LoFP: Legitimate authentication flows will trigger this detection, since they also access the doAuthentication.do endpoint. However, repeated automated requests, especially from HeadlessChrome user agents or with incomplete form data, should be investigated. Focus on unusual patterns such as multiple rapid requests from one source or non-standard user agents.

Techniques

Sample rules

Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure

Description

This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway. The vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials. This search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.

Detection logic


| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where
Web.url IN ("*/p/u/doAuthentication.do*")
Web.http_method="POST"
Web.status=200
by Web.http_user_agent, Web.status, Web.http_method,
   Web.url, Web.url_length, Web.src, Web.dest, sourcetype

| `drop_dm_object_name("Web")`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter`
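The following is an added Python triage helper, not part of the LoFP page or Splunk's own content. It applies the same predicate as the tstats search above (POST, HTTP 200, the doAuthentication.do path) to constructed web records and then applies the false-positive guidance from the LoFP note: a burst of requests from one source or a HeadlessChrome user agent raises the priority, while a single interactive login is reported as low. The field names, sample records and the burst thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (assumption); field names follow the Web data model.
SAMPLE_EVENTS = [
    # One interactive login: expected traffic, should come out as low priority.
    {"_time": "2025-07-01T10:00:00", "src": "203.0.113.5", "http_method": "POST",
     "url": "/p/u/doAuthentication.do", "status": 200,
     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"},
    # GET to the same path: not matched by the rule at all.
    {"_time": "2025-07-01T10:00:05", "src": "203.0.113.5", "http_method": "GET",
     "url": "/p/u/doAuthentication.do", "status": 200,
     "http_user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/125.0"},
] + [
    # Six POSTs in 25 seconds from a headless browser: should be high priority.
    {"_time": f"2025-07-01T11:00:{5 * i:02d}", "src": "198.51.100.7", "http_method": "POST",
     "url": "/p/u/doAuthentication.do?x=1", "status": 200,
     "http_user_agent": "Mozilla/5.0 HeadlessChrome/125.0"}
    for i in range(6)
]

ENDPOINT = "/p/u/doauthentication.do"
RAPID_WINDOW_S, RAPID_THRESHOLD = 60, 5   # assumed tuning values

def matches_rule(ev):
    """Same predicate as the tstats search: POST, HTTP 200, vulnerable endpoint."""
    return (ev["http_method"] == "POST" and ev["status"] == 200
            and ENDPOINT in ev["url"].lower())

def triage(events):
    """Group rule matches by source and apply the LoFP guidance to each group."""
    by_src = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        times = sorted(datetime.fromisoformat(e["_time"]) for e in evs)
        reasons = []
        # Rapid burst: RAPID_THRESHOLD matches inside a RAPID_WINDOW_S-second window.
        for i in range(len(times) - RAPID_THRESHOLD + 1):
            if (times[i + RAPID_THRESHOLD - 1] - times[i]).total_seconds() <= RAPID_WINDOW_S:
                reasons.append("rapid_requests")
                break
        if any("headlesschrome" in e["http_user_agent"].lower() for e in evs):
            reasons.append("headless_user_agent")
        findings.append({"src": src, "count": len(evs),
                         "firstTime": times[0].isoformat(), "lastTime": times[-1].isoformat(),
                         "priority": "high" if reasons else "low", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```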