Resurgence of Exploitation Attempts on GlobalProtect and CitrixBleed Vulnerabilities

Resurgence of Exploitation Attempts on GlobalProtect and CitrixBleed Vulnerabilities

First seen 9 Jul 2026, 00:48 UTC www.greynoise.ioGreynoisenvd.nist.gov 81% similarity 74.7

Article Content

Browse articles
ThreatCluster

Between June 29 and July 6, 2026, GreyNoise observed a significant increase in exploitation attempts targeting Palo Alto GlobalProtect CVE-2019-1579, with over 120 malicious hosts detected on July 6. This activity was primarily sourced from a single hosting network. Concurrently, GreyNoise documented active exploitation of CVE-2025-5777 (CitrixBleed 2), which began on June 23, 2026, prior to the public release of a proof-of-concept on July 4. The early exploitation of CVE-2025-5777 was traced back to malicious IPs in China, specifically targeting GreyNoise sensors emulating Citrix NetScaler appliances. CISA confirmed the exploitation of CVE-2025-5777 on July 9, 2026, adding it to the Known Exploited Vulnerabilities catalog. Organizations are advised to patch vulnerabilities and block malicious IPs to mitigate risks.

Key Points: • Over 120 malicious hosts targeted GlobalProtect CVE-2019-1579 on July 6, 2026. • Exploitation of CVE-2025-5777 began on June 23, 2026, before public PoC release. • CISA confirmed active exploitation of CVE-2025-5777 on July 9, 2026.

ThreatCluster AI

Timeline

2019-07-19
CVE-2019-1579 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-06-23
Exploitation of CVE-2025-5777 begins
Malicious IPs from China targeted GreyNoise sensors emulating Citrix NetScaler appliances.
www.greynoise.io
2026-07-04
Public PoC for CVE-2025-5777 released
A proof-of-concept for CitrixBleed 2 was made public, following active exploitation.
www.greynoise.io
2026-07-06
Spike in GlobalProtect exploitation attempts
More than 120 malicious hosts targeted CVE-2019-1579, primarily from a single hosting network.
Greynoise
2026-07-09
CISA confirms exploitation of CVE-2025-5777
CISA added CVE-2025-5777 to the Known Exploited Vulnerabilities catalog after confirming active exploitation.
www.greynoise.io

Community

Browse all →