The Anubis Ransomware group is executing high-velocity exploitation of CVE-2025-5777, a critical vulnerability in Citrix NetScaler ADC/Gateway appliances, colloquially known as "Citrix Bleed 2." This vulnerability permits session token and memory disclosure, allowing attackers to bypass authentication and hijack active sessions. By targeting edge-facing infrastructure, Anubis circumvents traditional perimeter defenses to gain initial access, facilitating lateral movement and the subsequent deployment of ransomware payloads. This campaign marks a strategic shift toward leveraging N-day vulnerabilities in critical network appliances to conduct large-scale extortion and enterprise-wide encryption.

  • Vulnerability Mechanics: Citrix Bleed 2
    • CVE-2025-5777 enables sensitive memory disclosure and session token leakage within Citrix NetScaler appliances.
    • Attackers leverage leaked session data to perform authentication bypass and session hijacking.
    • The vulnerability sits in the core gateway/ADC layer, providing a direct path into the enterprise network.
  • Attack Vector: Deployment Lifecycle
    • Initial access is achieved through exploitation of the public-facing Citrix infrastructure.
    • Post-exploitation involves rapid lateral movement using stolen credentials and hijacked sessions.
    • The final stage utilizes Anubis-specific deployment toolsets for widespread ransomware execution.
  • Threat Actor Profile: Anubis Ransomware
    • Anubis focuses on high-impact, N-day vulnerabilities to facilitate rapid breach cycles.
    • The group targets diverse industry verticals through large-scale, automated exploitation campaigns.
    • Operations prioritize bypassing multi-factor authentication (MFA) by leveraging existing session tokens.
  • MITRE ATT&CK Mapping
    • T1190: Exploitation of public-facing Citrix NetScaler applications.
    • T1556: Modification of authentication processes via session hijacking.
    • T1486: Execution of data encryption for impact and extortion.
  • Detection & Mitigation Strategies
    • Prioritize immediate patching of all NetScaler ADC and Gateway appliances.
    • Monitor for IoCs associated with unusual session token re-use or memory disclosure anomalies.
    • Implement zero-trust principles to restrict lateral movement from edge devices into core network segments.
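The "unusual session token re-use" signal above is the one most worth operationalising, because a hijacked token used from an attacker's machine typically shows up as the same token appearing from a second source IP, or continuing to be used after the legitimate user logged out. The script below is an added example written for this briefing, not tooling from the original page or from Citrix; it runs two such rules over constructed gateway access log lines in an assumed `timestamp user src_ip session=TOKEN event` shape (the real NetScaler syslog format differs, so `parse_line()` is the part to adapt).

```python
"""Flag session-token reuse anomalies in gateway access logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an ASSUMED format, not real NetScaler output.
# tok-A1 is used from two different client IPs 90 seconds apart;
# tok-B2 is used again one minute after its owner logged out.
SAMPLE_LOGS = """\
2025-07-01T08:00:00Z alice 203.0.113.10 session=tok-A1 login
2025-07-01T08:05:00Z alice 203.0.113.10 session=tok-A1 request
2025-07-01T08:06:30Z alice 198.51.100.7 session=tok-A1 request
2025-07-01T09:00:00Z bob 192.0.2.44 session=tok-B2 login
2025-07-01T09:30:00Z bob 192.0.2.44 session=tok-B2 request
2025-07-01T09:40:00Z bob 192.0.2.44 session=tok-B2 logout
2025-07-01T09:41:00Z bob 192.0.2.44 session=tok-B2 request
"""


def parse_line(line):
    """Parse one assumed-format line into a dict (adapt for your appliance)."""
    ts, user, src, session, event = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "src": src,
        "token": session.removeprefix("session="),
        "event": event,
    }


def find_anomalies(lines, window=timedelta(minutes=30)):
    """Return one finding per (token, rule) that fires.

    Rule multi_ip: the same token is seen from more than one source IP
    within `window`. Rule post_logout: the token is used after a logout
    event for that token. Both are cheap, explainable hijack indicators.
    """
    by_token = defaultdict(list)
    for line in lines:
        if line.strip():
            evt = parse_line(line)
            by_token[evt["token"]].append(evt)

    findings = []
    for token, evts in by_token.items():
        evts.sort(key=lambda e: e["ts"])

        # multi_ip: compare each event against earlier events inside the window
        for i, cur in enumerate(evts):
            others = {p["src"] for p in evts[:i]
                      if cur["ts"] - p["ts"] <= window and p["src"] != cur["src"]}
            if others:
                findings.append({"token": token, "user": cur["user"],
                                 "reason": "multi_ip",
                                 "ips": sorted(others | {cur["src"]}),
                                 "at": cur["ts"]})
                break

        # post_logout: any activity after a logout for this token
        logged_out_at = None
        for evt in evts:
            if evt["event"] == "logout":
                logged_out_at = evt["ts"]
            elif logged_out_at is not None and evt["ts"] > logged_out_at:
                findings.append({"token": token, "user": evt["user"],
                                 "reason": "post_logout",
                                 "ips": [evt["src"]], "at": evt["ts"]})
                break
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOGS.splitlines()):
        print(f"{f['at'].isoformat()} {f['reason']:<11} user={f['user']} "
              f"token={f['token']} ips={','.join(f['ips'])}")
```

The window is deliberately a parameter: roaming users on mobile networks do change IP, so in production you would tune it, or swap the IP comparison for an ASN or geolocation comparison, before paging anyone on `multi_ip`. The `post_logout` rule has far fewer benign causes and is a stronger signal on its own.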