligence to help you stay ahead of potential threats.
For organizations seeking proactive security measures, PurpleOps provides red team operations and penetration testing services to identify and remediate vulnerabilities before they can be exploited by attackers. We also offer supply chain information security assessments to evaluate and improve the security posture of your vendors and partners.
To learn more about how PurpleOps can help you protect your organization from cybersecurity threats, visit our PurpleOps Solutions or contact us for more information.
FAQ
Q: What is CVE-2025-12101?
A: CVE-2025-12101 is a reflected XSS vulnerability found in the Single Sign-On (SSO) flows of Citrix NetScaler, specifically related to the RelayState parameter.
Q: Is the memory leak (WT-2025-0089) a significant threat?
A: While a memory leak exists, the specific circumstances required to trigger it make it unlikely to be a significant concern in real-world scenarios. Citrix also shares this view.
Q: How can PurpleOps help protect against vulnerabilities like CVE-2025-12101?
A: PurpleOps provides services like breach detection, supply-chain risk monitoring, dark web monitoring, and cyber threat intelligence to help organizations protect themselves.