Hackers Can Exploit CitrixBleed 2 and Deploy Ransomware in Under an Hour
Hackers are exploiting the critical CitrixBleed 2 vulnerability to steal authenticated NetScaler sessions, enter Windows environments and deploy ransomware in less than an hour.
Huntress investigated six attacks against unrelated organizations between January and June 2026. The security company found a repeatable seven-stage attack chain that began with CVE-2025-5777 exploitation and ended with remote access, privilege escalation and, in the most advanced case, DragonForce ransomware.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
In one incident detailed in the Huntress CitrixBleed 2 investigation, the attackers completed the exploitation process and deployed ransomware in under an hour. Rapid isolation limited encryption to a single host.
CitrixBleed 2 allows attackers to steal active sessions
CitrixBleed 2, tracked as CVE-2025-5777, is an out-of-bounds memory read vulnerability affecting certain NetScaler ADC and NetScaler Gateway appliances. It carries a critical CVSS score of 9.3.
The vulnerability affects appliances configured as a Gateway or AAA virtual server. An unauthenticated attacker can send specially crafted requests to a login endpoint and cause the appliance to return fragments of process memory.
Those fragments may contain valid session tokens belonging to users who have already completed password and multi-factor authentication checks. Citrix published affected versions and fixed releases in its CVE-2025-5777 security advisory.
| Product branch | Vulnerable versions | Fixed version |
|---|---|---|
| NetScaler ADC and Gateway 14.1 | Earlier than 14.1-43.56 | 14.1-43.56 or later |
| NetScaler ADC and Gateway 13.1 | Earlier than 13.1-58.32 | 13.1-58.32 or later |
| NetScaler ADC 13.1-FIPS and NDcPP | Earlier than 13.1-37.235 | 13.1-37.235 or later |
| NetScaler ADC 12.1-FIPS | Earlier than 12.1-55.328 | 12.1-55.328 or later |
NetScaler ADC and Gateway versions 12.1 and 13.0 have reached end of life. Organizations still running those branches should move to a supported release rather than relying on an unavailable security update.
Malformed login requests can resemble password spraying
The initial CitrixBleed 2 traffic may look like a large password-spraying campaign. Huntress found thousands of failed login events generated by malformed requests sent to affected NetScaler authentication endpoints.
In one case, the appliance recorded 5,937 AAA LOGIN_FAILED events during a period of about five hours. The User fields contained binary and nonprintable data instead of plausible usernames.
Huntress reconstructed the values and found leaked heap memory, including HTTP headers, certificate information, internal IP addresses and traffic metadata. This activity matched the memory-overread behavior associated with CVE-2025-5777.
- A high volume of malformed login requests reaches the NetScaler appliance.
- Each request may expose a small fragment of adjacent process memory.
- The attacker collects and searches the fragments for active session data.
- A valid session token allows the attacker to impersonate an authenticated user.
- The attacker enters the Citrix environment without completing a new login.
GreyNoise previously observed CitrixBleed 2 exploitation attempts beginning on June 23, 2025, nearly two weeks before public proof-of-concept details appeared on July 4.
Stolen sessions can bypass multi-factor authentication
Session theft makes the vulnerability especially dangerous because an attacker does not need the victimโs password or a new multi-factor authentication approval.
In one Huntress case, a legitimate employee authenticated with LDAP and a one-time password from a known IP address at 13:07 UTC. Twenty-one minutes later, an attacker used the same session from a different IP address.
Investigators found no successful authentication from the attackerโs address. The evidence indicated that the operator had stolen and replayed the employeeโs existing session token.
| Event | Observed activity |
|---|---|
| Legitimate login | An employee completed LDAP and MFA authentication from a recognized address |
| Session takeover | The same authenticated session appeared from an attacker-controlled address 21 minutes later |
| Attacker authentication | No successful login appeared for the attackerโs address |
| Likely method | The attacker replayed a session token exposed through the memory leak |
Multi-factor authentication still protects the original login process, but it cannot stop an attacker who has already obtained a valid authenticated session. The NetScaler gateway treats the stolen token as proof that authentication has taken place.
Attackers follow a repeatable seven-stage playbook
Huntress observed similar behavior across six unrelated organizations. The victims operated in different industries and used different managed service providers, but the attacker reused account names, commands, tools and infrastructure.
The security company assesses with high confidence that an initial access broker is weaponizing CitrixBleed 2 and providing access that can lead to ransomware. However, Huntress could not determine whether the same operator directly deployed DragonForce or transferred access to a ransomware affiliate.
The seven-stage ransomware report describes the following attack sequence:
- Exploit CVE-2025-5777 to leak NetScaler memory.
- Steal and replay a legitimate userโs authenticated session token.
- Enter the Windows environment through the Citrix gateway.
- Exploit a local privilege-escalation technique to gain SYSTEM access.
- Create rogue local administrator accounts.
- Install remote-management software and return through RDP.
- Perform reconnaissance, move through the network and deploy ransomware.
Some attacks stopped before the final stages because defenders isolated the affected systems. The most advanced incident reached DragonForce ransomware deployment and encrypted one host before responders contained it.
Privilege escalation gives attackers SYSTEM access
After entering the environment, the attackers used portable Windows privilege-escalation tools with names such as eng.exe, legal.exe, exsym.exe, as.exe and exp6.exe.
The tool created a registry symbolic link, triggered a Group Policy update and started the Windows Application Management service, known as AppMgmt. This process allowed it to obtain SYSTEM-level privileges.
The malware then created a local administrator account and removed some of the registry changes. Huntress repeatedly observed attacker-controlled accounts named ctxsvc, CtxAppVCOMService and test.
| Attack stage | Observed technique |
|---|---|
| Privilege escalation | Registry symbolic-link abuse combined with Group Policy and AppMgmt |
| Administrator access | Creation of rogue local administrator accounts |
| Persistence | ScreenConnect, Zoho Assist and NetBird remote-access tools |
| Interactive access | RDP sessions using the newly created administrator accounts |
| Credential access | Mimikatz and registry credential-dumping activity |
| Ransomware | DragonForce executable stored as 1.exe |
The attackers also used PsExec to open SYSTEM shells, ran reconnaissance commands and deployed Impacket tools against domain controllers. Microsoft Defender blocked some remote-execution and registry-dumping activity in one case.
Attackers install legitimate remote-access software
The operators installed ScreenConnect or Zoho Assist to maintain access after creating administrator accounts. These legitimate tools can blend into normal IT activity, especially in environments where remote support software is common.
Investigators also recovered attacker workstation names from Citrix printer-mapping events. Citrix sessions can automatically create client printer mappings that include the connecting computerโs hostname.
Huntress repeatedly observed the hostnames WIN-4E0AP4JTJR9 and WIN-VI960VQI4I6. Organizations should compare unusual printer-mapping events with Citrix session records and remote-access activity.
- Unexpected ScreenConnect installers named Us.msi or SC.msi
- A Zoho Assist installer named za.msi
- Password-protected archives named asas.zip, ex.zip or update.zip
- Connections to unfamiliar ScreenConnect or NetBird relay infrastructure
- RDP activity involving newly created administrator accounts
Security teams should not treat every listed account or filename as proof of compromise. Names such as test may exist legitimately, so responders must compare findings with account creation times, login activity and administrator records.
Patching does not invalidate stolen sessions
Installing a fixed NetScaler version stops new exploitation of CVE-2025-5777, but patching alone may not remove an attacker who already stole a valid session token.
Citrix advises customers to terminate active ICA and PCoIP sessions after upgrading. Administrators should also remove persistent authentication cookies so users must authenticate again.
The companyโs NetScaler security bulletin lists the fixed builds and includes commands for terminating sessions. Organizations must confirm that every node in a high-availability pair or cluster received the update.
- Upgrade affected NetScaler ADC and Gateway appliances to a fixed release.
- Terminate all active ICA and PCoIP sessions.
- Delete persistent authentication cookies.
- Confirm that every appliance and cluster node runs the corrected build.
- Review access logs for exploitation that occurred before patching.
Organizations using end-of-life NetScaler versions should replace them with supported releases. Unsupported appliances may remain exposed because Citrix no longer provides security fixes for those branches.
NetScaler logs can reveal exploitation attempts
Defenders should preserve NetScaler logs as soon as they suspect exploitation. Local logs rotate quickly and may erase the evidence needed to reconstruct malformed requests, memory leakage and session hijacking.
Huntress recommends forwarding NetScaler logs to a SIEM or another central logging system. Security teams should search for failed-login bursts containing binary or nonprintable characters in the User field.

They should also look for authenticated sessions that appear from unfamiliar IP addresses without a matching successful login. This pattern may indicate that an attacker replayed a stolen token.
- Large bursts of AAA LOGIN_FAILED events
- Empty login parameters in authentication requests
- Binary or nonprintable data appearing as usernames
- Sessions from new IP addresses without corresponding successful logins
- Diagnostic messages about unencrypted login requests or missing X.509 certificates
- Unexpected Citrix printer mappings revealing unfamiliar hostnames
The presence of a single diagnostic message does not confirm exploitation. Huntress said responders should correlate the messages with malformed login floods, leaked data and sessions that lack a corresponding authentication event.
CitrixBleed 2 has a history of active exploitation
GreyNoise detected targeting activity before researchers publicly released exploit details. The company observed malicious IP addresses sending requests to sensors designed to resemble vulnerable NetScaler appliances.
The activity began on June 23, 2025. GreyNoise published a tracking tag on July 7, and CISA later confirmed the exploitation activity before adding CVE-2025-5777 to its Known Exploited Vulnerabilities catalog.
The GreyNoise exploitation analysis found that the early requests targeted NetScaler-specific sensors rather than scanning every available internet service.
CISAโs Known Exploited Vulnerabilities catalog identifies flaws that attackers have used in real-world incidents. Federal civilian agencies must remediate listed vulnerabilities by their assigned deadlines.
Private organizations do not face the same federal mandate, but the catalog provides a strong signal that administrators should prioritize the vulnerability over flaws with no evidence of exploitation.

Organizations should use the CISA KEV catalog alongside vendor advisories, asset inventories and threat intelligence when setting patching priorities.
Indicators of compromise linked to the attacks
Huntress published account names, filenames, hashes, command lines and network infrastructure associated with the intrusion cluster. Defenders can use these indicators to support threat hunting, but they should also search for behavioral signs because attackers can easily change names and domains.
| Type | Indicator | Description |
|---|---|---|
| Account | ctxsvc | Local administrator account used by the attacker |
| Account | CtxAppVCOMService | Local administrator account used by the attacker |
| Account | test | Observed attacker account, but may also be legitimate |
| Hostname | WIN-4E0AP4JTJR9 | Attacker workstation name found in printer-mapping events |
| Hostname | WIN-VI960VQI4I6 | Attacker workstation name found in printer-mapping events |
| Privilege-escalation tools | eng.exe, legal.exe, exsym.exe, as.exe, exp6.exe | Names used for portable privilege-escalation files |
| ScreenConnect installers | Us.msi, SC.msi | Remote-management software installers |
| Zoho Assist installer | za.msi | Remote-support software installer |
| Archive files | asas.zip, ex.zip, *_update.zip | Password-protected archives downloaded from temp.sh |
| Ransomware | 1.exe | DragonForce ransomware executable |
| SHA-256 | c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2 | Privilege-escalation tool |
| SHA-256 | eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8 | Privilege-escalation tool |
| SHA-256 | c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180d | DragonForce ransomware |
| Domain | relay.dltsolutions[.]top | ScreenConnect relay |
| Domain | relay.eurofin[.]digital | ScreenConnect relay |
| Domain | vtps[.]us | ScreenConnect relay |
| Domain | opa[.]tlsd[.]shop | NetBird relay |
Organizations must combine patching with incident response
Any organization that exposed a vulnerable NetScaler gateway to the internet should treat the appliance as potentially compromised, especially when logs show unusual authentication failures or unexplained session activity.
Administrators should patch immediately, terminate existing sessions and preserve all available evidence. Endpoint teams should inspect connected Windows systems for rogue accounts, remote-access tools, privilege-escalation commands and ransomware artifacts.
The observed speed of the attacks leaves little room for delayed containment. Once an attacker hijacks a valid Citrix session, the operation can move from gateway access to SYSTEM privileges, persistent remote control and ransomware deployment within minutes.
FAQ
CitrixBleed 2 is the name given to CVE-2025-5777, a critical memory disclosure vulnerability affecting certain NetScaler ADC and NetScaler Gateway appliances. Attackers can exploit it before authentication and may recover active session tokens from leaked memory.
The vulnerability does not directly break multi-factor authentication. However, an attacker who steals a valid session token can reuse a session after the legitimate user has already completed password and MFA checks.
Huntress observed one intrusion in which an attacker gained access, completed exploitation and deployed DragonForce ransomware in less than an hour. Other attacks stopped earlier after defenders detected and isolated affected systems.
No. Patching prevents new exploitation, but previously stolen session tokens may remain valid. Administrators should terminate active sessions, remove persistent authentication cookies and investigate connected systems for signs of compromise.
Administrators should look for large bursts of failed logins, empty login parameters, binary or nonprintable username values, sessions from unfamiliar IP addresses and authenticated sessions that have no matching successful login event.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages