Executive Summary
In July 2026, the Anubis ransomware group exploited the Citrix Bleed 2 vulnerability (CVE-2025-5777) to gain initial access to targeted systems. This critical flaw in Citrix NetScaler ADC and Gateway devices allows unauthenticated attackers to extract sensitive memory contents, including session tokens, enabling them to bypass multi-factor authentication and hijack user sessions. Anubis affiliates utilized legitimate Remote Management and Monitoring (RMM) tools such as ScreenConnect, Zoho Assist, and UltraVNC to maintain control over compromised systems, facilitating lateral movement and data encryption. (thehackernews.com)
The exploitation of CVE-2025-5777 underscores the persistent threat posed by ransomware groups leveraging known vulnerabilities and legitimate tools to evade detection. Organizations must prioritize timely patching of critical vulnerabilities and monitor for unauthorized use of RMM tools to mitigate such risks.
Why This Matters Now
The active exploitation of CVE-2025-5777 by ransomware groups like Anubis highlights the urgent need for organizations to patch known vulnerabilities promptly and monitor for misuse of legitimate tools to prevent unauthorized access and data breaches.
Attack Path Analysis
The Anubis ransomware group exploited the Citrix Bleed 2 vulnerability (CVE-2025-5777) to gain initial access by hijacking active VPN sessions and bypassing multi-factor authentication. They escalated privileges by leveraging stolen session tokens to access internal systems. Utilizing legitimate Remote Management and Monitoring (RMM) tools, they moved laterally across the network. Established command and control channels were set up using these RMM tools. Data was exfiltrated by encrypting and transmitting it through these channels. Finally, the attackers deployed ransomware to encrypt critical data, demanding a ransom for decryption.
Kill Chain Progression
Initial Compromise
Description
Exploited Citrix Bleed 2 vulnerability (CVE-2025-5777) to hijack active VPN sessions and bypass multi-factor authentication.
Related CVEs
CVE-2025-5777
CVSS 7.5A use-after-free vulnerability in Citrix NetScaler ADC and NetScaler Gateway allows unauthenticated remote attackers to extract sensitive information, such as session tokens, from memory, potentially leading to session hijacking and bypassing multi-factor authentication.
Affected Products:
Citrix NetScaler ADC – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, 12.1-FIPS before 12.1-55.328-FIPS
Citrix NetScaler Gateway – 14.1 before 14.1-43.56, 13.1 before 13.1-58.32, 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP, 12.1-FIPS before 12.1-55.328-FIPS
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Use Alternate Authentication Material: Application Access Token
Valid Accounts: Cloud Accounts
Valid Accounts: Domain Accounts
Valid Accounts: Local Accounts
Valid Accounts: Default Accounts
Valid Accounts: SSH Keys
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Citrix Bleed 2 ransomware attacks threaten patient data through compromised remote access, requiring enhanced segmentation and HIPAA compliance measures.
Financial Services
Anubis ransomware exploiting Citrix vulnerabilities poses severe risks to financial data integrity, demanding strengthened egress controls and PCI compliance.
Government Administration
RMM tooling abuse and lateral movement capabilities in ransomware attacks create critical infrastructure risks requiring zero trust implementation.
Information Technology/IT
IT sectors face heightened exposure to Citrix Bleed 2 exploitation through remote management tools, necessitating enhanced threat detection capabilities.
Sources
- Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentialshttps://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.htmlVerified
- CISA warns hackers are actively exploiting critical 'Citrix Bleed 2' security flawhttps://techcrunch.com/2025/07/11/cisa-confirms-hackers-are-actively-exploiting-critical-citrix-bleed-2-bug/Verified
- Anubis ransomware exploits CitrixBleed 2 and RMM toolshttps://www.techzine.eu/news/security/142624/anubis-ransomware-exploits-citrixbleed-2-and-rmm-tools/Verified
- From CitrixBleed 2 to Cloudflared: The Tools and Techniques Behind Anubis Ransomware Attackshttps://arcticwolf.com/resources/blog/citrixbleed-2-to-cloudflared-the-tools-and-techniques-behind-anubis-ransomware-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Aviatrix Zero Trust CNSF could have significantly constrained the Anubis ransomware group's activities by limiting lateral movement and controlling data exfiltration paths.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the Citrix Bleed 2 vulnerability may have been constrained, reducing the likelihood of unauthorized access.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges using stolen session tokens could have been limited, reducing unauthorized access to internal systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement using RMM tools may have been constrained, reducing the spread within the network.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels using RMM tools could have been limited, reducing external communication.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained, reducing unauthorized data transmission.
The attacker's ability to encrypt critical data and demand ransom could have been limited, reducing the impact of the attack.
Impact at a Glance
Affected Business Functions
- Remote Access Services
- Network Security
- User Authentication
- Data Integrity
Estimated downtime: 14 days
Estimated loss: $500,000
Potential exposure of sensitive session tokens and authentication credentials, leading to unauthorized access to internal systems.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit access to critical systems.
- • Deploy East-West Traffic Security to monitor and control internal network traffic, detecting unauthorized movements.
- • Utilize Multicloud Visibility & Control to gain comprehensive insights into network activities and detect anomalies.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Regularly update and patch systems to mitigate known vulnerabilities like CVE-2025-5777.



