// NEXUSVOID CYBER NEWS


Critical

Citrix, NetScaler, ransomware, CitrixBleed, actively exploited

Citrix Bleed 2 Exploited Within Hours of Disclosure - Now Feeding Ransomware Operations

A new CitrixBleed vulnerability in NetScaler appliances was exploited immediately after public disclosure using public PoC code, and Anubis ransomware affiliates are exploiting Citrix Bleed 2 (CVE-2025-5777) for initial access. If you run NetScaler, assume you are being scanned right now.

BRIEFING · Fast coverage. Original reporting credited below.

What happened: Two related developments in 24 hours. SecurityWeek reports that attackers began targeting Citrix NetScaler appliances with public proof-of-concept code immediately after a new CitrixBleed-class memory-disclosure vulnerability went public, using it to retrieve arbitrary memory contents in HTTP responses. Separately, The Hacker News reports that affiliates of the Anubis ransomware operation are exploiting Citrix Bleed 2 (CVE-2025-5777) for initial access, then living off the land with legitimate remote-management tooling.

Why it matters: This is the disclosure-to-exploitation window collapsing to hours, in public view. The memory these bugs leak includes session tokens - which bypass MFA entirely. When a vulnerability class gets a reliable public PoC, ransomware adoption follows within days, and edge appliances like NetScaler are the front door.

What to do now:

  • Patch all NetScaler ADC and Gateway appliances to current firmware immediately

  • Kill all active sessions after patching - leaked session tokens survive the patch

  • Hunt for RMM tooling you did not deploy (a common post-Citrix-access pattern per the reporting)

  • Treat any unpatched, internet-facing NetScaler as potentially compromised, not merely vulnerable
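
One way to run the RMM hunt from the list above, as an added example that is not from the original briefing or its sources. The tool names, the approved-deployment map, the host names and the sample events are all assumptions constructed for illustration; feed it process-creation events from your own EDR or log pipeline.

```python
from datetime import datetime

# Assumption: RMM agent process names to look for. Illustrative only; the
# briefing does not name specific tools. Extend from your own inventory.
KNOWN_RMM = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "ateraagent.exe": "Atera",
}

# Assumption: the tools the organisation deployed, and the hosts they belong on.
APPROVED = {"TeamViewer": {"HELPDESK-01", "HELPDESK-02"}}

# Constructed sample process-creation events: (host, image path, UTC timestamp).
SAMPLE_EVENTS = [
    ("HELPDESK-01", r"C:\Program Files\TeamViewer\TeamViewer.exe", "2025-01-10T09:00:00"),
    ("FILESRV-03", r"C:\Users\Public\AnyDesk.exe", "2025-01-12T02:14:00"),
    ("FILESRV-03", r"C:\Users\Public\AnyDesk.exe", "2025-01-12T03:30:00"),
    ("FILESRV-03", r"C:\Windows\System32\svchost.exe", "2025-01-12T02:15:00"),
    ("DB-02", r"C:\ProgramData\TeamViewer\TeamViewer.exe", "2025-01-12T02:40:00"),
]


def hunt_unapproved_rmm(events, known=KNOWN_RMM, approved=APPROVED):
    """Return the earliest sighting of each RMM tool on a host where it was not deployed."""
    findings = {}
    for host, image, ts in events:
        # Match on the file name only, case-insensitively, whatever the install path.
        name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        tool = known.get(name)
        if tool is None:
            continue  # not an RMM agent we track
        if host in approved.get(tool, set()):
            continue  # approved tool on a host it was deployed to
        seen = datetime.fromisoformat(ts)
        key = (host, tool)
        # Keep the first sighting: it anchors the incident timeline.
        if key not in findings or seen < findings[key][0]:
            findings[key] = (seen, image)
    return sorted((h, t, s.isoformat(), img) for (h, t), (s, img) in findings.items())


if __name__ == "__main__":
    for host, tool, first_seen, image in hunt_unapproved_rmm(SAMPLE_EVENTS):
        print(f"{first_seen}  {host:<12} {tool:<12} {image}")
```

Approval is checked per host, so a sanctioned tool appearing on a server it was never rolled out to is still reported.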

Sources: SecurityWeek · The Hacker News
