>samit_hota
Back to advisories
SH-2026-031CriticalOpen

CitrixBleed 2 Exploitation Leads to DragonForce Ransomware Attacks

Samit Hota·
CVE ID
CVE-2025-5777
CVSS Score
N/A
Affected Products
Citrix NetScaler ADC and Gateway appliances vulnerable to CVE-2025-5777
#news#citrixbleed2

Overview

Threat hunters at Huntress have identified a highly consistent and active attack chain in the first half of 2026, where threat actors are exploiting the “CitrixBleed 2” vulnerability (CVE-2025-5777) in Citrix NetScaler appliances. This critical pre-authentication memory-overread vulnerability serves as the initial access vector, ultimately culminating in the deployment of DragonForce ransomware. The consistency of the attack methodology across multiple unrelated organizations suggests a productized runbook used by an Initial Access Broker (IAB) or a sophisticated threat group. This ongoing exploitation poses a severe threat to organizations relying on vulnerable Citrix NetScaler products.

Technical Details

CVE-2025-5777, dubbed “CitrixBleed 2” as a successor to the notorious CVE-2023-4966, is a pre-authentication memory-overread vulnerability affecting Citrix NetScaler ADC and Gateway when configured as a Gateway or AAA virtual server. The exploit involves sending malformed POST requests with an empty login form variable to the login endpoint. This action causes the appliance to serialize approximately 127 bytes of adjacent process memory into its response. By “spraying” these requests at volume, attackers can harvest heap memory fragments, critically including live session tokens. Huntress successfully reconstructed a session hijack in one incident where a legitimate user’s authenticated session, established via LDAP with MFA, was subsequently taken over by an attacker from a different IP address without any additional successful authentication. This bypasses multi-factor authentication (MFA), as the session is already authenticated. The threat actors then leverage tools like PsExec, Impacket-based tooling, and Mimikatz for lateral movement and credential access before deploying the DragonForce ransomware binary.

Real-World Impact

The active exploitation of CitrixBleed 2 leads directly to highly damaging ransomware incidents. Organizations that fail to patch this vulnerability are at risk of complete network compromise and data encryption by the DragonForce ransomware group. The ability to bypass MFA through session hijacking means that even organizations with strong authentication policies are vulnerable if their Citrix NetScaler appliances remain unpatched. The financial and operational impact of ransomware attacks can be devastating, including prolonged system downtime, significant costs for incident response and recovery, potential data exfiltration leading to double extortion, and severe reputational damage. The consistent nature of these attacks indicates a well-established and effective method for threat actors to gain persistent access to corporate networks.

Threat Landscape

The active exploitation of CitrixBleed 2 highlights the ongoing risk posed by critical vulnerabilities in widely used network infrastructure components. Initial Access Brokers (IABs) frequently leverage such flaws to gain footholds within organizations, which they then sell or hand off to ransomware groups like DragonForce. This specialization within the cybercriminal ecosystem accelerates the speed and efficiency of attacks. The effectiveness of this exploit in bypassing MFA mechanisms is particularly concerning, as MFA is often considered a cornerstone of modern cybersecurity defenses. Organizations must recognize that even well-implemented security controls can be circumvented by sophisticated exploits targeting underlying infrastructure vulnerabilities, making timely patching and proactive threat hunting indispensable.

Remediation

Organizations utilizing Citrix NetScaler ADC and Gateway appliances must immediately apply the latest security updates to patch CVE-2025-5777. This is the most critical step to prevent initial access. Given the observed session hijacking, administrators should also implement robust session management practices and consider re-authenticating all active sessions after patching. Furthermore, a thorough audit of their Citrix environments for any signs of compromise, including anomalous session activity, newly created rogue accounts, or the presence of known attacker tools (PsExec, Impacket, Mimikatz), is highly recommended. Implementing network segmentation, endpoint detection and response (EDR) solutions, and regular backups are crucial layers of defense to mitigate the impact of a potential ransomware attack, even if initial access is gained. Proactive threat hunting and continuous monitoring for indicators of compromise (IoCs) associated with DragonForce ransomware and IAB activities are also essential.

Found something similar in your stack?

Let's find out before it becomes an incident.

Book an advisory call