A massive wave of exploitation is targeting the critical CitrixBleed 2 vulnerability (CVE-2025-5777), with over 11.5 million attack attempts recorded since its disclosure in June. The attack data reveals a disturbing pattern of targeted exploitation, with financial services organizations bearing the brunt of the malicious activity. According to Imperva’s threat intelligence, nearly 40% of all attack attempts have specifically targeted financial services infrastructure, representing approximately 4.6 million attacks against this critical sector. The remaining 60% of attacks have spread across other industries, indicating both targeted and opportunistic exploitation patterns.

GreyNoise data shows 22 unique malicious IP addresses have been observed attempting exploitation, with activity originating from China, Russia, South Korea, and the United States. One IP address associated with recent exploitation activity (64.176.50.109) has previously been linked to RansomHub ransomware operations by CISA. GreyNoise’s honeypot data confirms that active exploitation began on June 23, 2025, nearly two weeks before proof-of-concept exploits were publicly released on July 4. This early exploitation window allowed attackers to establish footholds in victim networks before organizations became aware of the threat. The vulnerability’s exploitation timeline demonstrates a concerning gap between initial attacks and public awareness.

Security researcher Kevin Beaumont, who first coined the term “CitrixBleed 2,” reported that attackers have been “carefully selecting victims, profiling NetScaler before attacking to make sure it is a real box”. “I’m tracking 128 active CitrixBleed 2 victims in telemetry, today, from attacker infrastructure (one threat actor group),” Beaumont wrote. The exploitation techniques observed include data collection from user Citrix sessions and the installation of legitimate MSP administrative tools for persistence. The campaign has successfully compromised more than 100 organizations worldwide, with attackers demonstrating sophisticated victim profiling and persistence techniques that have largely evaded detection. Intelligence sources have confirmed that at least one ransomware group has been leveraging the vulnerability for initial access since June. Beaumont disclosed that a healthcare organization fell victim to such an attack, though the victim requested anonymity due to ongoing remediation efforts. Significantly, these attacks have “triggered no alerts in their security stack,” highlighting the stealthy nature of the compromise.

Despite mounting evidence of active exploitation, Citrix maintained until July 11 that there was “no evidence to suggest exploitation of CVE-2025-5777”. The company only updated its advisory after CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog with an unprecedented 24-hour patching mandate for federal agencies. Security experts have criticized Citrix’s handling of the vulnerability disclosure and remediation guidance. The company’s patching instructions fail to address session cookie clearance, a critical step whose omission leaves organizations vulnerable to session hijacking even after applying patches. Furthermore, Citrix’s own Web Application Firewall product lacks detection capabilities for this vulnerability, despite the company’s claims that WAF solutions cannot effectively mitigate the threat.

With nearly 4,700 NetScaler instances remaining unpatched as of July 17, according to The Shadowserver Foundation, organizations must immediately prioritize remediation efforts.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 18 Jul 2025 11:45:14 +0000