Hackers Can Exploit CitrixBleed 2 and Deploy Ransomware in Under an Hour


Hackers are exploiting the critical CitrixBleed 2 vulnerability to steal authenticated NetScaler sessions, enter Windows environments and deploy ransomware in less than an hour.

Huntress investigated six attacks against unrelated organizations between January and June 2026. The security company found a repeatable seven-stage attack chain that began with CVE-2025-5777 exploitation and ended with remote access, privilege escalation and, in the most advanced case, DragonForce ransomware.

In one incident detailed in the Huntress CitrixBleed 2 investigation, the attackers completed the exploitation process and deployed ransomware in under an hour. Rapid isolation limited encryption to a single host.

CitrixBleed 2 allows attackers to steal active sessions

CitrixBleed 2, tracked as CVE-2025-5777, is an out-of-bounds memory read vulnerability affecting certain NetScaler ADC and NetScaler Gateway appliances. It carries a critical CVSS score of 9.3.

The vulnerability affects appliances configured as a Gateway or AAA virtual server. An unauthenticated attacker can send specially crafted requests to a login endpoint and cause the appliance to return fragments of process memory.

Those fragments may contain valid session tokens belonging to users who have already completed password and multi-factor authentication checks. Citrix published affected versions and fixed releases in its CVE-2025-5777 security advisory.

Product branchVulnerable versionsFixed version
NetScaler ADC and Gateway 14.1Earlier than 14.1-43.5614.1-43.56 or later
NetScaler ADC and Gateway 13.1Earlier than 13.1-58.3213.1-58.32 or later
NetScaler ADC 13.1-FIPS and NDcPPEarlier than 13.1-37.23513.1-37.235 or later
NetScaler ADC 12.1-FIPSEarlier than 12.1-55.32812.1-55.328 or later

NetScaler ADC and Gateway versions 12.1 and 13.0 have reached end of life. Organizations still running those branches should move to a supported release rather than relying on an unavailable security update.

Malformed login requests can resemble password spraying

The initial CitrixBleed 2 traffic may look like a large password-spraying campaign. Huntress found thousands of failed login events generated by malformed requests sent to affected NetScaler authentication endpoints.

In one case, the appliance recorded 5,937 AAA LOGIN_FAILED events during a period of about five hours. The User fields contained binary and nonprintable data instead of plausible usernames.

Huntress reconstructed the values and found leaked heap memory, including HTTP headers, certificate information, internal IP addresses and traffic metadata. This activity matched the memory-overread behavior associated with CVE-2025-5777.

  • A high volume of malformed login requests reaches the NetScaler appliance.
  • Each request may expose a small fragment of adjacent process memory.
  • The attacker collects and searches the fragments for active session data.
  • A valid session token allows the attacker to impersonate an authenticated user.
  • The attacker enters the Citrix environment without completing a new login.

GreyNoise previously observed CitrixBleed 2 exploitation attempts beginning on June 23, 2025, nearly two weeks before public proof-of-concept details appeared on July 4.

Stolen sessions can bypass multi-factor authentication

Session theft makes the vulnerability especially dangerous because an attacker does not need the victimโ€™s password or a new multi-factor authentication approval.

In one Huntress case, a legitimate employee authenticated with LDAP and a one-time password from a known IP address at 13:07 UTC. Twenty-one minutes later, an attacker used the same session from a different IP address.

Investigators found no successful authentication from the attackerโ€™s address. The evidence indicated that the operator had stolen and replayed the employeeโ€™s existing session token.

EventObserved activity
Legitimate loginAn employee completed LDAP and MFA authentication from a recognized address
Session takeoverThe same authenticated session appeared from an attacker-controlled address 21 minutes later
Attacker authenticationNo successful login appeared for the attackerโ€™s address
Likely methodThe attacker replayed a session token exposed through the memory leak

Multi-factor authentication still protects the original login process, but it cannot stop an attacker who has already obtained a valid authenticated session. The NetScaler gateway treats the stolen token as proof that authentication has taken place.

Attackers follow a repeatable seven-stage playbook

Huntress observed similar behavior across six unrelated organizations. The victims operated in different industries and used different managed service providers, but the attacker reused account names, commands, tools and infrastructure.

The security company assesses with high confidence that an initial access broker is weaponizing CitrixBleed 2 and providing access that can lead to ransomware. However, Huntress could not determine whether the same operator directly deployed DragonForce or transferred access to a ransomware affiliate.

The seven-stage ransomware report describes the following attack sequence:

  1. Exploit CVE-2025-5777 to leak NetScaler memory.
  2. Steal and replay a legitimate userโ€™s authenticated session token.
  3. Enter the Windows environment through the Citrix gateway.
  4. Exploit a local privilege-escalation technique to gain SYSTEM access.
  5. Create rogue local administrator accounts.
  6. Install remote-management software and return through RDP.
  7. Perform reconnaissance, move through the network and deploy ransomware.

Some attacks stopped before the final stages because defenders isolated the affected systems. The most advanced incident reached DragonForce ransomware deployment and encrypted one host before responders contained it.

Privilege escalation gives attackers SYSTEM access

After entering the environment, the attackers used portable Windows privilege-escalation tools with names such as eng.exe, legal.exe, exsym.exe, as.exe and exp6.exe.

The tool created a registry symbolic link, triggered a Group Policy update and started the Windows Application Management service, known as AppMgmt. This process allowed it to obtain SYSTEM-level privileges.

The malware then created a local administrator account and removed some of the registry changes. Huntress repeatedly observed attacker-controlled accounts named ctxsvc, CtxAppVCOMService and test.

Attack stageObserved technique
Privilege escalationRegistry symbolic-link abuse combined with Group Policy and AppMgmt
Administrator accessCreation of rogue local administrator accounts
PersistenceScreenConnect, Zoho Assist and NetBird remote-access tools
Interactive accessRDP sessions using the newly created administrator accounts
Credential accessMimikatz and registry credential-dumping activity
RansomwareDragonForce executable stored as 1.exe

The attackers also used PsExec to open SYSTEM shells, ran reconnaissance commands and deployed Impacket tools against domain controllers. Microsoft Defender blocked some remote-execution and registry-dumping activity in one case.

Attackers install legitimate remote-access software

The operators installed ScreenConnect or Zoho Assist to maintain access after creating administrator accounts. These legitimate tools can blend into normal IT activity, especially in environments where remote support software is common.

Investigators also recovered attacker workstation names from Citrix printer-mapping events. Citrix sessions can automatically create client printer mappings that include the connecting computerโ€™s hostname.

Huntress repeatedly observed the hostnames WIN-4E0AP4JTJR9 and WIN-VI960VQI4I6. Organizations should compare unusual printer-mapping events with Citrix session records and remote-access activity.

  • Unexpected ScreenConnect installers named Us.msi or SC.msi
  • A Zoho Assist installer named za.msi
  • Password-protected archives named asas.zip, ex.zip or update.zip
  • Connections to unfamiliar ScreenConnect or NetBird relay infrastructure
  • RDP activity involving newly created administrator accounts

Security teams should not treat every listed account or filename as proof of compromise. Names such as test may exist legitimately, so responders must compare findings with account creation times, login activity and administrator records.

Patching does not invalidate stolen sessions

Installing a fixed NetScaler version stops new exploitation of CVE-2025-5777, but patching alone may not remove an attacker who already stole a valid session token.

Citrix advises customers to terminate active ICA and PCoIP sessions after upgrading. Administrators should also remove persistent authentication cookies so users must authenticate again.

The companyโ€™s NetScaler security bulletin lists the fixed builds and includes commands for terminating sessions. Organizations must confirm that every node in a high-availability pair or cluster received the update.

  1. Upgrade affected NetScaler ADC and Gateway appliances to a fixed release.
  2. Terminate all active ICA and PCoIP sessions.
  3. Delete persistent authentication cookies.
  4. Confirm that every appliance and cluster node runs the corrected build.
  5. Review access logs for exploitation that occurred before patching.

Organizations using end-of-life NetScaler versions should replace them with supported releases. Unsupported appliances may remain exposed because Citrix no longer provides security fixes for those branches.

NetScaler logs can reveal exploitation attempts

Defenders should preserve NetScaler logs as soon as they suspect exploitation. Local logs rotate quickly and may erase the evidence needed to reconstruct malformed requests, memory leakage and session hijacking.

Huntress recommends forwarding NetScaler logs to a SIEM or another central logging system. Security teams should search for failed-login bursts containing binary or nonprintable characters in the User field.

Predictability and clustered behavior often presents the smoking gun for initial access (Source – Huntress)

They should also look for authenticated sessions that appear from unfamiliar IP addresses without a matching successful login. This pattern may indicate that an attacker replayed a stolen token.

  • Large bursts of AAA LOGIN_FAILED events
  • Empty login parameters in authentication requests
  • Binary or nonprintable data appearing as usernames
  • Sessions from new IP addresses without corresponding successful logins
  • Diagnostic messages about unencrypted login requests or missing X.509 certificates
  • Unexpected Citrix printer mappings revealing unfamiliar hostnames

The presence of a single diagnostic message does not confirm exploitation. Huntress said responders should correlate the messages with malformed login floods, leaked data and sessions that lack a corresponding authentication event.

CitrixBleed 2 has a history of active exploitation

GreyNoise detected targeting activity before researchers publicly released exploit details. The company observed malicious IP addresses sending requests to sensors designed to resemble vulnerable NetScaler appliances.

The activity began on June 23, 2025. GreyNoise published a tracking tag on July 7, and CISA later confirmed the exploitation activity before adding CVE-2025-5777 to its Known Exploited Vulnerabilities catalog.

The GreyNoise exploitation analysis found that the early requests targeted NetScaler-specific sensors rather than scanning every available internet service.

CISAโ€™s Known Exploited Vulnerabilities catalog identifies flaws that attackers have used in real-world incidents. Federal civilian agencies must remediate listed vulnerabilities by their assigned deadlines.

Private organizations do not face the same federal mandate, but the catalog provides a strong signal that administrators should prioritize the vulnerability over flaws with no evidence of exploitation.

Citrix appliance ns.log entries (Source – Huntress)

Organizations should use the CISA KEV catalog alongside vendor advisories, asset inventories and threat intelligence when setting patching priorities.

Indicators of compromise linked to the attacks

Huntress published account names, filenames, hashes, command lines and network infrastructure associated with the intrusion cluster. Defenders can use these indicators to support threat hunting, but they should also search for behavioral signs because attackers can easily change names and domains.

TypeIndicatorDescription
AccountctxsvcLocal administrator account used by the attacker
AccountCtxAppVCOMServiceLocal administrator account used by the attacker
AccounttestObserved attacker account, but may also be legitimate
HostnameWIN-4E0AP4JTJR9Attacker workstation name found in printer-mapping events
HostnameWIN-VI960VQI4I6Attacker workstation name found in printer-mapping events
Privilege-escalation toolseng.exe, legal.exe, exsym.exe, as.exe, exp6.exeNames used for portable privilege-escalation files
ScreenConnect installersUs.msi, SC.msiRemote-management software installers
Zoho Assist installerza.msiRemote-support software installer
Archive filesasas.zip, ex.zip, *_update.zipPassword-protected archives downloaded from temp.sh
Ransomware1.exeDragonForce ransomware executable
SHA-256c84739655ce1af0a0269138263d47567418f69e0f75e249f8e23bc21802209e2Privilege-escalation tool
SHA-256eb083365dc70d0294e8c4f55a2e78be0edb0f3497f2a06a70c9f474dafab48d8Privilege-escalation tool
SHA-256c4fcae3847946173bf0b3cedf5d97a9e3d18090023842f942ba544fa7fda180dDragonForce ransomware
Domainrelay.dltsolutions[.]topScreenConnect relay
Domainrelay.eurofin[.]digitalScreenConnect relay
Domainvtps[.]usScreenConnect relay
Domainopa[.]tlsd[.]shopNetBird relay

Organizations must combine patching with incident response

Any organization that exposed a vulnerable NetScaler gateway to the internet should treat the appliance as potentially compromised, especially when logs show unusual authentication failures or unexplained session activity.

Administrators should patch immediately, terminate existing sessions and preserve all available evidence. Endpoint teams should inspect connected Windows systems for rogue accounts, remote-access tools, privilege-escalation commands and ransomware artifacts.

The observed speed of the attacks leaves little room for delayed containment. Once an attacker hijacks a valid Citrix session, the operation can move from gateway access to SYSTEM privileges, persistent remote control and ransomware deployment within minutes.

FAQ

What is CitrixBleed 2?

CitrixBleed 2 is the name given to CVE-2025-5777, a critical memory disclosure vulnerability affecting certain NetScaler ADC and NetScaler Gateway appliances. Attackers can exploit it before authentication and may recover active session tokens from leaked memory.

Can CitrixBleed 2 bypass multi-factor authentication?

The vulnerability does not directly break multi-factor authentication. However, an attacker who steals a valid session token can reuse a session after the legitimate user has already completed password and MFA checks.

How quickly can CitrixBleed 2 lead to ransomware?

Huntress observed one intrusion in which an attacker gained access, completed exploitation and deployed DragonForce ransomware in less than an hour. Other attacks stopped earlier after defenders detected and isolated affected systems.

Is patching NetScaler enough to remove the threat?

No. Patching prevents new exploitation, but previously stolen session tokens may remain valid. Administrators should terminate active sessions, remove persistent authentication cookies and investigate connected systems for signs of compromise.

What should administrators search for in NetScaler logs?

Administrators should look for large bursts of failed logins, empty login parameters, binary or nonprintable username values, sessions from unfamiliar IP addresses and authenticated sessions that have no matching successful login event.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages