Hackers Launch 11.5 Million Attacks on CitrixBleed 2, Compromising Over 100 Organizations

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A massive wave of exploitation is targeting CitrixBleed 2 (CVE-2025-5777), a critical memory-disclosure flaw in NetScaler ADC and NetScaler Gateway, with over 11.5 million attack attempts recorded since its disclosure in June.

The campaign has successfully compromised more than 100 organizations worldwide, with attackers demonstrating sophisticated victim profiling and persistence techniques that have largely evaded detection.

[Figure: CitrixBleed 2 attack distribution, showing roughly 40% of the 11.5 million attacks targeting the financial services sector]

Financial Services Industry Under Siege

The attack data reveals a disturbing pattern of targeted exploitation, with financial services organizations bearing the brunt of malicious activity.

According to Imperva’s threat intelligence, nearly 40% of all attack attempts have specifically targeted financial services infrastructure, representing approximately 4.6 million attacks against this critical sector.

The remaining 60% of attacks have spread across other industries, indicating both targeted and opportunistic exploitation patterns.

Security researcher Kevin Beaumont, who first coined the term “CitrixBleed 2,” reported that attackers have been “carefully selecting victims, profiling NetScaler before attacking to make sure it is a real box”.

This methodical approach has enabled threat actors to avoid honeypots and focus their efforts on legitimate enterprise infrastructure.

The vulnerability’s exploitation timeline demonstrates a concerning gap between initial attacks and public awareness.

GreyNoise’s honeypot data confirms that active exploitation began on June 23, 2025, nearly two weeks before proof-of-concept exploits were publicly released on July 4.

This early exploitation window allowed attackers to establish footholds in victim networks before organizations became aware of the threat.

Despite mounting evidence of active exploitation, Citrix maintained until July 11 that there was “no evidence to suggest exploitation of CVE-2025-5777”.

The company only updated its advisory after CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog with an unprecedented 24-hour patching mandate for federal agencies.

Ransomware Groups Exploit Healthcare Targets

Intelligence sources have confirmed that at least one ransomware group has been leveraging the vulnerability for initial access since June.

Beaumont disclosed that a healthcare organization fell victim to such an attack, though the victim requested anonymity due to ongoing remediation efforts.

One IP address associated with recent exploitation activity (64.176.50.109) has been previously linked to RansomHub ransomware operations by CISA.

The exploitation techniques observed include data collection from user Citrix sessions and the installation of legitimate MSP administrative tools for persistence. Significantly, these attacks have “triggered no alerts in their security stack,” highlighting the stealthy nature of the compromise.

Security experts have criticized Citrix’s handling of the vulnerability disclosure and remediation guidance.

The company’s patching instructions do not cover clearing existing session tokens, a critical step: because the flaw leaks session tokens, a token stolen before the patch remains valid until its session is terminated, so organizations remain exposed to session hijacking even after applying the fix. This oversight mirrors similar issues identified during the original CitrixBleed vulnerability (CVE-2023-4966) in 2023.

Furthermore, Citrix’s own Web Application Firewall product lacks detection for this vulnerability, and the company has claimed that WAF solutions cannot effectively mitigate the threat.

That claim is contradicted by other major security vendors, including Akamai and Imperva, who have implemented detection mechanisms for it.

Researchers have identified several IP addresses associated with active exploitation campaigns, including 139.162.47.194, 38.180.148.215, 102.129.235.108, 121.237.80.241, and 45.135.232.2.

GreyNoise data shows 22 unique malicious IP addresses have been observed attempting exploitation, with activity originating from China, Russia, South Korea, and the United States.
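Turning the indicators above into something a SOC can run: the following added example (not code from the article, Imperva or GreyNoise) matches the listed source IPs against constructed, Apache-style access-log lines and flags any single source that hammers the pre-authentication login endpoint without ever logging in. The endpoint path, the log format, the threshold and the rule that a 302 marks a successful login are assumptions for the demo, to be adapted to your own log pipeline.

```python
"""Triage constructed NetScaler access-log lines for CitrixBleed 2 activity.

Added example (not code from the article, Imperva or GreyNoise). It matches the
source IPs the article lists as indicators and flags one assumed request shape:
a burst of POSTs to the pre-authentication login endpoint from a single source
with no successful login. The Apache-style log format, the endpoint path and
the "302 means success" rule are assumptions for the demo, not the appliance's
documented behaviour; adapt them to your own log pipeline.
"""
import re
from collections import defaultdict

# Source IPs named in the article as associated with exploitation.
IOC_IPS = {
    "64.176.50.109",    # previously linked to RansomHub by CISA, per the article
    "139.162.47.194",
    "38.180.148.215",
    "102.129.235.108",
    "121.237.80.241",
    "45.135.232.2",
}

AUTH_ENDPOINT = "/p/u/doAuthentication.do"  # assumed: NetScaler Gateway login handler
POST_THRESHOLD = 5                           # assumed tuning knob
IOC_REASON = "known exploitation IP (article IOC)"

# Assumed Apache/NCSA-style line: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Map each suspicious source IP to the list of reasons it was flagged."""
    findings = defaultdict(list)
    posts = defaultdict(int)       # POSTs to the login endpoint per IP
    successes = defaultdict(int)   # assumed: a 302 after login means success
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if ip in IOC_IPS and IOC_REASON not in findings[ip]:
            findings[ip].append(IOC_REASON)
        if rec["method"] == "POST" and rec["path"] == AUTH_ENDPOINT:
            posts[ip] += 1
            if rec["status"] == 302:
                successes[ip] += 1
    for ip, n in posts.items():
        if n >= POST_THRESHOLD and successes[ip] == 0:
            findings[ip].append(f"{n} POSTs to {AUTH_ENDPOINT} with no successful login")
    return dict(findings)


def _line(ip, method, path, status, sec):
    """Build one constructed log line."""
    return (f'{ip} - - [17/Jul/2025:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1532')


# Constructed sample log: one article IOC hammering the login endpoint, one
# unrelated host retrying then logging in, one normal user, one IOC only probing.
SAMPLE_LOG = (
    [_line("139.162.47.194", "POST", AUTH_ENDPOINT, 200, i) for i in range(6)]
    + [_line("203.0.113.7", "POST", AUTH_ENDPOINT, 200, i) for i in range(5)]
    + [_line("203.0.113.7", "POST", AUTH_ENDPOINT, 302, 5)]
    + [_line("10.0.0.5", "GET", "/vpn/index.html", 200, 7),
       _line("10.0.0.5", "POST", AUTH_ENDPOINT, 302, 8),
       _line("64.176.50.109", "GET", "/vpn/index.html", 200, 9)]
)


def demo():
    """Run triage over the constructed sample and return the findings."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for ip, reasons in demo().items():
        print(ip, "->", "; ".join(reasons))
```

The two rules are deliberately independent: an IOC hit is reported even for a single probe (the article notes attackers profile appliances before exploiting them), while the burst rule catches sources not yet on any list. Whether a real deployment sees a 302 or a 200 on successful login depends on the authentication flow, so check that rule against your own appliance's logs before relying on it.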

With nearly 4,700 NetScaler instances remaining unpatched as of July 17, according to The Shadowserver Foundation, organizations must immediately prioritize remediation efforts.

Because the flaw is exploitable before authentication and leaks session tokens that let an attacker bypass multi-factor authentication outright, it is particularly dangerous for enterprise environments relying on NetScaler appliances for secure remote access.
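As an added practical check (my example, not Citrix’s tooling or anything from the article): a build-version test against the fixed releases Citrix lists in advisory CTX693420, paired with the session-termination step that the patching instructions discussed above leave out. The `show version` line format, the FIPS/NDcPP flag and the exact clean-up command set are assumptions to confirm against Citrix’s current guidance for your release line.

```python
"""Decide whether a NetScaler build is fixed for CVE-2025-5777, and list the
session clean-up that patching alone does not do.

Added example, not code from Citrix or from the article. The fixed builds are
the ones Citrix published in advisory CTX693420; the "show version" line format
and the explicit FIPS/NDcPP flag are assumptions for the demo. 12.1 and 13.0
(non-FIPS) are end of life and received no fix.
"""
import re

# Release line (major, fips_or_ndcpp) -> first fixed build (build major, minor).
FIXED_BUILDS = {
    ("14.1", False): (47, 46),    # 14.1-47.46
    ("13.1", False): (59, 19),    # 13.1-59.19
    ("13.1", True): (37, 235),    # 13.1-FIPS and 13.1-NDcPP 13.1-37.235
    ("12.1", True): (55, 328),    # 12.1-FIPS 12.1-55.328
}
EOL_LINES = {"12.1", "13.0"}      # non-FIPS lines with no fix available

# Assumed first line of `show version`: "NetScaler NS14.1: Build 47.46.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<line>\d+\.\d+): Build (?P<build>\d+\.\d+)")

# NetScaler CLI commands that terminate existing sessions. A token stolen
# before the upgrade stays valid until its session is killed, so run these
# after patching; confirm the set against Citrix's current guidance (assumption).
SESSION_CLEANUP = (
    "kill icaconnection -all",
    "kill rdp connection -all",
    "kill pcoipConnection -all",
    "kill aaa session -all",
    "clear lb persistentSessions",
)


def parse_version(show_version_output):
    """Return (release_line, (build_major, build_minor)) from `show version` text."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised show version output")
    b_major, b_minor = (int(x) for x in m.group("build").split("."))
    return m.group("line"), (b_major, b_minor)


def assess(show_version_output, fips=False):
    """Return 'patched', 'vulnerable', 'eol' (vulnerable, no fix) or 'unknown'."""
    line, build = parse_version(show_version_output)
    fixed = FIXED_BUILDS.get((line, fips))
    if fixed is None:
        return "eol" if line in EOL_LINES else "unknown"
    return "patched" if build >= fixed else "vulnerable"


def remediation_plan(show_version_output, fips=False):
    """Combine the build check with the post-upgrade session clean-up."""
    state = assess(show_version_output, fips)
    steps = []
    if state == "vulnerable":
        steps.append("upgrade to a fixed build")
    elif state == "eol":
        steps.append("migrate off an end-of-life release line")
    # Sessions issued before the fix must be terminated in every case.
    steps.extend(SESSION_CLEANUP)
    return state, steps


if __name__ == "__main__":
    for text, fips in [("NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025", False),
                       ("NetScaler NS13.1: Build 58.32.nc", False),
                       ("NetScaler NS13.1: Build 37.235.nc", True),
                       ("NetScaler NS13.0: Build 92.21.nc", False)]:
        print(text, "->", remediation_plan(text, fips))
```

The point of `remediation_plan` returning the clean-up commands even for a “patched” appliance is the article’s own caveat: a fixed binary stops new leaks, but every session token leaked before the upgrade keeps working until that session is terminated, and the attackers described here were living on stolen sessions without tripping any alerts.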
