Critical Citrix Bleed Vulnerability Exploited for Ransomware Attacks
Key Takeaways A critical vulnerability, CitrixBleed 2 (CVE-2025-5777), in Citrix NetScaler ADC and Gateway appliances is being actively exploited for ransomware attacks. The flaw allows attackers to...
Key Takeaways
- A critical vulnerability, CitrixBleed 2 (CVE-2025-5777), in Citrix NetScaler ADC and Gateway appliances is being actively exploited for ransomware attacks.
- The flaw allows attackers to steal active session tokens before user authentication, bypassing multi-factor authentication.
- Attackers can escalate privileges and deploy ransomware, such as DragonForce, in less than an hour after initial access.
- Affected organizations must not only patch but also terminate all active sessions and rigorously audit their environments for signs of compromise.
A severe vulnerability within Citrix systems is enabling threat actors to rapidly transition from an internet-exposed gateway to a full-blown ransomware incident. This critical flaw, dubbed CitrixBleed 2 and identified as CVE-2025-5777, allows attackers to extract sensitive memory data from vulnerable NetScaler ADC and Gateway appliances before any user authentication occurs. This pre-authentication memory exposure enables attackers to harvest and reuse active session tokens, effectively bypassing traditional login credentials and multi-factor authentication (MFA).
Table Of Content
The exploitation of this vulnerability doesn’t require users to input passwords or approve sign-in requests. Instead, specially crafted, malformed login requests can cause the appliance to leak small fragments of its memory. These leaked fragments contain crucial information, including active session tokens, which an attacker can then leverage to hijack existing authenticated sessions.
Once an attacker gains access to a live authenticated session, they can escalate their privileges from a standard user to full administrative control within a compromised Windows environment. This rapid escalation poses a significant threat to organizational networks.
The Seven-Stage Attack Playbook
Between January and June 2026, security researchers at Huntress analyzed half a dozen distinct intrusions across various organizations. They identified a consistent, seven-stage attack methodology, indicating a coordinated and standardized operation rather than isolated opportunistic events. Huntress said in a report that all incidents shared the same initial access vector, privilege escalation techniques, creation of rogue accounts, and the deployment of specific remote-control tools.
The speed of these attacks is particularly alarming. In one documented case, the attacker progressed from gaining initial access to deploying ransomware in less than an hour. The sophisticated DragonForce ransomware was utilized in the most advanced of these observed intrusions.
Hackers Can Go From CitrixBleed 2 Exploitation to Ransomware in Under an Hour
CitrixBleed 2 is a memory-overread vulnerability affecting NetScaler systems configured as either Gateway or AAA virtual servers. This flaw is accessible without authentication through specific login endpoints, such as pudoAuthentication.do, when a POST request contains an empty login parameter. Researchers noted that initial attack traffic might resemble a password-spraying attempt due to a high volume of failed login events.
However, further analysis by Huntress revealed thousands of “AAA LOGINFAILED” events containing unusual, non-printable data in the User field. This data was not invalid usernames but rather leaked memory fragments containing critical information like HTTP headers, certificate material, and internal traffic details. The primary risk associated with this vulnerability is session theft. In one instance, a legitimate user successfully completed LDAP and multi-factor authentication from a known IP address. Just 21 minutes later, the same session was observed to be active from an attacker’s IP address, without any successful login by the attacker. This demonstrates how replaying a stolen session token renders multi-factor authentication ineffective, as the session has already been verified.
Following session hijacking, attackers typically deploy a portable Windows privilege-escalation tool to achieve SYSTEM-level access. This tool exploits a registry symbolic link, forces a Group Policy update, and initiates the Application Management service (AppMgmt). Subsequently, it creates a new local administrator account and then meticulously removes registry changes to hinder forensic investigations. The observed attack chain remained consistent across all victim organizations.
Attackers commonly installed remote-management software, accessed the environment via RDP, conducted reconnaissance of hosts and sessions, and, in the most advanced cases, executed the DragonForce ransomware executable, encrypting the compromised environment.
Containment Cannot Wait
The observed attack patterns underscore that patching alone is insufficient after a suspected CitrixBleed 2 exploitation. Stolen session tokens can remain valid even after a vulnerable appliance has been patched. Therefore, organizations must immediately terminate all outstanding sessions on systems that were vulnerable to CVE-2025-5777. It is also crucial to verify that exposed NetScaler services have been successfully patched, as incomplete remediation has allowed attackers to regain access in previous incidents.
Effective log preservation is equally vital. NetScaler logs can rotate quickly, providing only a narrow window to detect malformed login requests, memory leakage, session anomalies, and other diagnostic messages indicative of an attack. Forwarding appliance logs to a Security Information and Event Management (SIEM) system or another centralized repository significantly enhances the ability of incident responders to reconstruct an intrusion before critical evidence is lost.
Administrators should thoroughly review their Citrix environments for any unexpected accounts, specifically looking for ctxsvc, CtxAppVCOMService, and generic test accounts. Any suspicious test accounts should be verified for legitimacy. Furthermore, organizations must investigate any unscheduled installations of remote-management software like ScreenConnect or Zoho Assist. Comparing client-host details against remote-session records, including printer-mapping events, can help identify the operator’s workstation name. While swift isolation successfully limited encryption to a single host in the ransomware incident, the overarching lesson emphasizes the importance of both proactive prevention and rapid response. Organizations operating exposed NetScaler gateways must patch immediately, maintain comprehensive logs, terminate all active sessions, and actively search for the indicators of compromise listed below. A sudden surge of unusual failed login attempts should be treated as a potential memory-theft event, not merely a routine password attack.
What You Should Do
- Patch Immediately: Ensure all Citrix NetScaler ADC and Gateway appliances are updated to the latest patched versions that address CVE-2025-5777.
- Terminate All Sessions: After patching, force the termination of all active sessions on vulnerable NetScaler appliances. Stolen session tokens can persist even after a patch.
- Review Logs Thoroughly: Investigate NetScaler logs for anomalies, especially a high volume of “AAA LOGINFAILED” events with unusual, non-printable data in the User field. Forward logs to a SIEM for long-term retention and analysis.
- Audit User Accounts: Look for newly created or suspicious accounts, particularly
ctxsvc,CtxAppVCOMService, and generictestaccounts. Verify the legitimacy of any such accounts. - Check for Unauthorized Software: Scan for unexpected installations of remote-management tools like ScreenConnect (
Us.msi,SC.msi) or Zoho Assist (za.msi). - Monitor for Privilege Escalation Tools: Look for the execution of privilege escalation tools, often named
eng.exe,legal.exe,exsym.exe,as.exe, orexp6.exe. - Monitor Network Traffic: Watch for connections to suspicious domains associated with ScreenConnect relays (e.g.,
relay.dltsolutions[.]top,relay.eurofin[.]digital,vpts[.]us) or NetBird relays (e.g.,opa.tlsd[.]shop). - Implement Stronger Session Management: Consider shorter session timeouts and more frequent re-authentication requirements for critical systems.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Adversary account | ctxsvc |
Account created or used by the adversary <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/edf2399b-2d39-4a96-b5d0-5451d5307477/Hackers-Can-Go-From-CitrixBleed-2-Exploitation-to-Ransomware-in-Under-an-Hour.pdf?AWSAccessKeyId=ASIA2F3EMEYE7MAYLGRG&Signature=%2F26lO%2BxT0NAQ%2Bc1ihKLWtSm0l78%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEO3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIDG%2BE%2BEvOyoaPiig0oi9rCrs0NhxaXKgNV8dPr3WPZO1AiADjnDeWM7YlQFuvMJa894cu%2FY67Z9Zd8iv7zLz%2BZZ0fyr8BAi2%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIMxNyCWw%2FEZ5DSkZUnKtAE8ZXr4lr2%2BS85YchTyW1ORw89UvrQGER%2F7qvUtas%2BsUl%2Fy8%2F1WNJGhxe%2B%2F%2FdkSKsrILjZ64g42B25PWuzjkE1DIgxG7W4VYF8%2FQ48bYtd6OEoraOYh8qx9yioJJkMXmqb4th00t%2FrQN%2Fn9u3oBJIpz7j7so%2B%2BSWaC5Lg1fgkZzWMqnCPQ1YGpDgM%2BsM57iMXm1NYWK3NIS20GMgyFySi2tWgllEqVXUliG0wc1vCjm%2BVoOAhx7Jwy3CSNRzp%2BIuBcbXY9vrJniqGYZBHZNi%2FMG9qGCWrJYMn851Tjp7r3v5H47LMICyw6d2K66Y%2Bn6%2Fwu%2BeJZ9evXbdYqEucRyPvRfDEBfnuTMG2DMNObz73kiHwX1Ymw9uPp%2F0kPD2WQ5NoHA6YDIEt5r%2BAfju79xchn8LyBLw6%2FNdBFHrl%2Fb
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources. |



No Comment! Be the first one.