The Anubis Ransomware group is executing high-velocity exploitation of CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC/Gateway appliances, colloquially known as "Citrix Bleed 2." This vulnerability permits session token and memory disclosure, allowing attackers to bypass authentication and hijack active sessions. By targeting edge-facing infrastructure, Anubis circumvents traditional perimeter defenses to gain initial access, facilitating lateral movement and the subsequent deployment of ransomware payloads. This campaign marks a strategic shift toward leveraging N-day vulnerabilities in critical network appliances to conduct large-scale extortion and enterprise-wide encryption.
Vulnerability Mechanics: Citrix Bleed 2
- CVE-2025-5777 enables sensitive memory disclosure and session token leakage within Citrix NetScaler appliances.
- Attackers leverage leaked session data to perform authentication bypass and session hijacking.
- The vulnerability sits in the core gateway/ADC layer, giving attackers a direct path into the enterprise network.
Attack Vector: Deployment Lifecycle
- Initial access is achieved through exploitation of the public-facing Citrix infrastructure.
- Post-exploitation involves rapid lateral movement using stolen credentials and hijacked sessions.
- The final stage utilizes Anubis-specific deployment toolsets for widespread ransomware execution.
Threat Actor Profile: Anubis Ransomware
- Anubis focuses on high-impact, N-day vulnerabilities to facilitate rapid breach cycles.
- The group targets diverse industry verticals through large-scale, automated exploitation campaigns.
- Operations prioritize bypassing multi-factor authentication (MFA) by leveraging existing session tokens.
MITRE ATT&CK Mapping
- T1190: Exploitation of public-facing Citrix NetScaler applications.
- T1556: Modification of authentication processes via session hijacking.
- T1486: Execution of data encryption for impact and extortion.
Detection & Mitigation Strategies
- Prioritize immediate patching of all NetScaler ADC and Gateway appliances.
- Monitor for indicators of compromise, in particular anomalous session-token reuse and signs of memory disclosure.
- Implement zero-trust principles to restrict lateral movement from edge devices into core network segments.
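The session-token reuse check described above, as an added illustration that is not part of the original report: it parses constructed access-log lines in an assumed key=value layout (the real NetScaler log format differs and the regex must be adapted) and flags any session identifier presented by more than one distinct client, using source IP and user agent as the discriminating pair.

```python
import re
from collections import defaultdict

# Constructed sample lines in an ASSUMED key=value layout; adapt LINE_RE to
# the fields your appliance actually logs (client IP, session id, user agent).
SAMPLE_LOG = """\
ts=2025-06-25T10:00:01Z src=203.0.113.10 user=alice sess=7f3a9c ua=Firefox
ts=2025-06-25T10:00:15Z src=203.0.113.10 user=alice sess=7f3a9c ua=Firefox
ts=2025-06-25T10:01:02Z src=198.51.100.7 user=alice sess=7f3a9c ua=curl
ts=2025-06-25T10:02:30Z src=203.0.113.22 user=bob sess=b41e20 ua=Chrome
ts=2025-06-25T10:03:10Z src=203.0.113.22 user=bob sess=b41e20 ua=Chrome
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"sess=(?P<sess>\S+) ua=(?P<ua>\S+)"
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_shared_sessions(text):
    """Return {session_id: [((src, ua), first_seen), ...]} for every session
    token observed from more than one (source IP, user agent) pair, ordered by
    first sighting. One token driven by two distinct clients is the hallmark
    of a hijacked session; a legitimate user rarely changes both at once."""
    seen = defaultdict(dict)  # sess -> {(src, ua): first timestamp}
    for rec in parse_lines(text):
        seen[rec["sess"]].setdefault((rec["src"], rec["ua"]), rec["ts"])
    return {
        sess: sorted(clients.items(), key=lambda kv: kv[1])
        for sess, clients in seen.items()
        if len(clients) > 1
    }


if __name__ == "__main__":
    for sess, clients in find_shared_sessions(SAMPLE_LOG).items():
        print(f"ALERT: session {sess} used by {len(clients)} distinct clients")
        for (src, ua), first_seen in clients:
            print(f"  first seen {first_seen} from {src} ({ua})")
```

Because a leaked token lets the attacker skip the login step entirely, the authentication log shows nothing unusual; this post-authentication correlation is what surfaces the hijack.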