Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt

name: Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
id: 93db24a0-fd21-45d7-9daf-84afd5a8cca2
version: 5
date: '2026-03-10'
author: Michael Haag, Nasreddine Bencherchali, Splunk, Talos NTDR
status: production
type: TTP
description: |
    This analytic detects exploitation activity of CVE-2025-5777 using Cisco Secure Firewall Intrusion Events.
    It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered
    If confirmed malicious, this behavior is highly indicative of a potential exploitation of CVE-2025-5777.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall`
    EventType=IntrusionEvent
    signature_id = 65118
    | fillnull
    | stats min(_time) as firstTime
            max(_time) as lastTime
            values(signature_id) as signature_id
            values(signature) as signature
            values(class_desc) as class_desc
            values(MitreAttackGroups) as MitreAttackGroups
            values(InlineResult) as InlineResult
            values(InlineResultReason) as InlineResultReason
            values(src) as src
            values(dest_port) as dest_port
            values(rule) as rule
            values(transport) as transport
            values(app) as app
            by dest
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `cisco_secure_firewall___citrix_netscaler_memory_overread_attempt_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the FileEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The malware & file access policy must also enable logging.
known_false_positives: |
    Security testing or vulnerability scanners might trigger this. Investigate any potential
    matches to determine if they're legitimate.
references:
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
    - https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
    - https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console/
    - https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
    - https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
    - https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
    - https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-5777.yaml
drilldown_searches:
    - name: View the detection results for - "$src$" and "$dest$"
      search: '%original_detection_search% | search src="$src$" dest="$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$src$" and "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: Potential exploitation of CVE-2025-5777 from $src$
    risk_objects:
        - field: dest
          type: system
          score: 50
    threat_objects:
        - field: src
          type: system
tags:
    analytic_story:
        - Cisco Secure Firewall Threat Defense Analytics
        - Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777
    asset_type: Endpoint
    mitre_attack_id:
        - T1203
        - T1059
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/intrusion_event/intrusion_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer