Key Takeaways

  • An initial access broker is actively abusing the CitrixBleed2 vulnerability to sell footholds into enterprise networks
  • DragonForce ransomware operators are using these purchased access points to conduct full compromise and encryption events
  • Researchers warn that session token theft and MFA bypass tied to CVE-2025-5777 are accelerating the ransomware economy

The growing overlap between initial access brokers and ransomware crews took another step forward as researchers outlined how a single broker has been aggressively exploiting the CitrixBleed2 vulnerability in Citrix NetScaler ADC and Gateway. Huntress documented the activity in new findings, noting that the most advanced observed cases involved deployment of DragonForce ransomware inside compromised environments.

CitrixBleed2, tracked as CVE-2025-5777, entered the public vulnerability conversation in mid-2025 when CISA placed it in the Known Exploited Vulnerabilities catalog. The flaw enables an out-of-bounds read condition that allows attackers to pull session tokens and bypass MFA on Gateway or AAA virtual server configurations. It is rated at CVSS 9.3.

These initial access brokers focus on gaining footholds through exposed services, VPN appliances, or remote access infrastructure, then selling that access to ransomware groups. Multiple industry analysts, including the team behind the ENISA Threat Landscape, have pointed out that remote service exploitation remains one of the most common ransomware precursors, and Citrix NetScaler appliances sit directly in that category.

The activity Huntress described fits that pattern. The broker has been conducting automated exploitation of CitrixBleed2 across enterprise networks, harvesting active session tokens and quietly validating which environments can be monetized. Some tokens lead to immediate credential replay, while others yield administrative access after minor privilege escalation steps. Once validated, these access points are sold to ransomware crews such as DragonForce and Anubis.

Telemetry referenced by DoublePulsar researchers tracks more than 120 active CitrixBleed2 victims tied to a single threat actor’s infrastructure. This volume demonstrates the speed at which a vulnerability can be turned into commodity access. It also mirrors what happened with the original Citrix Bleed vulnerability, CVE-2023-4966, which at least four threat groups exploited as a zero-day, according to background analysis from ReliaQuest.

Organizations already using SIEM or XDR tools have been watching for suspicious NetScaler authentication behaviors since CitrixBleed first circulated publicly. Splunk’s own guidance highlights patterns such as sudden surges in session token generation or unexpected authentication successes from geographies never before seen within a given tenant.

Many practitioners fall back on established frameworks that help prioritize risk. The NIST Cybersecurity Framework offers structured guidance for identifying, protecting, detecting, and responding to threats in remote access systems. Meanwhile, MITRE ATT&CK maps the exploitation activity directly to known TTPs, including token theft, exploitation for privilege escalation, and exfiltration over web services. With this mapping, defenders can translate a vulnerability like CitrixBleed2 into concrete defensive controls.

Segmentation of Gateway appliances from the broader internal network can slow down lateral movement if an attacker gains access to an administrator session. Enhanced session lifetimes, more aggressive log retention for authentication events, and proactive scanning for exposed NetScaler interfaces also help. Many MDR providers such as Huntress and ReliaQuest have been refining heuristic detection for suspicious NetScaler behavior because the exploitation technique tends to leave recognizable patterns.

Gartner’s security market researchers have suggested that the ransomware ecosystem increasingly treats access points like tradeable commodities. That insight aligns with Cybereason’s earlier observations citing Digital Shadows data that remote desktop access alone accounted for more than 50% of ransomware incidents. When a vulnerability like CitrixBleed2 emerges, it gives brokers a particularly efficient product to sell.

The rapid operationalization of CitrixBleed2 recalls earlier eras when VPN appliances were systematically targeted, but the current threat operates at a much larger scale. Automated scanners sweep the internet for vulnerable NetScaler instances, and within hours attackers may be inside with session token artifacts in hand. If a broker decides an environment looks profitable, the path from breach to ransomware deployment can be far shorter than many teams expect.

Enterprises that depend heavily on Citrix NetScaler infrastructure must continually evaluate their remote access strategy. Even though vendors will continue patching vulnerabilities, the incentive structure for brokers and ransomware groups remains highly profitable. With ENISA warning that ransomware remains Europe’s top cyber threat and industry guidance from MITRE and NIST emphasizing proactive detection, the CitrixBleed2 cycle serves as a reminder that remote access appliances demand constant attention.

Ransomware crews such as DragonForce simply accelerate what was already an entrenched business model. The initial access broker’s exploitation of CitrixBleed2 shows how quickly a single flaw can ripple across global networks. Monitoring, segmentation, and rapid patching can reduce risks, although none of those measures completely remove the appeal of these appliances to attackers.