Brutkey

Kevin Beaumont
@GossiTheDog@cyberplace.social

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

Kevin Beaumont
@GossiTheDog@cyberplace.social

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right are the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

Kevin Beaumont
@GossiTheDog@cyberplace.social

CISA have modified the CVE-2025-5777 entry to link to my blog 🙌🙌 I'm hoping this gets more visibility as a bunch of us can see from Netflow ongoing threat actor Netscaler sessions to.. sensitive orgs.

Kevin Beaumont
@GossiTheDog@cyberplace.social

After almost 3 months, Marks and Spencer's recruitment system came back online just now. First 4 jobs posted.

Kevin Beaumont
@GossiTheDog@cyberplace.social

If you ever doubted the link between Scattered Spider(tm) and LAPSUS$ - one of the people arrested today was a key part of the LAPSUS$ attacks a few years ago.

Kevin Beaumont
@GossiTheDog@cyberplace.social

Marks and Spencer's CEO says half of their online ordering is still offline after their ransomware incident, they hope to get open in next 4 weeks.

They are also rebuilding internal systems and hope a majority of that will be done by August.

Lesson: mass contain early. M&S didn’t. Co-op did.

https://www.reuters.com/business/retail-consumer/ms-ceo-most-cyberattack-impact-will-be-behind-us-by-august-2025-07-01/

Kevin Beaumont
@GossiTheDog@cyberplace.social

A 17-year-old and two 19-year-old teens picked up over Co-op and M&S hacks, and a 20-year-old woman.

Pretend to be surprised.

https://www.bbc.com/news/articles/cwykgrv374eo

Kevin Beaumont
@GossiTheDog@cyberplace.social

“Citrix declined to say if it's aware of active exploitation”

It is aware.
https://arstechnica.com/security/2025/07/critical-citrixbleed-2-vulnerability-has-been-under-active-exploit-for-weeks/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Kevin Beaumont
@GossiTheDog@cyberplace.social

There's 7 more IPs on GreyNoise exploiting CitrixBleed 2 today, all marked as malicious. https://viz.greynoise.io/query/tags:%22CitrixBleed%202%20CVE-2025-5777%20Attempt%22%20last_seen:90d

Kevin Beaumont
@GossiTheDog@cyberplace.social

I wrote up a thing on how to hunt for CitrixBleed 2 exploitation

https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71

Kevin Beaumont
@GossiTheDog@cyberplace.social

Exploitation IOCs for CVE-2025-5777 aka CitrixBleed 2, these are actively stealing sessions to bypass MFA for almost a month. Some are also doing Netscaler fingerprint scanning first.

HT
@ntkramer@infosec.exchange and the folks at @greynoise@infosec.exchange

Look for lots of connections to your Netscaler devices over past 30 days. More IPs coming as also under mass exploitation. More IPs:
https://viz.greynoise.io/tags/citrixbleed-2-cve-2025-5777-attempt?days=30

Kevin Beaumont
@GossiTheDog@cyberplace.social

More from @greynoise@infosec.exchange telemetry - they now push CVE-2025-5777 (CitrixBleed 2) exploitation to June 23rd. I can push it back further, blog incoming.