Resurgence of Exploitation Attempts on GlobalProtect and CitrixBleed Vulnerabilities
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Between June 29 and July 6, 2026, GreyNoise observed a significant increase in exploitation attempts targeting Palo Alto GlobalProtect CVE-2019-1579, with over 120 malicious hosts detected on July 6. This activity was primarily sourced from a single hosting network. Concurrently, GreyNoise documented active exploitation of CVE-2025-5777 (CitrixBleed 2), which began on June 23, 2026, prior to the public release of a proof-of-concept on July 4. The early exploitation of CVE-2025-5777 was traced back to malicious IPs in China, specifically targeting GreyNoise sensors emulating Citrix NetScaler appliances. CISA confirmed the exploitation of CVE-2025-5777 on July 9, 2026, adding it to the Known Exploited Vulnerabilities catalog. Organizations are advised to patch vulnerabilities and block malicious IPs to mitigate risks.
Key Points: • Over 120 malicious hosts targeted GlobalProtect CVE-2019-1579 on July 6, 2026. • Exploitation of CVE-2025-5777 began on June 23, 2026, before public PoC release. • CISA confirmed active exploitation of CVE-2025-5777 on July 9, 2026.