
Summary
This detection rule identifies attempts to exploit CVE-2025-5777, a vulnerability in Citrix NetScaler. It uses Cisco Secure Firewall Intrusion Events and looks for triggers of Snort signature 65118, which indicates a potential memory overread attempt. If confirmed malicious, this behavior may mean an attacker is trying to exploit the vulnerability. The detection relies specifically on Cisco Secure Firewall logs, correlating the source and destination IPs with other event metadata to give a full view of the incident. Implementation details, potential false positives caused by scanning activity, and the need for environment-specific logging configuration are also discussed to improve the detection.
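As an added example (not the rule's own code or Cisco's product), the following Python routine shows the core of the detection over constructed intrusion-event lines: it keeps only events for signature 65118, groups them by source IP, and separates a single targeted attempt from broad scanning, which the summary names as a false-positive source. The key=value field names and the scanning threshold are assumptions, not Cisco's documented schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort signature ID the detection keys on (from the page).
TARGET_SIG_ID = 65118
# Assumption: one source hitting this many distinct destinations inside the
# window is triaged as scanning rather than a targeted attempt (tunable).
SCAN_DEST_THRESHOLD = 3
SCAN_WINDOW = timedelta(minutes=5)

# Constructed sample intrusion events in an assumed key=value syslog style.
# Field names (sig_id, src_ip, dst_ip, ...) are assumptions, not a real schema.
SAMPLE_EVENTS = """\
2025-07-17T10:00:01Z sig_id=65118 src_ip=203.0.113.10 dst_ip=192.0.2.5 dst_port=443 msg="NetScaler memory overread attempt"
2025-07-17T10:00:02Z sig_id=65118 src_ip=203.0.113.10 dst_ip=192.0.2.6 dst_port=443 msg="NetScaler memory overread attempt"
2025-07-17T10:00:03Z sig_id=65118 src_ip=203.0.113.10 dst_ip=192.0.2.7 dst_port=443 msg="NetScaler memory overread attempt"
2025-07-17T10:01:00Z sig_id=12345 src_ip=198.51.100.9 dst_ip=192.0.2.5 dst_port=80 msg="unrelated signature"
2025-07-17T10:02:30Z sig_id=65118 src_ip=198.51.100.20 dst_ip=192.0.2.5 dst_port=443 msg="NetScaler memory overread attempt"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse one event line into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['ts'] = datetime.strptime(m.group('ts'), '%Y-%m-%dT%H:%M:%SZ')
    fields['sig_id'] = int(fields.get('sig_id', -1))
    return fields

def detect(log_text):
    """Return one finding per source IP that triggered signature 65118."""
    events = (parse_event(l) for l in log_text.splitlines())
    hits = [e for e in events if e and e['sig_id'] == TARGET_SIG_ID]
    by_src = defaultdict(list)
    for e in hits:
        by_src[e['src_ip']].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e['ts'])
        dsts = {e['dst_ip'] for e in evs}
        span = evs[-1]['ts'] - evs[0]['ts']
        likely_scan = len(dsts) >= SCAN_DEST_THRESHOLD and span <= SCAN_WINDOW
        findings.append({'src_ip': src, 'dst_ips': sorted(dsts), 'count': len(evs),
                         'triage': 'likely scanning' if likely_scan else 'targeted attempt'})
    return findings
```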
Categories
- Network
- Endpoint
- Cloud
- Infrastructure
Data Sources
- Firewall
- Logon Session
ATT&CK Techniques
- T1203
- T1059
Created: 2025-07-17