Executive Summary
Between January 28 and February 2, 2026, a coordinated reconnaissance campaign targeted Citrix NetScaler infrastructure, utilizing over 63,000 distinct IP addresses to conduct more than 111,000 scanning sessions. Approximately 64% of this traffic originated from residential proxies, allowing attackers to masquerade as legitimate users and evade traditional security measures. The primary focus was on identifying exposed Citrix login panels and enumerating product versions, indicating a systematic effort to map vulnerable systems for potential exploitation.
This incident underscores a growing trend where attackers leverage residential proxies to conduct large-scale reconnaissance, complicating detection efforts. The specific targeting of Citrix NetScaler devices suggests a heightened interest in exploiting known vulnerabilities within these systems, emphasizing the need for organizations to implement robust monitoring and timely patching strategies to mitigate such threats.
Why This Matters Now
The use of residential proxies in reconnaissance campaigns represents an evolution in attacker tactics, making malicious activities harder to detect and block. Organizations must enhance their security posture by monitoring for unusual access patterns and ensuring that all systems, especially those exposed to the internet, are promptly updated to address known vulnerabilities.
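The "unusual access pattern" this campaign leaves in web logs is the inverse of a classic brute force: tens of thousands of source addresses, each making only one or two requests to the same login path (63,000 IPs for 111,000 sessions is under two per address). The Python below is an added example, not code from the page's sources; it slides a time window over constructed access-log lines and raises an alert for a watched path only when many distinct sources hit it at a low per-source rate. The log format and the paths `/gateway/login`, `/portal/login` and `/app/home` are placeholders chosen for illustration, since the page names no URLs.

```python
"""Detect distributed, low-volume probing of a login path in web access logs.

Added example, not from the page's source reports. Log format and watched
paths are placeholders; the sample log below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean


def build_sample_log() -> list[str]:
    """Constructed log lines, one request each: '<src_ip> <ISO-8601 time> <path> <status>'."""
    lines = []
    base = datetime(2026, 1, 29, 10, 0, 0)
    # Diffuse probing: 40 distinct sources, one request each, within 80 seconds
    # (mirrors the <2 sessions-per-IP ratio of the campaign described above).
    for i in range(40):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"198.51.100.{i + 1} {t.isoformat()} /gateway/login 200")
    # One noisy source hammering another login path: a single-IP pattern that
    # ordinary brute-force rules cover, so this detector should ignore it.
    for i in range(30):
        t = base + timedelta(seconds=i)
        lines.append(f"192.0.2.7 {t.isoformat()} /portal/login 401")
    # Ordinary users on an unwatched path.
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"203.0.113.{i + 10} {t.isoformat()} /app/home 200")
    return lines


def parse_line(line: str):
    src, ts, path, status = line.split()
    return src, datetime.fromisoformat(ts), path, int(status)


def distributed_probe_alerts(lines, watched_paths, window=timedelta(minutes=10),
                             min_sources=25, max_requests_per_source=3.0):
    """Return {path: summary} for each watched path that, inside one sliding
    window, is hit by at least `min_sources` distinct IPs averaging no more
    than `max_requests_per_source` requests each. The summary kept is the
    window with the most distinct sources."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[1])
    alerts = {}
    for path in watched_paths:
        hits = [(src, ts) for src, ts, p, _ in events if p == path]
        best = None
        start = 0
        for end in range(len(hits)):
            # Advance the window start so hits[start:end+1] spans at most `window`.
            while hits[end][1] - hits[start][1] > window:
                start += 1
            per_source = Counter(src for src, _ in hits[start:end + 1])
            if len(per_source) < min_sources:
                continue
            rate = mean(per_source.values())
            if rate > max_requests_per_source:
                continue
            if best is None or len(per_source) > best["sources"]:
                best = {
                    "sources": len(per_source),
                    "requests": sum(per_source.values()),
                    "requests_per_source": round(rate, 2),
                    "window_start": hits[start][1].isoformat(),
                    "window_end": hits[end][1].isoformat(),
                }
        if best is not None:
            alerts[path] = best
    return alerts


if __name__ == "__main__":
    for path, summary in distributed_probe_alerts(
            build_sample_log(), {"/gateway/login", "/portal/login"}).items():
        print(path, summary)
```

Run against the constructed log, only `/gateway/login` is reported (40 sources, 1.0 request each); the 30 requests from the single address to `/portal/login` never reach `min_sources`. Tune `min_sources` and the window to the normal distinct-visitor rate of the real login panel, and pair the alert with the single-source brute-force rule rather than replacing it.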
Attack Path Analysis
Attackers initiated a reconnaissance campaign targeting Citrix NetScaler devices, utilizing thousands of residential proxies to identify exposed login panels and enumerate product versions. Exploiting the CVE-2025-5777 vulnerability, they gained unauthorized access by hijacking active VPN sessions and bypassing multi-factor authentication. With valid session tokens, attackers escalated privileges, accessing internal systems without credentials. They moved laterally within the network, deploying reconnaissance tools to map internal networks and, in some cases, launching ransomware payloads. Establishing command and control channels, they maintained persistent access to compromised systems. Finally, they exfiltrated sensitive data and deployed ransomware, causing significant operational disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the CVE-2025-5777 vulnerability in Citrix NetScaler devices to hijack active VPN sessions and bypass multi-factor authentication.
Related CVEs
CVE-2025-7775
CVSS 9.8. A memory overflow vulnerability in Citrix NetScaler ADC and Gateway allows unauthenticated remote code execution or denial of service.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS before 13.1-37.241, 12.1-FIPS before 12.1-55.330
Citrix NetScaler Gateway – 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS before 13.1-37.241, 12.1-FIPS before 12.1-55.330
Exploit Status:
Exploited in the wild
CVE-2025-5777
CVSS 7.5. An insufficient input validation vulnerability in Citrix NetScaler Gateway allows unauthenticated attackers to leak sensitive memory data, including session tokens and passwords.
Affected Products:
Citrix NetScaler Gateway – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32
Exploit Status:
Exploited in the wild
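The "before" thresholds above are the first fixed build on each branch, so an inventory check reduces to parsing a NetScaler build string and comparing it to the right threshold. The Python below is an added example, not Citrix's or the cited sources' code: it encodes exactly the builds listed on this page and compares an installed build against them. The build-string format (`major.minor-build.sub`, for example `14.1-47.48`) and the treatment of the FIPS branches as separate lookup keys, selected by a `fips` flag, are this example's assumptions; a branch the page does not list for a CVE yields `None`, not a verdict. Citrix's bulletin in the Sources remains authoritative.

```python
"""Compare an installed NetScaler build with the fixed builds listed above.

Added example; the fixed builds are those stated on this page.
"""
import re
from typing import Optional

# First fixed build per branch, exactly as listed in the advisory text above.
# Using "13.1-FIPS" / "12.1-FIPS" as separate keys is this example's assumption.
FIXED_BUILDS = {
    "CVE-2025-7775": {
        "14.1": "14.1-47.48",
        "13.1": "13.1-59.22",
        "13.1-FIPS": "13.1-37.241",
        "12.1-FIPS": "12.1-55.330",
    },
    "CVE-2025-5777": {
        "14.1": "14.1-43.56",
        "13.1": "13.1-58.32",
    },
}

# Assumed build-string layout: <major>.<minor>-<build>.<sub>, e.g. 14.1-47.48
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    """Turn '14.1-47.48' into (14, 1, 47, 48) so tuples compare numerically."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(cve: str, build: str, fips: bool = False) -> Optional[bool]:
    """True if `build` is older than the first fixed build for its branch,
    False if fixed, None if the page lists no threshold for that branch."""
    major, minor, _, _ = parse_build(build)
    branch = f"{major}.{minor}" + ("-FIPS" if fips else "")
    fixed = FIXED_BUILDS[cve].get(branch)
    if fixed is None:
        return None
    return parse_build(build) < parse_build(fixed)


def audit(build: str, fips: bool = False) -> dict:
    """Verdict for every CVE on this page for one installed build."""
    return {cve: is_vulnerable(cve, build, fips) for cve in FIXED_BUILDS}


if __name__ == "__main__":
    for b, f in [("14.1-43.56", False), ("13.1-37.241", False), ("13.1-37.241", True)]:
        print(b, "FIPS" if f else "non-FIPS", audit(b, f))
```

The `fips` flag matters: build `13.1-37.241` is the fixed FIPS build for CVE-2025-7775, but read as a standard 13.1 build it falls well before 13.1-59.22 and is reported vulnerable. Feed the function the branch the appliance actually runs rather than inferring it from the number alone.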
MITRE ATT&CK® Techniques
Active Scanning
Proxy
Acquire Infrastructure
Hide Infrastructure
Gather Victim Network Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Change Control Processes
Control ID: 6.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Network and Environment Segmentation
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Citrix NetScaler reconnaissance threatens secure remote access to critical financial systems, potentially exposing customer data and payment processing infrastructure to exploitation.
Health Care / Life Sciences
Healthcare organizations using Citrix Gateways face HIPAA compliance violations and patient data exposure risks from coordinated scanning campaigns targeting authentication interfaces.
Government Administration
Government networks relying on Citrix infrastructure are vulnerable to state-sponsored reconnaissance activities, compromising secure communications and classified system access controls.
Information Technology
IT service providers managing Citrix deployments across multiple clients face amplified risk from residential proxy-based reconnaissance targeting version enumeration and authentication panels.
Sources
- Wave of Citrix NetScaler scans use thousands of residential proxies (https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/)
- NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2025-5349 and CVE-2025-5777 (https://support.citrix.com/article/CTX693420)
- Citrix Warns of Active Exploitation: CVE-2025-7775 in NetScaler ADC/Gateway (https://threatprotect.qualys.com/2025/08/26/citrix-warns-of-active-exploitation-cve-2025-7775-in-netscaler-adc-gateway/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in network devices may have been constrained, reducing unauthorized access to internal systems.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained, limiting unauthorized access to sensitive systems.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may have been constrained, reducing the spread of malicious activities.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may have been constrained, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may have been constrained, reducing data loss.
The attacker's ability to deploy ransomware may have been constrained, reducing operational disruption.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Authentication Services
- Network Security Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive memory data, including session tokens and passwords.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities like CVE-2025-5777.
- Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Regularly update and patch systems to mitigate known vulnerabilities and reduce the attack surface.

