Citrix Bleed 2 Ransomware: The Full 2026 Breakdown
Your NetScaler is patched, so you’re safe, right? Not quite. Attackers running Citrix Bleed 2 ransomware campaigns steal session tokens that stay valid even after you patch. Here is what happened, who is behind it, and what to do now.
Citrix Bleed 2 (CVE-2025-5777) is a critical NetScaler flaw that leaks session tokens from memory. The Anubis ransomware group has used it to bypass MFA and hit 91 victims. Patching alone does not close the door. You must kill active sessions too.
What Is Citrix Bleed 2 Ransomware?
Citrix Bleed 2 ransomware refers to ransomware attacks that use CVE-2025-5777 as the entry point. CVE-2025-5777 is a pre-authentication memory disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances. The name comes from its close resemblance to the original Citrix Bleed (CVE-2023-4966) from 2023.
The flaw itself is not ransomware. It is the crowbar. Attackers pry open the door with it, walk in, and deploy ransomware once inside. Security researcher Kevin Beaumont coined the “Citrix Bleed 2” label because the two bugs behave so similarly.
Here is the mechanism in plain terms. The backend parser hands back an uninitialized local variable that was supposed to hold the username from the login parameter. When the input is partially formed or missing, the server responds with whatever residual data sat in that memory space. That leaked data can include live session tokens.
Why It Matters More Than a Typical CVE
Most vulnerabilities require a password, a click, or a trick. This one does not. The exploitation mechanism does not require guessing a password, bypassing a CAPTCHA, or fooling a user.
That changes the math for defenders. There is no phishing email to spot and no weak credential to blame. An attacker just sends a malformed login request and reads the memory that leaks back.
The scale confirms the risk. Internet scanning firm Censys documented 69,237 exposed instances at the time of disclosure in June 2025. Threat intelligence firm Imperva recorded more than 11.5 million attack attempts targeting the flaw, with 39.1% aimed at the financial services industry.
This pattern of stolen credentials and access-broker activity echoes what I covered in the insider-driven Coinbase incident earlier this year, where the entry point mattered less than what happened after.
Which NetScaler Devices Are Affected?
The flaw only triggers under specific configurations. It is present only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. Default configurations are unaffected, so the subset of exposed appliances is narrower than the full NetScaler population.
Still, that narrower subset is a large target. And older gear has no way out. Organizations running versions 12.1 and 13.0, both End-of-Life as of 2025, have no patch available and remain permanently vulnerable.
The issue impacts devices in versions prior to 14.1-43.56, 13.1-58.32, 13.1-37.235-FIPS/NDcPP, and 12.1-55.328-FIPS. If you run an EOL build, patching is not an option. Replacement is.
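The build list above is awkward to check by hand across a fleet, because the FIPS/NDcPP lines of 13.1 and 12.1 have their own fixed builds and non-FIPS 12.1 and 13.0 have none at all. The following is an added example, not Citrix's tooling or anything from the article: a small Python parser that turns a version string into a patch status using only the fixed builds quoted above, plus the Gateway/AAA configuration condition from the previous paragraph. It assumes the version is written as in the advisory ("14.1-43.56", "13.1-37.235-FIPS") or, as a labelled assumption about `show version` output, with an "NS" prefix and ".nc" suffix. Hostnames and builds in the sample inventory are constructed.

```python
import re
from typing import Tuple

# Minimum fixed builds quoted in the article for CVE-2025-5777, keyed by
# (release branch, FIPS/NDcPP line). Any lower build on that line is vulnerable.
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1 FIPS/NDcPP line
    ("12.1", True): (55, 328),   # 12.1 FIPS line
}
# Non-FIPS 12.1 and 13.0 are End-of-Life: no patch exists, only replacement.
EOL_BRANCHES = {"12.1", "13.0"}

# Accepts the advisory's "14.1-43.56" form; the optional "NS" prefix and
# ".nc" suffix are an assumption about how `show version` prints builds.
VERSION_RE = re.compile(
    r"^(?:NS)?(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?(?:\.nc)?$",
    re.IGNORECASE,
)


def parse_build(version: str) -> Tuple[str, Tuple[int, int], bool]:
    """Return (branch, (build_major, build_minor), is_fips_or_ndcpp)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch, b1, b2, suffix = m.groups()
    # Compare builds as integer tuples: 43.56 is newer than 43.7, not older.
    return branch, (int(b1), int(b2)), suffix is not None


def assess(version: str, gateway_or_aaa: bool = True) -> str:
    """Classify one appliance for CVE-2025-5777 exposure.

    gateway_or_aaa: True when the box is configured as a Gateway (VPN vserver,
    ICA Proxy, CVPN, RDP Proxy) or as an AAA vserver; the flaw only triggers
    in those configurations, so a vulnerable build elsewhere is lower priority.
    """
    branch, build, fips = parse_build(version)
    key = (branch, fips)
    if key in FIXED_BUILDS:
        if build >= FIXED_BUILDS[key]:
            return "patched"
        status = "vulnerable"
    elif branch in EOL_BRANCHES and not fips:
        status = "eol-no-patch"
    else:
        return "unknown-branch"   # not in the article's list; check CTX693420
    if not gateway_or_aaa:
        return status + "-but-unexposed-config"
    return status


def triage(inventory):
    """inventory: iterable of (hostname, version, gateway_or_aaa) -> {host: status}."""
    return {host: assess(version, exposed) for host, version, exposed in inventory}


# Constructed sample inventory (not real hosts or builds).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-43.50", True),
    ("ns-gw-02", "NS14.1-43.56.nc", True),
    ("ns-aaa-03", "13.1-37.200-FIPS", True),
    ("ns-lb-04", "13.0-92.21", False),
    ("ns-old-05", "12.1-65.39", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

A "patched" result from this check is only the first half of the work; the session-termination steps described later in the article still apply to every box that was exposed before the fix landed.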
How the Timeline Unfolded
The path from disclosure to mass exploitation moved fast. Here is the sequence.
Citrix disclosed the vulnerability on June 17, 2025, and expanded the scope with patches by June 23. The first warning of active exploitation came from ReliaQuest on June 27. On July 7, researchers at watchTowr and Horizon3 published proof-of-concept exploits demonstrating how the flaw steals session tokens.
Then federal action landed. CISA added CVE-2025-5777 to its Known Exploited Vulnerabilities catalog on July 10, 2025, officially confirming active exploitation. The urgency was unusual. CISA gave federal agencies just one day to apply fixes, an unprecedented deadline in the KEV catalog's history.
Worse, the attacks predated the public warnings. GreyNoise reports that exploitation occurred as early as two weeks before proof-of-concept exploit code was publicly available.

Who Is Behind the Citrix Bleed 2 Ransomware Attacks?
The group tied most directly to Citrix Bleed 2 ransomware is Anubis. Anubis is a ransomware-as-a-service (RaaS) group that first emerged in late 2024 as a rebrand of Sphinx ransomware. It was formally announced on the RAMP underground forum in February 2025.
The toll is significant. Arctic Wolf Labs published its full investigation on July 1, 2026, and Anubis has claimed 91 victims, 11 of them in June 2026 alone. More than half of the 91 confirmed victims are US-based, with the remainder concentrated in the United Kingdom, Australia, France, and Canada.
Anubis is not the only actor circling this flaw. One of the IP addresses executing attacks in mid-June was previously linked to the RansomHub ransomware group by CISA. RansomHub’s fingerprints on early activity show how quickly multiple crews adopt a working exploit.
How the Attack Chain Works
Anubis affiliates follow a repeatable playbook. The Citrix Bleed 2 ransomware chain has clear, observable stages, and each one is a chance to catch it.
Initial access. Since the start of 2026, Arctic Wolf has investigated Anubis intrusions involving both valid VPN credential use and exploitation of Citrix Bleed 2. Valid Cisco AnyConnect VPN logins were also observed from hosting ASNs, including AS20473 (The Constant Company) and AS55286 (ServerMania).
Lateral movement. Malicious VPN authentication was followed by RDP and SMB activity, leading to credential access, PsExec service creation, and RMM deployment. Attackers targeted high-value infrastructure such as domain controllers, hypervisors, backup-adjacent systems, and NAS devices.
Persistence via legitimate tools. This is the part that makes detection hard. Anubis affiliates repeatedly abused legitimate remote management tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to blend in with normal IT activity.
Exfiltration and evasion. Tools like S3 Browser, rclone, s5cmd, WinSCP, and PuTTY were installed for data transfer before ransomware deployment. Defense evasion included Windows Defender real-time protection disablement, SophosUninstall activity, PCHunter-related artifacts, and log clearing across multiple systems.
The reliance on trusted software is the real lesson here. The finding that demands structural attention is the systematic weaponization of legitimate commercial RMM software to create persistence that is nearly indistinguishable from routine IT activity. This living-off-the-land pattern is exactly the kind of threat I flagged when covering broader software supply chain risks and their fixes.

Real Victims and Real Damage
The victims are not abstract. Singing River Health System in Mississippi confirmed in February 2026 that a December 2025 breach affected approximately 53,888 patients, exposing Social Security numbers, dates of birth, treatment records, medication lists, and bank account information. It was the network’s second ransomware breach in two years.
Another case shows the negotiation pattern. In April 2026, Anubis claimed to have stolen two terabytes of patient data from Massachusetts-based Signature Healthcare, then removed the victim from its leak site, a pattern that typically indicates ransom negotiation.
Arctic Wolf documented intrusions across healthcare, financial services, manufacturing, and technology sectors throughout 2026.
Why Patching Alone Does Not Fix Citrix Bleed 2 Ransomware Risk
Patching the appliance is necessary. It is not sufficient. This is the single most misunderstood point about Citrix Bleed 2 ransomware defense.
Tokens extracted before the patch was applied remain valid until explicitly revoked. An attacker who grabbed a token last week can still walk in today, even on a fully patched box, and no antivirus signature flags the legitimate ScreenConnect installer they drop next.
Citrix’s guidance is explicit. After applying the fix, administrators must run kill icaconnection -all, kill pcoipConnection -all, and clear aaa session -all on the NetScaler CLI. Skip these and you leave attacker-established sessions alive in memory.
Even those three commands may not be enough. According to Kevin Beaumont, the original commands to clear ICA and PCoIP connections are insufficient to fully mitigate the vulnerability. RDP, AAA, and Load Balancing persistent sessions should also be terminated, since the original commands do not account for all leaked session cookies.
What to Do Right Now
Here is the direct action list. Do these in order.
First, confirm your patch status. Verify patch status against the specific vulnerable builds documented in Citrix advisory CTX693420. If you run EOL versions 12.1 or 13.0, plan an upgrade immediately, because no patch exists for those.
Second, kill every session after patching. Run the three CLI commands, then terminate RDP, AAA, and Load Balancing sessions too. Do not treat the patch as the finish line.
Third, audit your RMM footprint. Maintain a list of approved RMM tools and monitor for installation of unauthorized alternatives, since deployment of multiple RMM tools within a short timeframe is a potential indicator of adversary persistence.
Fourth, block known bad infrastructure. Arctic Wolf recommends blocking known malicious infrastructure such as azuremicrosoft[.]us and promotds[.]us.
Fifth, watch for the login fingerprint. Attackers exploiting CVE-2025-5777 consistently operated from IP addresses associated with virtual private server hosting providers, a distinctive fingerprint, since legitimate employee logins almost always originate from residential or business broadband addresses.
Network defenders also have a signature option. A Snort rule (SID: 65120) detects exploitation attempts by looking for malformed HTTP POST requests targeting the /p/u/doAuthentication.do endpoint.
The timing of these steps matters as much as the steps themselves, a point worth repeating from any Patch Tuesday triage cycle where speed decides whether a fix lands before an attacker does.

The Detection Window You Still Have
Encryption is the last step, not the first. That gap is your opportunity. Arctic Wolf’s recommendations focus on detection before encryption, which remains the point at which defenders still have meaningful options.
The best opportunities for detection lie before encryption, when authentication anomalies, RMM deployment, and exfiltration tools begin to cluster around the same hosts. If you see three RMM tools appear on one server alongside a new PsExec service and odd VPN logins, treat it as an active intrusion, not an IT quirk.
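The clustering described here, and the RMM audit and VPS-login fingerprint from the action list above, can be expressed as one correlation rule. The following is an added example written for this article, not Arctic Wolf's detection content: Python that scores each host on a sliding window of constructed events (VPN logins with their source ASN, software installs, service creations) and flags the combination of multiple RMM tools, a PsExec service, an exfiltration tool and a VPN login from a hosting ASN. The hosting ASNs and tool names are the ones named in the article; the single approved RMM product, the six-hour window, the event shape and the sample events are assumptions made for the example. The PsExec default service name PSEXESVC is a known value, not taken from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tool names taken from the Arctic Wolf findings quoted in the article.
RMM_TOOLS = {"screenconnect", "zoho assist", "meshagent", "remotely",
             "ultravnc", "total software deployment"}
EXFIL_TOOLS = {"s3 browser", "rclone", "s5cmd", "winscp", "putty"}
# Hosting ASNs named in the article (AS20473, AS55286); extend from your own intel.
HOSTING_ASNS = {20473, 55286}
# Assumption: the organisation sanctions exactly one RMM product.
APPROVED_RMM = {"screenconnect"}
PSEXEC_SERVICE = "psexesvc"   # PsExec's default service name


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def hosting_logins(events):
    """Map user -> VPN login times that came from a hosting-provider ASN."""
    out = defaultdict(list)
    for e in events:
        if e["kind"] == "vpn_login" and e["asn"] in HOSTING_ASNS:
            out[e["user"]].append(_ts(e))
    return out


def signals_in_window(evs, vps_logins, start, window):
    """Collect intrusion signals for one host's events within [start, start+window]."""
    rmm, sig = set(), set()
    for e in evs:
        t = _ts(e)
        if not (start <= t <= start + window):
            continue
        product = e.get("product", "").lower()
        if e["kind"] == "install" and product in RMM_TOOLS:
            rmm.add(product)
            if product not in APPROVED_RMM:
                sig.add("unapproved_rmm")
        elif e["kind"] == "install" and product in EXFIL_TOOLS:
            sig.add("exfil_tool")
        elif e["kind"] == "service_created" and e["name"].lower() == PSEXEC_SERVICE:
            sig.add("psexec_service")
        # Did the acting user reach the VPN from a hosting ASN shortly before this?
        if any(start - window <= lt <= t for lt in vps_logins.get(e["user"], [])):
            sig.add("vps_vpn_login")
    if len(rmm) >= 2:          # several RMM tools in one short window
        sig.add("rmm_cluster")
    return sig


def triage(events, window=timedelta(hours=6)):
    """Return host -> (verdict, sorted signals) using the densest window per host."""
    vps_logins = hosting_logins(events)
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] != "vpn_login":       # logins are attributed to users, not hosts
            by_host[e["host"]].append(e)
    verdicts = {}
    for host, evs in by_host.items():
        best = set()
        for anchor in evs:                 # slide the window over each event start
            found = signals_in_window(evs, vps_logins, _ts(anchor), window)
            if len(found) > len(best):
                best = found
        if len(best) >= 3:
            verdict = "active_intrusion"   # treat as an intrusion, not an IT quirk
        elif best:
            verdict = "investigate"
        else:
            verdict = "clean"
        verdicts[host] = (verdict, sorted(best))
    return verdicts


# Constructed sample events (not real telemetry). AS7922 is a residential ISP.
SAMPLE_EVENTS = [
    {"ts": "2026-06-03T01:12:00", "kind": "vpn_login", "user": "jsmith", "asn": 20473, "host": "vpn-gw"},
    {"ts": "2026-06-03T01:20:00", "kind": "install", "user": "jsmith", "host": "dc01", "product": "MeshAgent"},
    {"ts": "2026-06-03T01:35:00", "kind": "service_created", "user": "jsmith", "host": "dc01", "name": "PSEXESVC"},
    {"ts": "2026-06-03T02:05:00", "kind": "install", "user": "jsmith", "host": "dc01", "product": "Zoho Assist"},
    {"ts": "2026-06-03T02:40:00", "kind": "install", "user": "jsmith", "host": "dc01", "product": "rclone"},
    {"ts": "2026-06-03T09:00:00", "kind": "vpn_login", "user": "alee", "asn": 7922, "host": "vpn-gw"},
    {"ts": "2026-06-03T09:30:00", "kind": "install", "user": "alee", "host": "ws-17", "product": "ScreenConnect"},
    {"ts": "2026-06-03T14:10:00", "kind": "install", "user": "mpatel", "host": "fs02", "product": "UltraVNC"},
]

if __name__ == "__main__":
    for host, (verdict, signals) in triage(SAMPLE_EVENTS).items():
        print(f"{host:8} {verdict:17} {', '.join(signals)}")
```

The point of scoring the combination rather than any single signal is that each piece on its own looks like routine IT work: one sanctioned RMM install on a workstation scores nothing, while a domain controller that collects two unsanctioned RMM agents, a PsExec service and rclone within hours of a VPN login from a hosting provider crosses the threshold.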
Where This Leaves Us
Citrix Bleed 2 ransomware is a solved problem on paper and an open wound in practice. The patch exists, the CISA mandate is clear, and the mitigation steps are published. Yet 91 victims and counting show how many organizations patched the box and stopped there.
Watch three numbers going forward: the count of exposed NetScaler instances still online, the pace of new Anubis victims on its leak site, and how many breached firms skipped session termination. The exploit is not going away. The teams that survive it will be the ones who treat “patched” as the start of the response, not the end of it.