CitrixBleed 2 Vulnerability: Threat Actors Increasingly Exploit Multi-Factor Authentication Weaknesses
Recent investigations have unveiled that malicious actors are actively leveraging the CitrixBleed 2 vulnerability, identified as CVE-2025-5777, to hijack ongoing NetScaler sessions that are nominally secured by multi-factor authentication (MFA). This alarming trend suggests that intruders are finding a way to penetrate enterprise environments, raising significant concerns for organizations.
Evidence from security experts indicates that the attacking methodology appears highly standardized, potentially suggesting the work of an initial access broker or a ransomware affiliate. This organized approach has resulted in a variety of victims from diverse sectors and organizations; nonetheless, attackers have consistently employed the very same tactics, which include a specific means of access, privilege escalation, and the creation of rogue administrator accounts using remote management tools.
The CVE-2025-5777 vulnerability is pertinent to NetScaler ADC and Gateway appliances configured as either Gateway or AAA virtual servers. The threat arises from a pre-authentication memory-overread flaw that can be activated through specifically crafted POST requests sent to NetScaler login endpoints, such as /p/u/doAuthentication.do. When attackers submit an empty login parameter at scale, they can provoke the appliance to reveal fragments of adjacent heap memory.
These memory fragments can potentially contain sensitive information, including active session tokens, HTTP headers, internal IP addresses, certificate data, and other session metadata. This creates an opportunity for attackers to replay a stolen session token from a different IP address, thereby circumventing MFA entirely since the original authentication has already been validated by the legitimate user.
A particular investigation by Huntress revealed that a user had legitimately authenticated through LDAP and MFA, yet only 21 minutes later, their session was accessed from an attacker-controlled IP address. This incident underscores the alarming efficiency of the attackers’ methods. Huntress Tactical Response has documented around six breaches within the first half of 2026 alone, all leading to a consistent attack pattern that culminated in the deployment of DragonForce ransomware.
During their investigations, security analysts noted the absence of any successful authentication events corresponding to the attacker’s activities, which further reinforced the compelling evidence that the session had been compromised and subsequently replayed.
Rather than relying on traditional password spraying techniques, the earliest indicators of this threat were more unorthodox: NetScaler logs were littered with thousands of AAA LOGIN_FAILED events featuring unprintable binary characters within the username fields. Huntress identified this as leaked heap memory rather than legitimate authentication failures.
To counter these alarming indicators, it is imperative for defenders to scrutinize high volumes of malformed login attempts, empty form parameters, and anomalous binary data located within ns.log. Equally crucial is the investigation of active sessions that lack any corresponding positive login event.
When the attackers successfully gained access to a Citrix-published desktop, they employed a portable local privilege-escalation tool, allowing them to acquire the NT AUTHORITY\SYSTEM level access. The use of ScreenConnect MSI installers, often set to connect to servers controlled by the attackers, was frequently noted in such intrusions. Other tools like Zoho Assist and earlier incidents involving NetBird and Atera were also recorded.
The attackers skillfully exploited Windows Registry symbolic links alongside the Application Management service, also known as AppMgmt. This tactic allowed them to redirect privileged Group Policy processing, launching malicious executables in a SYSTEM context. Subsequently, they established rogue local administrator accounts, often using Citrix-themed usernames, and installed legitimate remote access software for persistent control.
With access secured, these operators engaged in various operations, including interactive RDP access, reconnaissance activities, credential dumping, and utilizing Impacket for remote activities aimed at compromising domain infrastructure. In one notable advanced incident, attackers successfully executed a DragonForce ransomware payload, labeled 1.exe. Quick response efforts succeeded in limiting the encryption to just one host; however, this episode exemplifies the severe threats associated with this access chain.
Sophos has similarly tracked comparable activities under the designation STAC3725, documenting overlapping strategies that involve NetScaler exploitation coupled with ransomware distribution. The situation has raised alarms, suggesting that multiple criminal entities may be utilizing the CitrixBleed 2 vulnerability in their operations.
In response to these incidents, organizations are strongly encouraged to apply urgent security updates to any NetScaler appliances exposed to the internet. Moreover, it is advised to terminate all outstanding sessions post-patching and to preserve gateway logs prior to their rotation. Security teams should also perform diligent reviews of administrator accounts, interactions involving ScreenConnect or Zoho Assist, any suspicious starts of the AppMgmt service, registry alterations, and RDP sessions linked to unfamiliar client hostnames.
As organizations navigate the complex cybersecurity landscape, they must remain vigilant against such vulnerabilities and thoroughly investigate any indicators of compromise to thwart potential exploitations.

