CitrixBleed 2 Under Active Attack: Hackers Bypass MFA, Hijack Sessions, and Deploy Ransomware + Video

Listen to this Post

Featured ImageIntroduction: A Dangerous New Wave of Citrix Attacks

Cybercriminals continue to evolve faster than many organizations can defend themselves. The latest campaigns targeting Citrix NetScaler appliances demonstrate just how dangerous modern session hijacking has become. Instead of stealing passwords or cracking multi-factor authentication (MFA), attackers are now stealing authenticated sessions themselves, allowing them to walk directly into enterprise networks as legitimate users.

Security researchers have linked multiple real-world intrusions to CVE-2025-5777, widely known as CitrixBleed 2, a vulnerability capable of leaking sensitive memory from vulnerable Citrix NetScaler devices. Once attackers recover active session tokens, they can bypass MFA entirely, escalate privileges, establish persistence, and in some cases deploy ransomware. The attacks observed across several industries prove that this is no longer a theoretical security issue—it is an active and repeatable attack campaign targeting exposed enterprise infrastructure.

Attack Campaign Overview

Between January and June 2026, incident responders investigated at least six confirmed compromises affecting unrelated organizations operating vulnerable Citrix NetScaler environments. Although each victim belonged to different industries, the attack methodology remained remarkably consistent.

Every intrusion began by targeting internet-facing Citrix NetScaler Gateway systems. From there, attackers hijacked legitimate authenticated sessions before expanding their access through privilege escalation, creation of unauthorized administrator accounts, deployment of remote administration utilities, and finally ransomware execution in at least one confirmed incident involving the DragonForce ransomware family.

Investigators believe these operations are being conducted either by an experienced Initial Access Broker or ransomware affiliates using a standardized attack playbook designed for rapid compromise.

Understanding CitrixBleed 2

CitrixBleed 2, officially tracked as CVE-2025-5777, is a pre-authentication memory-overread vulnerability affecting Citrix NetScaler ADC and Gateway appliances configured as Gateway or AAA virtual servers.

Unlike traditional authentication bypass vulnerabilities, this flaw allows attackers to retrieve fragments of appliance memory without first logging into the system.

The exploit works by sending specially crafted POST requests to authentication endpoints such as:

/p/u/doAuthentication.do

By submitting malformed requests containing an empty login parameter, the appliance unintentionally returns nearby memory contents.

Each response only leaks a small portion of memory, but attackers automate thousands of requests over several hours. Eventually those leaked fragments contain valuable information including authenticated session tokens.

How Attackers Bypass Multi-Factor Authentication

One of the most alarming aspects of CitrixBleed 2 is that attackers never actually defeat MFA.

Instead, they simply steal session tokens that were already authenticated by legitimate users.

Once a valid session token is extracted from appliance memory, attackers replay it against the Citrix Gateway.

Because the session has already passed MFA verification, the appliance treats the attacker as the legitimate user.

During one investigation, analysts observed a legitimate employee successfully logging in through LDAP authentication and completing MFA from their normal IP address.

Only twenty-one minutes later, the exact same authenticated session appeared active from an attacker-controlled IP address—even though no successful login occurred from that malicious location.

This strongly indicates session token theft rather than credential compromise.

Evidence Found During Investigations

Researchers uncovered significant forensic evidence supporting exploitation of CitrixBleed 2.

One compromised environment recorded approximately 5,937 AAA LOGIN_FAILED events originating from attacker-controlled infrastructure within roughly five hours.

Unlike ordinary failed login attempts, many of these events contained unreadable binary characters.

Further investigation revealed those binary values were actually fragments of leaked NetScaler memory.

Additional leaked information included:

Internal IP addresses

HTTP request headers

Citrix proxy metadata

X.509 certificate information

Appliance memory structures

Authentication-related data

Although investigators were unable to recover a complete session cookie directly from logs, the attack timeline strongly supports successful token theft.

Post-Compromise Activities

Once attackers successfully hijacked an authenticated Citrix session, they behaved like legitimate users inside the environment.

Rather than immediately deploying malware, they carefully expanded their access.

The attackers commonly performed the following actions:

Privilege escalation to NT AUTHORITYSYSTEM

Creation of unauthorized administrator accounts

Installation of remote management utilities

Establishment of long-term persistence

Lateral movement inside corporate networks

Preparation for ransomware deployment

The privilege escalation stage frequently relied on unsigned portable executables disguised with innocent filenames such as:

eng.exe

legal.exe

as.exe

exsym.exe

These tools were often distributed through password-protected archives downloaded from temporary file-sharing services.

Investigators even recovered one archive password used repeatedly by attackers: loko123.

Known Indicators of Compromise

Researchers identified multiple malicious administrator accounts repeatedly created during these attacks.

Known indicators include:

ctxsvc

CtxAppVCOMService

Organizations discovering these accounts should immediately investigate for possible compromise.

Security teams are also encouraged to inspect NetScaler authentication logs for abnormal LOGIN_FAILED events containing binary or unreadable data, unusual authenticated sessions originating from unfamiliar IP addresses, and unexpected administrator account creation.

Deep Analysis

Command 1: Why CitrixBleed 2 Is More Dangerous Than Traditional Credential Theft

Unlike password-stealing malware, this vulnerability attacks the authentication process itself. Organizations often believe MFA provides complete protection, but session hijacking demonstrates that authentication is only secure until the session token is stolen. Once a valid token exists, attackers no longer need passwords, phishing campaigns, or MFA codes.

Command 2: Why Initial Access Brokers Love This Vulnerability

Initial Access Brokers specialize in obtaining corporate access and selling it to ransomware groups. CitrixBleed 2 provides exactly the type of scalable entry point they seek. Instead of compromising endpoints individually, they can harvest enterprise access directly from exposed gateways and monetize it rapidly.

Command 3: The Importance of Internet-Facing Infrastructure

Every confirmed intrusion started from publicly exposed Citrix Gateway systems. This reinforces a long-standing cybersecurity principle: internet-facing infrastructure is the highest-risk attack surface. Any critical remote access service should receive security patches immediately after release.

Command 4: Why Session Security Needs More Attention

Many organizations focus heavily on password security while overlooking session management. Long-lived authentication tokens significantly increase risk because stolen sessions remain valid even after attackers obtain them. Shorter session lifetimes, continuous authentication, and anomaly detection can reduce this exposure.

Command 5: Ransomware Operators Are Becoming More Patient

Rather than encrypting systems immediately, modern ransomware groups increasingly spend days or weeks performing reconnaissance, privilege escalation, persistence, and data collection. The observed activity in these attacks follows that exact operational model.

Command 6: Memory Disclosure Vulnerabilities Are Underestimated

Although memory disclosure bugs may initially appear less severe than remote code execution vulnerabilities, they often expose authentication secrets, encryption material, certificates, and session identifiers. As demonstrated here, information leakage alone can be enough to compromise entire enterprise environments.

What Undercode Say:

The CitrixBleed 2 campaign highlights a growing shift in attacker strategy—from stealing identities to stealing trusted sessions. This evolution changes how organizations should think about authentication security.

MFA remains one of the strongest security controls available, but it is not designed to defend against stolen session tokens. Once authentication is complete, the session itself becomes a valuable target.

The consistency across multiple incidents suggests that attackers have refined their workflow into an automated operation. This is no longer opportunistic hacking; it is an industrialized process that can be repeated against vulnerable organizations worldwide.

Another important observation is the role of Initial Access Brokers. These actors rarely deploy ransomware themselves. Instead, they specialize in gaining entry, maintaining persistence, and selling that access to financially motivated cybercriminals. This business model has significantly accelerated ransomware operations over the last several years.

The privilege escalation phase demonstrates that attackers continue to rely on lightweight portable tools rather than sophisticated malware. Simple unsigned executables often evade detection because they blend into legitimate administrative activity.

The discovery of repeated malicious administrator account names provides defenders with valuable detection opportunities. However, defenders should avoid relying solely on indicators of compromise because attackers can easily change filenames and account names.

Behavior-based monitoring remains far more effective than signature-based detection. Unexpected administrator creation, impossible travel between IP addresses, abnormal authentication events, and unusual privilege escalation should all trigger immediate investigations.

Organizations should also reconsider session management policies. Long authentication lifetimes provide attackers with a wider window to exploit stolen tokens. Continuous validation of user identity and adaptive access controls can significantly reduce this risk.

Patch management remains one of the simplest yet most effective defenses. Vulnerabilities affecting internet-facing authentication systems should always receive the highest deployment priority because they provide attackers with direct access to enterprise networks.

Finally, the incident serves as another reminder that ransomware attacks rarely begin with ransomware itself. The encryption stage is simply the final act in a much longer intrusion that often starts with a single overlooked vulnerability.

✅ Confirmed: CVE-2025-5777 (CitrixBleed 2) is a publicly documented memory-overread vulnerability affecting vulnerable Citrix NetScaler appliances and has been associated with active exploitation.

✅ Confirmed: The described attack chain—session token theft, MFA bypass through session replay, privilege escalation, unauthorized administrator creation, and ransomware deployment—is consistent with publicly reported incident response investigations.

❌ Not Fully Verified: While investigators strongly attribute the activity to an Initial Access Broker or ransomware affiliate, this attribution remains an assessment based on observed tactics rather than publicly confirmed identification of a specific threat actor.

Prediction

(+1) Organizations that rapidly patch vulnerable Citrix NetScaler systems, monitor authentication anomalies, implement continuous session validation, and reduce session lifetimes will significantly decrease their exposure to similar attacks over the coming years.

(-1) Attackers are likely to continue targeting authentication infrastructure instead of user credentials. Session hijacking techniques will become increasingly common, and organizations that delay security updates or rely solely on MFA without monitoring session integrity may face more frequent ransomware incidents and large-scale enterprise compromises.

▶️ Related Video (82% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube