I expect technical details of CVE-2025-5777 exploitation to become available next week.
Further suggestions that CVE-2025-5777 details will be released next week. https://xcancel.com/Horizon3Attack/status/1940879804221522279 via https://horizon3.ai
I've heard that Citrix are complaining me billing this CitrixBleed 2 is causing them reputational damage, and isn't related in any way to CitrixBleed.
For the record - it was a dumb joke name to attract attention for patching. I know it isn't exactly the same cause.
But, ya know, it is a memory disclosure vuln which reveals sensitive info, and it does require ICA sessions be reset... which only happened before with CitrixBleed.
Ultra spicy post claiming to be from UK retailer employee (M&S or Co-op) about their experience with TCS on their security incident. https://www.reddit.com/r/cybersecurity/comments/1ll1l6c/scattered_spider_tcs_blame_avoidance/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button
Marks and Spencer's CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.
They are also rebuilding internal systems and hope a majority of that will be done by August.
Lesson: mass contain early. M&S didnβt. Co-op did.
https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/
If you see this GitHub PoC for CVE-2025-5777 doing the rounds:
https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
It's not for CVE-2025-5777. It's AI generated. The links in the README still have ChatGPT UTM sources.
The PoC itself is for a vuln addressed in 2023 - ChatGPT has hallucinated (made up) the cause of the vuln using an old BishopFox write-up of the other vuln.
Evidence if anybody cares
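As an added check for the tell described in the post above (this is example code, not from any of the posts and not from the PoC repository), the script below scans a README for links whose utm_source query parameter names ChatGPT. The README fragment and the list of UTM source values it matches on are constructed assumptions, not taken from the repo.

```python
"""Flag README links whose UTM tracking parameters point back at ChatGPT.

Added example, not from the original posts. Assumes the tell described in
the post: links copied out of a chat session keep query strings such as
utm_source=chatgpt.com. The README text below is constructed, not a real repo.
"""
import re
from urllib.parse import urlparse, parse_qs

# Matches http(s) URLs up to whitespace or a closing bracket/quote.
URL_RE = re.compile(r"""https?://[^\s)\]>"']+""")

# utm_source values that identify a link copied out of a ChatGPT answer
# (assumed list; extend as needed).
AI_UTM_SOURCES = {"chatgpt.com", "chatgpt"}


def extract_urls(text: str) -> list[str]:
    """Return every http(s) URL in text, in order of appearance."""
    return URL_RE.findall(text)


def ai_sourced_links(text: str) -> list[str]:
    """Return the URLs whose utm_source query parameter names ChatGPT."""
    flagged = []
    for url in extract_urls(text):
        query = parse_qs(urlparse(url).query)
        sources = {s.lower() for s in query.get("utm_source", [])}
        if sources & AI_UTM_SOURCES:
            flagged.append(url)
    return flagged


def looks_ai_generated(text: str, threshold: int = 1) -> bool:
    """Heuristic verdict: at least `threshold` links carry a ChatGPT UTM source."""
    return len(ai_sourced_links(text)) >= threshold


# Constructed README fragment mimicking the pattern described in the post.
SAMPLE_README = """\
# CVE-2025-5777 PoC (constructed sample)

Background: https://example.invalid/advisory?utm_source=chatgpt.com
Reference: https://example.invalid/old-writeup
Docs: https://example.invalid/kb?id=1&utm_source=chatgpt.com&utm_medium=chat
"""

if __name__ == "__main__":
    for url in ai_sourced_links(SAMPLE_README):
        print("ChatGPT-sourced link:", url)
    print("looks AI generated:", looks_ai_generated(SAMPLE_README))
```

Point it at a cloned repo's README.md; a hit is a reason to read the PoC against the actual advisory rather than trust it, not proof on its own, since authors can also paste links from a chat session into otherwise genuine work.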
Citrix blog on CVE-2025-5777 and some other ones https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/
Latest Marks and Spencer update is pretty crazy.
M&S haven't been able to supply sales data - so the British Retail Consortium (BRC) - used by the UK government as an economic indicator - basically made up figures for M&S and didn't tell people they had done this.
https://www.telegraph.co.uk/business/2025/06/24/retail-lobby-group-accused-of-ms-cyber-cover-up/
ReliaQuest are reporting with medium confidence that CitrixBleed2, Electric Boogaloo, is being exploited in the wild HT @CyberLeech@cyberplace.social https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/
My view on that is I don't have the data to back it up (because Citrix haven't provided any way to identify exploitation, including to customers), but if true and the threat actor is running those tools with that provider, it's probably a ransomware group again.
NHS Digital's cyber alert database has been updated too. https://digital.nhs.uk/cyber-alerts/2025/cc-4670
I highly recommend bookmarking this site for the alerts, they're really good at filtering noise:
https://digital.nhs.uk/cyber-alerts
E.g. if you select 'high' category, there's only one a month on average