2026-07-03 - Ransomware Threat: Anubis Ransomware Active Exploiting Citrix Bleed 2 CVE-2025-5777

Executive Summary

A critical vulnerability in Citrix gateway appliances is facing active exploitation by sophisticated ransomware syndicates. Security researchers at Arctic Wolf have reported that threat actors associated with the Anubis ransomware group are aggressively exploiting CVE-2025-5777, popularly known as "Citrix Bleed 2." This high-severity flaw affects Citrix NetScaler ADC and NetScaler Gateway, allowing unauthenticated attackers to bypass authentication and obtain initial access. Once inside, the threat actors deploy legitimate remote management tools to move laterally, culminating in widespread corporate network encryption and data extortion.

Deep-Dive Technical Analysis

CVE-2025-5777 is a critical buffer over-read vulnerability residing in the web-portal interface of Citrix NetScaler ADC and Gateway.

The active attack campaigns follow highly coordinated tradecraft:

* Initial Access via Citrix Bleed 2: Unauthenticated attackers send a series of crafted HTTP requests to vulnerable Citrix gateway endpoints. This bypasses access controls and forces the appliance to leak active session tokens from its memory buffer. The attacker then hijacks these valid administrative session tokens, gaining direct access to the corporate network without requiring valid login credentials or triggering MFA.

* Abusing Legitimate RMM Tools: Rather than deploying custom backdoors immediately, the Anubis ransomware group employs a "Living off the Land" strategy. They download and install legitimate, commercial Remote Monitoring and Management (RMM) utilities (such as AnyDesk, ScreenConnect, or Splashtop) to establish persistent administrative access. This technique bypasses traditional endpoint security rules, as the installed software is widely recognized as legitimate administrative tooling.

* Lateral Movement and Credential Access: The threat actors conduct active, hands-on-keyboard procedures to scrape memory buffers for local credentials, dump Active Directory databases, and pivot laterally to high-value domain controllers and storage servers.

* Data Exfiltration and Encryption: Once the target infrastructure is fully mapped and sensitive corporate files are copied to external cloud servers, the attackers execute the Anubis ransomware payload, encrypting local files and demanding a payment to recover the data.

Industry Impact and Recommendations

Citrix NetScaler appliances sit at the edge of the corporate perimeter, making them high-priority targets for initial access brokers. A compromise of a Citrix gateway grants threat actors immediate, highly privileged access behind the firewall, bypassing the perimeter security controls in front of it.

To defend your perimeter against Citrix Bleed 2 and associated ransomware attacks, we recommend enforcing the following immediate security measures:

1. Apply Citrix Security Updates Immediately: Ensure all Citrix NetScaler ADC and Gateway virtual and physical appliances are updated with the official, vendor-released security patches addressing CVE-2025-5777.

2. Terminate and Revoke Active Session Tokens: Following patching, force a termination of all active user and administrator sessions on the NetScaler appliance and rotate all administrative passwords to invalidate any potentially hijacked session tokens.

3. Audit and Restrict RMM Software: Implement strict endpoint application whitelisting. Monitor and block the execution of unapproved RMM tools (like AnyDesk or ScreenConnect) on enterprise endpoints and servers.

4. Monitor Gateway Access Logs: Regularly audit NetScaler access logs for anomalous, high-volume HTTP requests directed at authentication endpoints or sign-ins originating from unusual geographic locations.
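As an added example (not part of the original advisory or any vendor tooling), the following Python script implements the log review in recommendation 4 over constructed sample lines: it flags sources that send a burst of requests to the authentication endpoint within a short window, and successful sign-ins from countries outside an expected allow-list. The log layout, the /auth/login path and the country allow-list are assumptions; adapt the regex to your NetScaler log export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed placeholders: the auth endpoint path is not a documented NetScaler path and the
# log layout (ISO time, source IP, method, path, status, GeoIP country) is an assumed export.
AUTH_PATHS = {"/auth/login"}
EXPECTED_COUNTRIES = {"GB", "DE"}                # countries sign-ins normally come from
WINDOW, THRESHOLD = timedelta(seconds=60), 5     # flag >= 5 auth hits per IP within 60 s
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) [A-Z]+ (?P<path>\S+) (?P<status>\d{3}) (?P<geo>[A-Z]{2})$")

# Constructed sample log: 203.0.113.9 hammers the auth endpoint, then signs in from a
# country outside the allow-list; the other two sources are ordinary sessions.
SAMPLE_LOG = """\
2026-07-03T08:00:01Z 198.51.100.7 POST /auth/login 200 GB
2026-07-03T08:00:05Z 203.0.113.9 POST /auth/login 401 US
2026-07-03T08:00:06Z 203.0.113.9 POST /auth/login 401 US
2026-07-03T08:00:07Z 203.0.113.9 POST /auth/login 401 US
2026-07-03T08:00:08Z 203.0.113.9 POST /auth/login 401 US
2026-07-03T08:00:09Z 203.0.113.9 POST /auth/login 401 US
2026-07-03T08:00:10Z 203.0.113.9 POST /auth/login 200 US
2026-07-03T08:03:00Z 198.51.100.7 GET /portal/home 200 GB
2026-07-03T08:05:00Z 192.0.2.44 POST /auth/login 200 DE
"""

def analyse(lines):
    """Return (bursts, foreign): per source IP the peak auth-request count inside one WINDOW
    when it reached THRESHOLD, and successful sign-ins from countries outside the allow-list."""
    per_ip, foreign = defaultdict(list), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["path"] not in AUTH_PATHS:     # skip unparseable and non-auth lines
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        per_ip[m["ip"]].append(ts)
        if int(m["status"]) == 200 and m["geo"] not in EXPECTED_COUNTRIES:
            foreign.append((m["ip"], m["geo"]))
    bursts = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):            # sliding window over sorted timestamps
            while ts - stamps[start] > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                bursts[ip] = max(bursts.get(ip, 0), end - start + 1)
    return bursts, foreign

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG.splitlines()))
```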
