Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Home/Threats/Critical Citrix Bleed Vulnerability Exploited for Ransomware Attacks
Threats

Critical Citrix Bleed Vulnerability Exploited for Ransomware Attacks

Key Takeaways A critical vulnerability, CitrixBleed 2 (CVE-2025-5777), in Citrix NetScaler ADC and Gateway appliances is being actively exploited for ransomware attacks. The flaw allows attackers to...

David kimber
David kimber
July 11, 2026 5 Min Read
2 0

Key Takeaways

  • A critical vulnerability, CitrixBleed 2 (CVE-2025-5777), in Citrix NetScaler ADC and Gateway appliances is being actively exploited for ransomware attacks.
  • The flaw allows attackers to steal active session tokens before user authentication, bypassing multi-factor authentication.
  • Attackers can escalate privileges and deploy ransomware, such as DragonForce, in less than an hour after initial access.
  • Affected organizations must not only patch but also terminate all active sessions and rigorously audit their environments for signs of compromise.

A severe vulnerability within Citrix systems is enabling threat actors to rapidly transition from an internet-exposed gateway to a full-blown ransomware incident. This critical flaw, dubbed CitrixBleed 2 and identified as CVE-2025-5777, allows attackers to extract sensitive memory data from vulnerable NetScaler ADC and Gateway appliances before any user authentication occurs. This pre-authentication memory exposure enables attackers to harvest and reuse active session tokens, effectively bypassing traditional login credentials and multi-factor authentication (MFA).

Table Of Content

  • Key Takeaways
  • The Seven-Stage Attack Playbook
  • Hackers Can Go From CitrixBleed 2 Exploitation to Ransomware in Under an Hour
  • Containment Cannot Wait
  • What You Should Do

The exploitation of this vulnerability doesn’t require users to input passwords or approve sign-in requests. Instead, specially crafted, malformed login requests can cause the appliance to leak small fragments of its memory. These leaked fragments contain crucial information, including active session tokens, which an attacker can then leverage to hijack existing authenticated sessions.

Once an attacker gains access to a live authenticated session, they can escalate their privileges from a standard user to full administrative control within a compromised Windows environment. This rapid escalation poses a significant threat to organizational networks.

The Seven-Stage Attack Playbook

Between January and June 2026, security researchers at Huntress analyzed half a dozen distinct intrusions across various organizations. They identified a consistent, seven-stage attack methodology, indicating a coordinated and standardized operation rather than isolated opportunistic events. Huntress said in a report that all incidents shared the same initial access vector, privilege escalation techniques, creation of rogue accounts, and the deployment of specific remote-control tools.

The speed of these attacks is particularly alarming. In one documented case, the attacker progressed from gaining initial access to deploying ransomware in less than an hour. The sophisticated DragonForce ransomware was utilized in the most advanced of these observed intrusions.

Hackers Can Go From CitrixBleed 2 Exploitation to Ransomware in Under an Hour

CitrixBleed 2 is a memory-overread vulnerability affecting NetScaler systems configured as either Gateway or AAA virtual servers. This flaw is accessible without authentication through specific login endpoints, such as pudoAuthentication.do, when a POST request contains an empty login parameter. Researchers noted that initial attack traffic might resemble a password-spraying attempt due to a high volume of failed login events.

However, further analysis by Huntress revealed thousands of “AAA LOGINFAILED” events containing unusual, non-printable data in the User field. This data was not invalid usernames but rather leaked memory fragments containing critical information like HTTP headers, certificate material, and internal traffic details. The primary risk associated with this vulnerability is session theft. In one instance, a legitimate user successfully completed LDAP and multi-factor authentication from a known IP address. Just 21 minutes later, the same session was observed to be active from an attacker’s IP address, without any successful login by the attacker. This demonstrates how replaying a stolen session token renders multi-factor authentication ineffective, as the session has already been verified.

Following session hijacking, attackers typically deploy a portable Windows privilege-escalation tool to achieve SYSTEM-level access. This tool exploits a registry symbolic link, forces a Group Policy update, and initiates the Application Management service (AppMgmt). Subsequently, it creates a new local administrator account and then meticulously removes registry changes to hinder forensic investigations. The observed attack chain remained consistent across all victim organizations.

Attackers commonly installed remote-management software, accessed the environment via RDP, conducted reconnaissance of hosts and sessions, and, in the most advanced cases, executed the DragonForce ransomware executable, encrypting the compromised environment.

Containment Cannot Wait

The observed attack patterns underscore that patching alone is insufficient after a suspected CitrixBleed 2 exploitation. Stolen session tokens can remain valid even after a vulnerable appliance has been patched. Therefore, organizations must immediately terminate all outstanding sessions on systems that were vulnerable to CVE-2025-5777. It is also crucial to verify that exposed NetScaler services have been successfully patched, as incomplete remediation has allowed attackers to regain access in previous incidents.

Effective log preservation is equally vital. NetScaler logs can rotate quickly, providing only a narrow window to detect malformed login requests, memory leakage, session anomalies, and other diagnostic messages indicative of an attack. Forwarding appliance logs to a Security Information and Event Management (SIEM) system or another centralized repository significantly enhances the ability of incident responders to reconstruct an intrusion before critical evidence is lost.

Administrators should thoroughly review their Citrix environments for any unexpected accounts, specifically looking for ctxsvc, CtxAppVCOMService, and generic test accounts. Any suspicious test accounts should be verified for legitimacy. Furthermore, organizations must investigate any unscheduled installations of remote-management software like ScreenConnect or Zoho Assist. Comparing client-host details against remote-session records, including printer-mapping events, can help identify the operator’s workstation name. While swift isolation successfully limited encryption to a single host in the ransomware incident, the overarching lesson emphasizes the importance of both proactive prevention and rapid response. Organizations operating exposed NetScaler gateways must patch immediately, maintain comprehensive logs, terminate all active sessions, and actively search for the indicators of compromise listed below. A sudden surge of unusual failed login attempts should be treated as a potential memory-theft event, not merely a routine password attack.

What You Should Do

  • Patch Immediately: Ensure all Citrix NetScaler ADC and Gateway appliances are updated to the latest patched versions that address CVE-2025-5777.
  • Terminate All Sessions: After patching, force the termination of all active sessions on vulnerable NetScaler appliances. Stolen session tokens can persist even after a patch.
  • Review Logs Thoroughly: Investigate NetScaler logs for anomalies, especially a high volume of “AAA LOGINFAILED” events with unusual, non-printable data in the User field. Forward logs to a SIEM for long-term retention and analysis.
  • Audit User Accounts: Look for newly created or suspicious accounts, particularly ctxsvc, CtxAppVCOMService, and generic test accounts. Verify the legitimacy of any such accounts.
  • Check for Unauthorized Software: Scan for unexpected installations of remote-management tools like ScreenConnect (Us.msi, SC.msi) or Zoho Assist (za.msi).
  • Monitor for Privilege Escalation Tools: Look for the execution of privilege escalation tools, often named eng.exe, legal.exe, exsym.exe, as.exe, or exp6.exe.
  • Monitor Network Traffic: Watch for connections to suspicious domains associated with ScreenConnect relays (e.g., relay.dltsolutions[.]top, relay.eurofin[.]digital, vpts[.]us) or NetBird relays (e.g., opa.tlsd[.]shop).
  • Implement Stronger Session Management: Consider shorter session timeouts and more frequent re-authentication requirements for critical systems.

Indicators of Compromise (IoCs):-

Type Indicator Description
Adversary account ctxsvc Account created or used by the adversary <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/edf2399b-2d39-4a96-b5d0-5451d5307477/Hackers-Can-Go-From-CitrixBleed-2-Exploitation-to-Ransomware-in-Under-an-Hour.pdf?AWSAccessKeyId=ASIA2F3EMEYE7MAYLGRG&Signature=%2F26lO%2BxT0NAQ%2Bc1ihKLWtSm0l78%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEO3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIDG%2BE%2BEvOyoaPiig0oi9rCrs0NhxaXKgNV8dPr3WPZO1AiADjnDeWM7YlQFuvMJa894cu%2FY67Z9Zd8iv7zLz%2BZZ0fyr8BAi2%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDY5OTc1MzMwOTcwNSIMxNyCWw%2FEZ5DSkZUnKtAE8ZXr4lr2%2BS85YchTyW1ORw89UvrQGER%2F7qvUtas%2BsUl%2Fy8%2F1WNJGhxe%2B%2F%2FdkSKsrILjZ64g42B25PWuzjkE1DIgxG7W4VYF8%2FQ48bYtd6OEoraOYh8qx9yioJJkMXmqb4th00t%2FrQN%2Fn9u3oBJIpz7j7so%2B%2BSWaC5Lg1fgkZzWMqnCPQ1YGpDgM%2BsM57iMXm1NYWK3NIS20GMgyFySi2tWgllEqVXUliG0wc1vCjm%2BVoOAhx7Jwy3CSNRzp%2BIuBcbXY9vrJniqGYZBHZNi%2FMG9qGCWrJYMn851Tjp7r3v5H47LMICyw6d2K66Y%2Bn6%2Fwu%2BeJZ9evXbdYqEucRyPvRfDEBfnuTMG2DMNObz73kiHwX1Ymw9uPp%2F0kPD2WQ5NoHA6YDIEt5r%2BAfju79xchn8LyBLw6%2FNdBFHrl%2Fb

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitHackerPatchransomwareSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges

Next Post

Progress Urges ShareFile Server Shutdown Over Critical Vulnerability

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Linux Kernel FUSE Vulnerability (CVE-2023-XXXX) Lets Attackers Gain Root Privileges
July 10, 2026
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us