
Summary
This detection rule identifies attempts to exploit CVE-2025-5777, a critical memory disclosure vulnerability in Citrix NetScaler ADC and Gateway, often referred to as CitrixBleed 2. The vulnerability is triggered when an attacker sends a crafted POST request with incomplete form data to the '/p/u/doAuthentication.do' endpoint, which can cause the appliance to leak sensitive memory contents, including session tokens and authentication credentials. The rule uses Suricata data, monitoring HTTP POST requests and filtering on specific conditions such as the target URL and a successful status code. Implementation requires ingesting web traffic logs from the Citrix ADC and Gateway into Splunk and mapping them to the Web data model so that potential exploitation activity can be tracked. Legitimate traffic to this endpoint may also trigger the detection, so analysts should focus on patterns that indicate automated tooling or atypical user agents, which often accompany the attack. References describing the nature and remediation of the CitrixBleed 2 issue are provided in the supporting links.
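To make the rule's conditions concrete, the following is an added Python example, not the detection rule's own Splunk search, that applies the same filter (HTTP POST, the target URL, a successful status) to constructed Suricata eve.json HTTP records and raises the priority of hits with an atypical user agent. The sample addresses, host name, user agents and the "Mozilla/" prefix heuristic are assumptions made for the example.

```python
import json

TARGET_URL = "/p/u/doAuthentication.do"  # endpoint named in the rule summary

def _http_event(method, url, status, ua):
    """One constructed Suricata eve.json HTTP record (sample data, not real traffic)."""
    return json.dumps({"event_type": "http", "src_ip": "198.51.100.23", "dest_ip": "203.0.113.10",
                       "http": {"hostname": "gateway.example.test", "url": url,
                                "http_method": method, "status": status, "http_user_agent": ua}})

# Constructed sample log lines: a scripted POST, a browser POST, two non-matches, one junk line.
SAMPLE_EVE_LINES = [
    _http_event("POST", TARGET_URL, 200, "python-requests/2.32.0"),
    _http_event("POST", TARGET_URL + "?x=1", 200, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    _http_event("GET", TARGET_URL, 200, "Mozilla/5.0"),                       # wrong method
    _http_event("POST", "/logon/LogonPoint/index.html", 302, "Mozilla/5.0"),  # wrong URL/status
    "not json at all",
]

def is_candidate(event: dict) -> bool:
    """Rule conditions: HTTP POST to the target URL answered with a 2xx status."""
    if event.get("event_type") != "http":
        return False
    http = event.get("http", {})
    path = http.get("url", "").split("?", 1)[0]  # ignore any query string
    return (http.get("http_method", "").upper() == "POST"
            and path == TARGET_URL
            and 200 <= int(http.get("status", 0)) < 300)

def atypical_user_agent(ua: str) -> bool:
    """Assumed triage heuristic: browsers send a Mozilla/ prefix, scripted clients usually do not."""
    return not ua.startswith("Mozilla/")

def detect(lines) -> list:
    """One finding per matching event; atypical user agents are raised to high priority."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the run
        if not is_candidate(event):
            continue
        ua = event["http"].get("http_user_agent", "")
        findings.append({"src_ip": event.get("src_ip"), "dest_ip": event.get("dest_ip"),
                         "user_agent": ua,
                         "priority": "high" if atypical_user_agent(ua) else "medium"})
    return findings
```

Calling `detect(SAMPLE_EVE_LINES)` returns two findings, the scripted client at high priority and the browser POST at medium, which mirrors the triage advice above: the rule alone cannot distinguish a legitimate login from the attack, so the user agent is used as a secondary signal.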
Categories
- Web
- Network
Data Sources
- Web Credential
- Network Traffic
ATT&CK Techniques
- T1190
Created: 2025-01-07