If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they've sent you an unrelated script, which has nothing to do with session hijacking or memory overread.
Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
It's down from 24% unpatched to 17% unpatched
The results are partial still, the actual numbers still vuln will be higher.
Set up lab of Netscalers just now & owned them.
Two learnings:
1) the default logging isn't enough to know if you've been exploited. So if you're wondering where the victims are, they don't know they're victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.
2) the Citrix instructions post patch to clear sessions don't include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.
CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.
https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2
Updated CitrixBleed2 scan results of vuln/not vuln
https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.
38.154.237.100
38.54.59.96
#threatintel
This is how Citrix are styling Citrix Bleed 2 btw. In the blog there's no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.
From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.
CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.
Citrix are still declining to comment about evidence of exploitation as of writing.
https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog
https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
After almost 3 months, Marks and Spencer recruitment system came back online just now. First 4 jobs posted.
. @briankrebs@infosec.exchange has broken the story that the key member (and teenager) of LAPSUS$ runs Scattered Spider
https://krebsonsecurity.com/2025/07/uk-charges-four-in-scattered-spider-ransom-group/