>_ 0dayNews
ransomware
● Breaking

Anubis ransomware seen exploiting Citrix Bleed 2 for initial access

The Hacker News reports Anubis ransomware affiliates using Citrix Bleed 2 (CVE-2025-5777) to breach NetScaler-fronted environments, then pivoting with legitimate RMM tooling, BYOVD, and stolen supply-chain credentials.

airgap · Published · 3 min read

Confirmed reporting, not confirmed by Citrix. The Hacker News on July 2 reported that affiliates tied to the Anubis ransomware operation have been observed exploiting Citrix Bleed 2 — CVE-2025-5777 — as an initial-access vector against internet-facing NetScaler ADC and NetScaler Gateway appliances. Same story, second act. First Citrix Bleed (CVE-2023-4966) taught ransomware crews that a NetScaler memory-disclosure bug plus a valid session token is enough to walk past MFA. Citrix Bleed 2 is that lesson, one CVE year later.

What was reported

  • Initial access: exploitation of CVE-2025-5777 against unpatched NetScaler ADC / NetScaler Gateway appliances exposed to the internet. Confidence: high as reported; The Hacker News attributes it to threat intel on Anubis-affiliate activity. Vendor (Citrix) has not, as of this writing, published a fresh advisory on the ransomware angle beyond its existing bulletin for the CVE.
  • Post-access tradecraft: legitimate Remote Monitoring and Management (RMM) tooling, credential access, hands-on-keyboard lateral movement. The Hacker News summary calls out this pattern as common across affiliates even where the specifics differ.
  • Adjacent techniques: Bring-Your-Own-Vulnerable-Driver (BYOVD) for endpoint-defense evasion, and stolen supply-chain credentials as an alternative initial-access path. Not every intrusion uses all three; the point is the toolkit.

Why this one hurts

Citrix Bleed 2 is a memory-disclosure flaw in the NetScaler ADC / Gateway HTTP surface — the same class as the original Citrix Bleed. When exploited, it lets an unauthenticated attacker read back memory contents from the appliance, and in practice that memory holds live session tokens for authenticated users. The token is the whole thing. Once an attacker replays a valid session, MFA is not in the loop anymore — the second factor already fired for the legitimate user.

That’s the operational reality ransomware affiliates like Anubis are working with. They don’t need your password. They need one live token, one management interface exposed to the internet, and an unpatched build.
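The detection that follows from this is not "did someone fail MFA" but "is a session that already passed MFA now being used from somewhere it did not log in from". Below is an added example (mine, not from the article or from Citrix) that runs that check over a handful of constructed session records. The log layout, the field names and the use of a session identifier in place of the raw token are all assumptions; adapt the parser to whatever your NetScaler syslog or SIEM actually emits.

```python
"""Flag authenticated sessions that reappear from a new client network.

Added example, not from the article. Assumes a minimal, constructed log
format: one record per request with timestamp, session id (an opaque id,
never the token itself), username, client IP and event type.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample records; the field layout is an assumption.
# a1f3: logs in from one network, then is used from a different one.
# b7c2: moves within the same /24 (treated as benign roaming here).
# d4d4: is used without any login event in the window.
SAMPLE_LOG = """\
2025-07-02T08:01:10Z sess=a1f3 user=jdoe ip=203.0.113.10 event=login mfa=ok
2025-07-02T08:05:31Z sess=a1f3 user=jdoe ip=203.0.113.10 event=request
2025-07-02T08:09:02Z sess=a1f3 user=jdoe ip=198.51.100.77 event=request
2025-07-02T08:11:45Z sess=b7c2 user=asmith ip=192.0.2.40 event=login mfa=ok
2025-07-02T08:15:00Z sess=b7c2 user=asmith ip=192.0.2.41 event=request
2025-07-02T08:20:19Z sess=c9e8 user=mlee ip=192.0.2.55 event=login mfa=ok
2025-07-02T08:22:03Z sess=c9e8 user=mlee ip=192.0.2.55 event=request
2025-07-02T08:25:00Z sess=d4d4 user=jdoe ip=198.51.100.77 event=request
"""


def parse_line(line):
    """Turn one 'ts key=value key=value' record into a dict."""
    ts_text, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def same_prefix(ip_a, ip_b, prefix_len=24):
    """True if ip_a falls inside the /prefix_len network that contains ip_b."""
    return ip_address(ip_a) in ip_network(f"{ip_b}/{prefix_len}", strict=False)


def find_hijacked_sessions(log_text, prefix_len=24):
    """Return one alert per (session, client ip) that is used from outside the
    network the session logged in from, or for a session that never logged in
    within the log window. MFA was already satisfied at login, so neither case
    would trip an MFA-failure rule."""
    records = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda r: r["ts"],
    )
    anchor = {}      # session id -> its login record
    flagged = set()  # (session id, client ip) already reported
    alerts = []
    for rec in records:
        sess = rec["sess"]
        if rec.get("event") == "login":
            anchor[sess] = rec
            continue
        key = (sess, rec["ip"])
        if key in flagged:
            continue
        if sess not in anchor:
            # Token in use with no login seen: it was established elsewhere.
            flagged.add(key)
            alerts.append({"session": sess, "user": rec["user"],
                           "reason": "no_login_seen", "login_ip": None,
                           "new_ip": rec["ip"], "seconds_after_login": None})
            continue
        first = anchor[sess]
        if same_prefix(rec["ip"], first["ip"], prefix_len):
            continue  # same /24 as the login: roaming, not replay, in this model
        flagged.add(key)
        alerts.append({"session": sess, "user": rec["user"],
                       "reason": "new_network", "login_ip": first["ip"],
                       "new_ip": rec["ip"],
                       "seconds_after_login": int((rec["ts"] - first["ts"]).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_LOG):
        print(alert)
```

The /24 tolerance is a deliberate knob: corporate NAT pools and mobile carriers will move a legitimate user between neighbouring addresses, and tightening it to /32 mostly buys you helpdesk tickets. The "no login seen" branch is the more interesting one for a Bleed-style bug, since a siphoned token is by definition a session whose login happened before the attacker ever showed up.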

What to actually do

If you run NetScaler ADC or NetScaler Gateway, and you are behind on the vendor’s fixed builds for CVE-2025-5777:

  • Patch this week. Citrix’s advisory for CVE-2025-5777 lists the fixed builds — apply them across every appliance. See the Citrix security bulletin index for the current entry.
  • Terminate active ICA and PCoIP sessions after patching. This is the same post-patch instruction Citrix issued for Citrix Bleed 1: patching stops the bleed but does not invalidate tokens attackers already siphoned. Old sessions remain replayable until you kill them.
  • Rotate any credentials the appliance held or brokered. SAML signing keys, LDAP bind creds, service-account passwords used for backend auth — assume anything reachable from the box is reachable now.
  • Sweep your RMM inventory. If Anubis-adjacent tradecraft is landing in your environment, an authorized-looking RMM agent is likely how they persist. Confirm every deployed RMM instance is one you actually own.
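The RMM sweep is the step most teams do by eyeballing a spreadsheet, so here is an added example (mine, not from the article) that does the reconciliation mechanically: take an inventory export of installed services, pick out anything that looks like a remote-management product, and compare it against what the organisation actually sanctioned and where. The CSV layout, the product-name signatures and the allowlist are all constructed assumptions; the product names are illustrative, not a complete catalogue.

```python
"""Reconcile RMM agents seen on endpoints against the ones you actually own.

Added example, not from the article. Input is a constructed CSV export of
installed services (host, service name, binary path). The signature table
and the sanctioned list are assumptions to be replaced with local data.
"""
import csv
import io

# Lower-case substrings that identify common remote-management products in a
# service or binary name. Illustrative, not exhaustive.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "screenconnect": "ConnectWise ScreenConnect",
    "atera": "Atera",
    "splashtop": "Splashtop",
    "ninja": "NinjaOne",
}

# What the organisation deployed: product -> hosts allowed to run it.
# "*" means fleet-wide. Constructed for this example.
SANCTIONED = {
    "NinjaOne": {"*"},
    "ConnectWise ScreenConnect": {"helpdesk-01", "helpdesk-02"},
}

# Constructed inventory export. dc-02 carries the helpdesk tool it should not
# have, plus an unsanctioned product installed under a user profile.
SAMPLE_INVENTORY = """\
host,service,path
fs-01,NinjaRMMAgent,C:\\Program Files\\NinjaRMMAgent\\NinjaRMMAgent.exe
helpdesk-01,ScreenConnect Client,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
dc-02,ScreenConnect Client,C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
dc-02,AnyDesk,C:\\Users\\svc_backup\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe
ws-117,Spooler,C:\\Windows\\System32\\spoolsv.exe
"""


def classify_rmm(service, path):
    """Map a service name / binary path to a known RMM product, or None."""
    haystack = f"{service} {path}".lower()
    for needle, product in RMM_SIGNATURES.items():
        if needle in haystack:
            return product
    return None


def sweep(inventory_csv, sanctioned=SANCTIONED):
    """One finding per RMM agent in the inventory, with a verdict:
    ok, sanctioned_product_unexpected_host, or unsanctioned_product."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = classify_rmm(row["service"], row["path"])
        if product is None:
            continue
        allowed = sanctioned.get(product)
        if allowed is None:
            verdict = "unsanctioned_product"
        elif "*" in allowed or row["host"] in allowed:
            verdict = "ok"
        else:
            verdict = "sanctioned_product_unexpected_host"
        # An install under a user profile rather than Program Files is a
        # second signal worth surfacing alongside the verdict.
        user_profile_install = "\\users\\" in row["path"].lower()
        findings.append({"host": row["host"], "product": product,
                         "verdict": verdict,
                         "user_profile_install": user_profile_install})
    return findings


def needs_attention(findings):
    """Everything that is not a sanctioned product on a host allowed to run it."""
    return [f for f in findings if f["verdict"] != "ok"]


if __name__ == "__main__":
    for finding in needs_attention(sweep(SAMPLE_INVENTORY)):
        print(finding)
```

The host-scoped allowlist is the part that earns its keep: a helpdesk remote-access tool is legitimate on the helpdesk's own machines and a finding anywhere else, and a flat "is this product approved" check misses exactly that case.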

If your management interface is reachable from the public internet, that is the underlying problem this bug is exercising — patch or no patch. Same story as F5 iControl REST, the FortiOS/FortiProxy auth-bypass, and Ivanti Connect Secure’s chained zero-days before it.

Watching for

  • Citrix or CSIRT-level guidance specifically calling out Anubis TTPs against NetScaler estates. Unconfirmed at time of publication — treat accordingly.
  • A CISA update to the KEV entry for CVE-2025-5777 reflecting ransomware-associated exploitation. The CVE is already on the KEV catalog; an activity-based amendment would raise remediation urgency for federal civilian agencies.
  • Overlap between Anubis-affiliate infrastructure and the FortiBleed/Lynx credential-theft campaigns tracked by The Hacker News the same week. Multiple crews leaning on the same initial-access catalog is the pattern to watch.

Sourcing
