// NEXUSVOID CYBER NEWS
Critical
Citrix, NetScaler, ransomware, CitrixBleed, actively exploited
Citrix Bleed 2 Exploited Within Hours of Disclosure - Now Feeding Ransomware Operations
A new CitrixBleed vulnerability in NetScaler appliances was exploited immediately after public disclosure using public PoC code, and Anubis ransomware affiliates are exploiting Citrix Bleed 2 (CVE-2025-5777) for initial access. If you run NetScaler, assume you are being scanned right now.
BRIEFING · Fast coverage. Original reporting credited below.
What happened: Two related developments in 24 hours. SecurityWeek reports that attackers began targeting Citrix NetScaler appliances with public proof-of-concept code immediately after a new CitrixBleed-class memory-disclosure vulnerability went public, using it to retrieve arbitrary memory contents in HTTP responses. Separately, The Hacker News reports that affiliates of the Anubis ransomware operation are exploiting Citrix Bleed 2 (CVE-2025-5777) for initial access, then living off the land with legitimate remote-management tooling.
Why it matters: This is the disclosure-to-exploitation window collapsing to hours, in public view. The memory these bugs leak includes session tokens - which bypass MFA entirely. When a vulnerability class gets a reliable public PoC, ransomware adoption follows within days, and edge appliances like NetScaler are the front door.
What to do now:
- Patch all NetScaler ADC and Gateway appliances to current firmware immediately
- Kill all active sessions after patching - leaked session tokens survive the patch
- Hunt for RMM tooling you did not deploy (a common post-Citrix-access pattern per the reporting)
- Treat any unpatched, internet-facing NetScaler as potentially compromised, not merely vulnerable
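
Because a leaked session token stays valid until the session is killed, it is worth checking whether any session was already used from a second client. The following is an added example, not part of the original reporting: it flags a session ID whose source IP changes between consecutive requests within a short window. The record layout, field names and sample events are constructed assumptions, not NetScaler's actual log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real appliance output). Assumed layout:
# timestamp, session_id, user, source_ip, user_agent.
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "sess-A", "alice", "198.51.100.10", "CitrixReceiver/24"),
    ("2025-01-01T09:05:00", "sess-A", "alice", "198.51.100.10", "CitrixReceiver/24"),
    ("2025-01-01T09:07:00", "sess-A", "alice", "203.0.113.77", "python-requests/2.31"),
    ("2025-01-01T09:10:00", "sess-B", "bob", "198.51.100.20", "Mozilla/5.0"),
    ("2025-01-01T11:30:00", "sess-B", "bob", "198.51.100.21", "Mozilla/5.0"),
    ("2025-01-01T09:15:00", "sess-C", "carol", "192.0.2.5", "Mozilla/5.0"),
]

def find_replayed_sessions(events, window_minutes=30):
    """Return sessions whose source IP changes between two consecutive
    requests that are at most window_minutes apart.

    A token is issued to one client after login and MFA. The same token
    arriving from another address shortly afterwards suggests it was copied;
    a change after a long gap is more likely ordinary roaming.
    """
    by_session = defaultdict(list)
    for ts, sid, user, ip, agent in events:
        by_session[sid].append((datetime.fromisoformat(ts), user, ip, agent))

    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r[0])  # logs may arrive out of order
        for (t0, user, ip0, ua0), (t1, _, ip1, ua1) in zip(rows, rows[1:]):
            gap_min = (t1 - t0).total_seconds() / 60
            if ip1 != ip0 and gap_min <= window_minutes:
                findings.append({
                    "session": sid, "user": user,
                    "previous_ip": ip0, "new_ip": ip1,
                    "agent_changed": ua1 != ua0,
                    "gap_minutes": round(gap_min, 1),
                })
                break  # one finding per session is enough to act on
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```

Any session this returns should be terminated and the account reviewed; the window is a tuning knob, since mobile clients legitimately change address.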
Sources: SecurityWeek · The Hacker News