Kevin Beaumontwe gettin' there!
Kevin BeaumontThis bit is still incomplete in the patching instructions btw - if it's a HA pair you need to additionally reset other session types or you're still vulnerable to session hijack after patching.
I'm still trying to get Citrix to update the instructions.
Kevin BeaumontThe Dutch Public Prosecution Office have shut down their Citrix Netscaler and removed all internet access, Dutch media speculating CitrixBleed 2 exploitation.
https://www.techzine.eu/news/security/133163/dutch-department-of-justice-offline-after-citrix-vulnerability/
Justice minister David van Weel told MPs in a briefing that it appears the weakness had been used by third parties to access the department systems.
The justice ministry said the department had applied Citrixβs recommended patches, but these failed to fully eliminate the flaw. https://www.dutchnews.nl/2025/07/prosecution-department-goes-offline-due-to-software-weakness/
Kevin BeaumontAgain to reiterate the point in the thread - Citrixβs patching instructions donβt include - for example - resetting AAA sessions when AAA cookies are stealable with the vulnerability. So weβre going to see orgs caught with Citrixβs pants down.
Kevin BeaumontHereβs the Dutch gov letter and my translation.
Kevin Beaumont
Kevin BeaumontUpdate on the situation at The Hague and the shutdown of the Dutch Public Prosecution Service internet access, NCSC Netherlands issued an update today saying all orgs should hunt for CitrixBleed 2 activity, citing my blog.
They also advise clearing all session types, not just the ones Citrix say in their security advisory.
https://advisories.ncsc.nl/advisory?id=NCSC-2025-0196
Kevin BeaumontUpdated #CitrixBleed2 scans https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
Fields - IP, SSL certification hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777
I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.
Kevin BeaumontI've been working with @shadowserver@infosec.exchange btw, their scan results for #CitrixBleed2 now show far more vulnerable systems. Their scanning is independent of mine, logic is improving, more orgs will get notifications. I'm going to try getting victims for notification across too.
Kevin BeaumontI might move the Dutch Public Prosecution Service (OM) Citrix Netscaler incident out to a different thread, but the latest update an hour ago from local media is that they are still without internet and remote access, and they're working on several alternatives to continue criminal trials.
I expect we're going to see a wave of Netscaler incidents over the coming months, although how many will publicly disclose is another issue - the Dutch are culturally transparent.
https://nltimes.nl/2025/07/18/dutch-prosecutor-disconnects-internal-systems-internet-vulnerability
Kevin BeaumontThe Canadian government cyber centre are this weekend recommending all orgs review historic logs for #CitrixBleed2 compromise, and reset all user sessions https://www.cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543
Kevin BeaumontThe Dutch Public Prosecution Service (OM), which took their systems offline due to #CitrixBleed2 on Friday, are saying they will be offline for weeks. https://nos.nl/artikel/2575857 HT @moartn@tacobelllabs.net
Kevin BeaumontThereβs a bit more in situation at the OM on Netscaler here: https://www.volkskrant.nl/binnenland/openbaar-ministerie-mogelijk-nog-weken-afgesloten-van-internet-probeert-impact-op-rechtszaken-te-beperken~b6e19434/
The OM say they patched quickly (and my scan data backs this up - they patched around June 24th) however it appears somebody got in (or took a session cookie) before patching took place and now theyβre trying to contain the situation.
Kevin BeaumontThe NCSC are strongly advising orgs to follow the advice on my blog re #CitrixBleed2, in hindsight I probably shouldnβt have drawn the logo in MSPaint and titled a section βChina goes brrrrβ.
Kevin BeaumontI think this thread exposes something about the cybersecurity industry and org posture btw - it almost all runs on Windows and EDR telemetry, hence why thereβs little info on this from vendors (Netscaler is closed box appliance - theyβre flying blind) and why orgs arenβt seeing anything, they donβt know how without vendors.
I keep contacting orgs and they have no idea they are compromised or how to investigate.
#CitrixBleed2
Kevin BeaumontThe Dutch Public Prosecution Service #CitrixBleed2 incident rolls on - NRC report on an email from the Director of their IT service, where they say βIt is clear that itβs a massive and dramatic incidentβ.
https://www.nrc.nl/nieuws/2025/07/22/digitale-werkomgeving-om-inderdaad-gehackt-onderzoek-moet-uitwijzen-welke-informatie-is-gestolen-a4901019
Kevin BeaumontThe Dutch Public Prosecution Service Citrix Netscaler incident is rumbling on. They are working on service recovery.
https://www.databreachtoday.com/dutch-prosecutors-recover-from-suspected-russian-hack-a-29129
#CitrixBleed2
Kevin BeaumontI've updated my CitrixBleed2 scan results for the first time in two weeks (I've been on holiday).
https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
2637 orgs still vuln