by datastudy.nl


Citrix Bleed 2 turns ransomware into identity theft

Citrix Bleed 2 is now an Anubis ransomware access path. Patch NetScaler, kill sessions, and hunt RMM plus credential abuse.

[Chart: Citrix Bleed 2 timeline in days.] Citrix Bleed 2 moved from Citrix advisory to CISA KEV in 23 days, carried a 1 day federal remediation window, and appeared in Arctic Wolf Anubis ransomware reporting 378 days after disclosure. Source: Citrix, NVD CISA KEV entry, and Arctic Wolf Labs. Data Today benchmark.

Citrix Bleed 2 now has the thing every edge appliance bug should fear: ransomware operators treating it as an identity source instead of a one-time exploit.

If you run NetScaler ADC or NetScaler Gateway, your patch ticket is the easy part. Your harder job is proving stolen sessions, VPN credentials, RMM agents, and backup paths did not survive the patch.

Citrix Bleed 2 is the industry nickname for CVE-2025-5777, a critical NetScaler ADC and NetScaler Gateway flaw that can expose memory when the appliance is configured as a Gateway or AAA virtual server. Citrix scored it 9.3 under CVSS v4.0 and, in its June 17, 2025 security bulletin, told customers to install fixed builds and then terminate active ICA and PCoIP sessions after upgrading the high availability pair or cluster. That session-kill instruction is the giveaway. This class of bug can leave stolen access material behind after the vulnerable appliance is fixed.

The new operator signal comes from Arctic Wolf Labs, which said in its Anubis tradecraft report on June 30, 2026 that it had investigated Anubis ransomware intrusions in 2026 involving both valid VPN credential use and exploitation of Citrix Bleed 2. The July 2 Hacker News roundup made the broader pattern plain: ransomware crews are mixing edge appliance exploitation, bring your own vulnerable driver behavior, and supply chain credential theft into one practical access economy.

That should change how you triage this. Treat Citrix Bleed 2 as an identity incident with a network appliance entry point.

What actually happened with Citrix Bleed 2 and Anubis?

The core vulnerability is narrow on paper and ugly in production. CVE-2025-5777 affects NetScaler ADC and NetScaler Gateway only under specific configurations: Gateway modes such as VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or an AAA virtual server, according to the Citrix advisory. The fixed versions Citrix listed were NetScaler ADC and Gateway 14.1-43.56 and later, 13.1-58.32 and later, NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later, and NetScaler ADC 12.1-FIPS 12.1-55.328 and later.

CISA later put CVE-2025-5777 in the Known Exploited Vulnerabilities catalog with a date added of July 10, 2025 and a due date of July 11, 2025, as mirrored in the NVD entry for CVE-2025-5777. One day is not a leisurely patch cycle. It is the government version of a smoke alarm.

The timeline matters because ransomware operators do not need to win on day one forever. They need enough organizations to patch late, skip session invalidation, or fail to rotate the credentials exposed through the appliance. The chart below shows the practical clock operators were handed: 23 days from Citrix publication to CISA KEV, 1 day for the KEV remediation window, and 378 days from Citrix publication to Arctic Wolf's public Anubis report.

[Bar chart: Citrix Bleed 2 timeline in days.] Citrix Bleed 2 timeline based on Citrix publication, CISA KEV dates mirrored by NVD, and Arctic Wolf's Anubis report: 23 days to KEV, 1 day to the KEV due date, and 378 days to public Anubis ransomware reporting. Source: Citrix, NVD CISA KEV entry, and Arctic Wolf Labs. Data Today benchmark.

Arctic Wolf's Anubis cases show why the edge bug becomes a full environment problem. Across the intrusions it reviewed, initial access generally fell into two buckets: valid VPN credentials and exploitation of remote vulnerabilities such as Citrix Bleed 2, with the latter capable of exposing session material and creating a path to session hijacking and MFA bypass when valid tokens are obtained, according to the same Arctic Wolf report. After access, the behavior looked less like a movie hacker and more like a bad admin day: RDP, SMB, PsExec, RMM tooling, credential dumping, cloud transfer utilities, and then encryption.

The tool list is the operator impact. Arctic Wolf observed legitimate remote management tools including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment, and mRemoteNG in Anubis activity. It also reported credential access artifacts including Mimikatz staging, browser password exports, and an Active Directory ntds.dit copy that was followed by an Active Directory.zip archive within a minute. In one representative case, encryption began within less than an hour of ntds.dit extraction.

That is why a green vulnerability scanner result is weak comfort. The attacker may have moved from the appliance to your identity plane before the scan ever changed color.

Why does this become a credential problem after patching?

Edge appliances sit where your clean architecture diagrams get mugged by reality. They terminate sessions, broker remote access, front sensitive apps, and often talk to identity systems. A memory disclosure on that boundary can produce the material attackers need to look like a user who already passed the front door.

Citrix's own remediation language says the quiet part. After upgrading all NetScaler appliances in an HA pair or cluster, the vendor bulletin recommends running kill icaconnection -all and kill pcoipConnection -all on the NetScaler CLI to terminate active sessions. If your runbook ended at firmware or build number, it likely left the more important question unanswered: which sessions, cookies, tokens, and credentials should now be distrusted?

For operators, the blast radius breaks into four practical workstreams:

  • Session cleanup: terminate active Citrix sessions after upgrade, then force reauthentication for high-risk remote access groups.
  • Credential reset: rotate credentials for administrators, VPN users with anomalous access, service accounts touching NetScaler, and accounts seen in suspicious RDP or SMB chains.
  • RMM inventory: compare every installed remote tool against your approved list, then treat new ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and similar installs as incident evidence until cleared.
  • Backup isolation: inspect NAS, hypervisor, and backup management access because Arctic Wolf saw Anubis activity touch NAS storage, Hyper-V paths, backup-adjacent systems, and domain controllers.

This is where Citrix Bleed 2 rhymes with other edge gear incidents. The device is the entry point, but the compromise becomes durable through identity, tooling, and storage. That is the same operator lesson behind our earlier guide on CISA KEV edge gear pressure: appliances that mediate access deserve identity-grade incident response, not routine infrastructure patch handling.

The BYOVD angle adds a second reason to widen the hunt. Bring your own vulnerable driver attacks use legitimate signed drivers with exploitable flaws to gain kernel leverage, weaken endpoint security, or load malicious components. Microsoft's driver block rules documentation says malicious actors exploit vulnerable legitimate signed kernel drivers, and its recommended control is the vulnerable driver blocklist plus App Control where feasible. If a ransomware affiliate already has admin-level access through stolen sessions or VPN credentials, BYOVD becomes a way to make your EDR argue from the floor.

The supply chain credential angle points at the same root problem: attackers want reusable trust. Arctic Wolf reported in its March 2026 TeamPCP campaign bulletin that TeamPCP targeted Trivy, Checkmarx KICS, and LiteLLM by pivoting with stolen CI/CD secrets and signing credentials, and said reports indicated at least 1,000 enterprise SaaS environments might be affected. LiteLLM mattered because it often centralizes API keys for AI providers, cloud credentials, Kubernetes secrets, and other high-value environment material.

The common thread is boring and lethal: stolen credentials age better than exploits. An exploit gets patched. A token copied into a file, a browser export, a CI secret, or a service account password can keep paying rent.

What should you do in the next 24 hours?

Start with the appliance, then refuse to stop there.

First, confirm every customer-managed NetScaler ADC and NetScaler Gateway instance is on a fixed build. Citrix's security bulletin listed 14.1-43.56, 13.1-58.32, 13.1-37.235 for FIPS and NDcPP, and 12.1-55.328 for 12.1-FIPS as the fixed build floors. Also remember the two awkward cases: NetScaler 12.1 and 13.0 are end of life, and Secure Private Access on-prem or hybrid deployments using NetScaler instances also need upgrades.
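As an added example (mine, not the article's and not Citrix tooling), here is a small Python check that parses NetScaler build strings and compares them with the fixed build floors the bulletin lists, treating 12.1 standard and 13.0 as end of life. The variant labels, the exposed flag (meaning a Gateway or AAA virtual server is configured, the condition under which the bulletin says the flaw applies), the priority names and the inventory values are my own assumptions.

```python
import re

# Fixed build floors as listed in the Citrix bulletin quoted above.
# Key: (release branch, variant). "std" means the standard ADC/Gateway build.
FIXED_FLOORS = {
    ("14.1", "std"): (43, 56),
    ("13.1", "std"): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# Branches the bulletin calls end of life: no fixed build exists for them.
END_OF_LIFE = {"12.1", "13.0"}

BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build):
    """'14.1-43.56' -> ('14.1', 43, 56); anything else is rejected loudly."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(build, variant="std"):
    """Return 'fixed', 'vulnerable', 'end_of_life' or 'unknown_branch'."""
    branch, major, minor = parse_build(build)
    floor = FIXED_FLOORS.get((branch, variant))
    if floor is None:
        return "end_of_life" if branch in END_OF_LIFE else "unknown_branch"
    # "X and later" means the listed build or any higher build on that branch.
    return "fixed" if (major, minor) >= floor else "vulnerable"


def triage(inventory):
    """Map appliance name -> (status, priority).

    A fixed box still owes the session kill the bulletin asks for, so it is
    not closed out. A vulnerable box that fronts a Gateway or AAA vserver is
    P1; one that does not is P2 (patch anyway, the exposure can change).
    Priority labels are assumptions for illustration.
    """
    result = {}
    for app in inventory:
        status = assess(app["build"], app.get("variant", "std"))
        if status == "fixed":
            priority = "done_pending_session_kill"
        elif app.get("exposed", True):
            priority = "P1"
        else:
            priority = "P2"
        result[app["name"]] = (status, priority)
    return result


# Constructed inventory for demonstration; not a real environment.
INVENTORY = [
    {"name": "ns-gw-01", "build": "14.1-43.56", "exposed": True},
    {"name": "ns-gw-02", "build": "13.1-57.26", "exposed": True},
    {"name": "ns-fips-01", "build": "13.1-37.235", "variant": "FIPS", "exposed": True},
    {"name": "ns-lb-03", "build": "13.0-92.21", "exposed": False},
]

if __name__ == "__main__":
    for name, (status, priority) in triage(INVENTORY).items():
        print(f"{name:12} {status:15} {priority}")
```

Feed it the build strings your appliances report and treat anything other than "fixed" as an open ticket; the "unknown_branch" outcome is there so a branch the bulletin does not mention is flagged for a human rather than silently passed.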

Second, kill active ICA and PCoIP sessions after the full HA pair or cluster is upgraded. Do this as a tracked incident task, not a best-effort command pasted into a maintenance window. Record who ran it, when it ran, which appliances were covered, and which sessions were terminated.

Third, pull remote access logs into one view for at least the period starting June 17, 2025, then prioritize the last 30 days if your telemetry retention is short. Hunt for impossible or low-reputation access patterns: VPN logins from hosting providers, mismatches between expected broadband client IPs and source IPs, RDP from VPN ranges into domain controllers or hypervisors, and SMB activity that clusters around RMM installs.

Fourth, inventory RMM and remote admin software. You need an allowlist with owners, ticket references, and install dates. Anything else is suspicious. Arctic Wolf saw Anubis affiliates use multiple legitimate tools across reviewed intrusions, and the presence of several RMM products in a short window should be treated as a persistence pattern rather than normal IT variety.

Fifth, look for pre-encryption staging. That means C:\Users\Public, C:\PerfLogs, C:\Windows\Temp\netscan, user AppData, NAS paths such as /volume1/ and /volume2/, and cloud transfer tools such as rclone, s5cmd, WinSCP, PuTTY, and S3 Browser. Arctic Wolf reported S3 Browser, rclone, and s5cmd alongside RMM deployment, credential access, and security tool tampering in reviewed Anubis intrusions.

Sixth, harden drivers before you celebrate. Enable Microsoft's vulnerable driver blocklist where supported, validate App Control driver policies in audit mode before enforcement, and turn on the Defender Attack Surface Reduction rule that blocks abuse of exploited vulnerable signed drivers. Microsoft cautions that the ASR rule blocks writing vulnerable signed drivers to disk but does not stop an already present driver from loading, while the vulnerable driver blocklist or App Control policy can prevent existing blocked drivers from loading.

Seventh, rotate with prejudice. Prioritize NetScaler-connected admin accounts, VPN users with anomalous access, domain admins, backup operators, hypervisor admins, CI/CD tokens, cloud keys, and any credentials stored in browsers on administrator workstations. If that sounds expensive, compare it with restoring encrypted NAS volumes while explaining why MFA did not save a stolen session.

Which signals are worth alerting on before encryption?

Single indicators age quickly. Chains age slower.

The best alert here is a sequence: suspicious remote access, unusual RDP or SMB movement, unauthorized RMM deployment, credential access, security control tampering, exfiltration tooling, and staged ransomware execution. Arctic Wolf described that exact sequence as the key defensive pattern in the Anubis intrusions it reviewed.

Turn that into detections your team can actually run:

  • New RMM installation on a server, followed by PsExec service creation within 24 hours.
  • RDP from VPN client ranges into domain controllers, hypervisors, file servers, or backup servers outside approved admin windows.
  • Browser password export filenames such as Chrome Passwords.csv or Microsoft Edge Passwords.csv on servers.
  • ntds.dit copy activity followed quickly by archive creation, especially under unusual paths such as C:\audit\Active Directory\.
  • Cloud transfer tooling appearing on servers that have no business reason to run rclone, s5cmd, S3 Browser, WinSCP, or PuTTY.
  • Defender tamper events, log clearing, PCHunter artifacts, or attempted security agent uninstalls across multiple hosts.
  • Cloudflared, authenticated proxy tooling, or SSH dynamic forwarding from NAS or backup-adjacent systems.

Make the detections relational. A lone PuTTY binary is noise in many shops. PuTTY plus fresh RMM plus VPN login from a hosting ASN plus ntds.dit access is the house telling you the roof is on fire.
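To show what "relational" means in practice, here is an added Python example (mine, not Arctic Wolf's and not the article's) that labels constructed telemetry events with the stages of the sequence described above, scores how many distinct stages land inside one 24-hour window across all hosts, and checks two of the time-bounded pairs from the list: an RMM install followed by PsExec service creation within 24 hours on the same host, and an ntds.dit copy followed by archive creation within a minute. The event schema, field names, process image names, the 24-hour window and the four-stage alert threshold are assumptions; only the tool names and paths come from the article.

```python
from datetime import datetime, timedelta

# Stages of the sequence Arctic Wolf described, in attack order.
STAGES = ["access", "movement", "rmm", "credentials", "tampering", "exfil_tooling"]

# Image names are assumptions for the tools the article names (matched lower-case).
RMM_IMAGES = {"screenconnect.clientsetup.exe", "zohoassist.exe", "meshagent.exe",
              "remotely_agent.exe", "winvnc.exe"}
EXFIL_IMAGES = {"rclone.exe", "s5cmd.exe", "winscp.exe", "putty.exe", "s3browser.exe"}
SENSITIVE_ROLES = {"domain_controller", "hypervisor", "file_server", "backup_server"}

# Constructed sample telemetry normalised to one flat shape; these are not real logs.
EVENTS = [
    {"ts": "2026-06-01T01:02:00", "host": "srv-files01", "type": "vpn_login", "src_asn_type": "hosting"},
    {"ts": "2026-06-01T01:10:00", "host": "dc01", "type": "rdp_inbound", "src_zone": "vpn_clients", "dst_role": "domain_controller"},
    {"ts": "2026-06-01T01:25:00", "host": "srv-files01", "type": "process_start", "image": "ScreenConnect.ClientSetup.exe"},
    {"ts": "2026-06-01T03:40:00", "host": "srv-files01", "type": "service_install", "name": "PSEXESVC"},
    {"ts": "2026-06-01T04:05:00", "host": "dc01", "type": "file_create", "path": r"C:\audit\Active Directory\ntds.dit"},
    {"ts": "2026-06-01T04:05:40", "host": "dc01", "type": "file_create", "path": r"C:\audit\Active Directory.zip"},
    {"ts": "2026-06-01T04:20:00", "host": "srv-files01", "type": "process_start", "image": "rclone.exe"},
    {"ts": "2026-06-01T04:21:00", "host": "srv-files01", "type": "defender_tamper", "detail": "real-time protection disabled"},
    # Benign noise: an admin's PuTTY on a jump host with nothing else around it.
    {"ts": "2026-06-01T09:00:00", "host": "jump01", "type": "process_start", "image": "putty.exe"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def stage_of(ev):
    """Map one normalised event to a stage of the sequence, or None if it is not one."""
    t = ev["type"]
    if t == "vpn_login" and ev.get("src_asn_type") == "hosting":
        return "access"
    if t == "rdp_inbound" and ev.get("src_zone") == "vpn_clients" and ev.get("dst_role") in SENSITIVE_ROLES:
        return "movement"
    if t == "service_install" and ev.get("name", "").upper() == "PSEXESVC":
        return "movement"
    if t == "process_start":
        image = ev["image"].lower()
        if image in RMM_IMAGES:
            return "rmm"
        if image in EXFIL_IMAGES:
            return "exfil_tooling"
    if t == "file_create":
        path = ev["path"].lower()
        if path.endswith("ntds.dit") or path.endswith(" passwords.csv"):
            return "credentials"
    if t in {"defender_tamper", "log_cleared"}:
        return "tampering"
    return None


def paired_hits(events):
    """Same-host, time-bounded pairs that are strong enough to alert on alone."""
    hits = []
    ordered = sorted(events, key=_ts)
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            if second["host"] != first["host"]:
                continue
            gap = _ts(second) - _ts(first)
            # RMM install, then PsExec service creation within 24 hours.
            if (stage_of(first) == "rmm" and second.get("name", "").upper() == "PSEXESVC"
                    and gap <= timedelta(hours=24)):
                hits.append(f"rmm_then_psexec:{first['host']}")
            # ntds.dit copy, then an archive appearing within a minute.
            if (first.get("path", "").lower().endswith("ntds.dit")
                    and second.get("path", "").lower().endswith(".zip")
                    and gap <= timedelta(minutes=1)):
                hits.append(f"ntds_then_archive:{first['host']}")
    return hits


def best_chain(events, window=timedelta(hours=24)):
    """Largest set of distinct stages inside any sliding window, across all hosts."""
    staged = [(_ts(ev), stage_of(ev)) for ev in sorted(events, key=_ts) if stage_of(ev)]
    best = set()
    for i, (t0, _) in enumerate(staged):
        seen = {s for t, s in staged[i:] if t - t0 <= window}
        if len(seen) > len(best):
            best = seen
    return [s for s in STAGES if s in best]


def verdict(events, min_stages=4):
    """Alert when enough stages cluster together or a strong pair fires."""
    stages = best_chain(events)
    pairs = paired_hits(events)
    return {"stages": stages, "pairs": pairs, "alert": len(stages) >= min_stages or bool(pairs)}


if __name__ == "__main__":
    print(verdict(EVENTS))
    print(verdict([e for e in EVENTS if e["host"] == "jump01"]))
```

Run it and the full sample fires on all six stages plus both pairs, while the jump host's lone PuTTY scores one stage and stays quiet, which is the point of the paragraph above: the same binary is noise or evidence depending on what surrounds it in time.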

The edge box is now part of your identity perimeter

Citrix Bleed 2 is a useful reminder because it refuses to stay in the vulnerability management lane. The appliance bug is the opening move. The real campaign is a contest over sessions, credentials, admin tools, and backups.

If your organization treats NetScaler like a network device, you will patch it like a network device. If you treat it like part of the identity perimeter, you will rotate secrets, kill sessions, hunt RMM, and inspect the systems ransomware crews actually need to hurt you.

That second version is slower. It is also the one that matches the adversary.

Sources