CitrixBleed 2 Exploited by Initial Access Broker for DragonForce Ransomware Attacks

CitrixBleed 2 Exploited by Initial Access Broker for DragonForce Ransomware Attacks

First seen 10 Jul 2026, 22:41 UTC HuntressCybersecuritydivesupport.citrix.com 90% similarity 72.6

Article Content

Browse articles
ThreatCluster

In the first half of 2026, multiple organizations were targeted by an Initial Access Broker exploiting the CitrixBleed 2 vulnerability (CVE-2025-5777). Attackers gained access through the Citrix NetScaler gateway, escalating privileges and creating rogue administrator accounts. The most advanced attack led to the deployment of DragonForce ransomware, with rapid execution leaving little time for defenders to respond. Huntress identified a consistent attack pattern across at least six incidents, prompting warnings for organizations to patch their systems. The vulnerability was linked to insufficient input validation in NetScaler ADC and Gateway configurations. Sophos also tracked the cluster of attacks under the name STAC3725, noting similarities to previous incidents involving QEMU tooling. Citrix had released guidance on the vulnerability in 2025.

Key Points: • CVE-2025-5777 (CitrixBleed 2) exploited in multiple attacks during early 2026. • Attackers used privilege escalation and rogue accounts to deploy DragonForce ransomware. • Organizations using Citrix NetScaler are urged to patch their systems immediately.

ThreatCluster AI

Timeline

2023-10-10
CVE-2023-4966 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2025-06-17
CVE-2025-5777 published
CitrixBleed 2 vulnerability disclosed, affecting Citrix NetScaler products.
Huntress
2025-07-10
CVE-2025-5777 added to CISA KEV
CISA included CitrixBleed 2 in its Known Exploited Vulnerabilities catalog due to active exploitation.
Huntress
2026-03-23
CVE-2026-4368 published
New vulnerability related to Citrix products published, further complicating security landscape.
Huntress
Recent
Huntress reports on CitrixBleed 2 exploitation
Huntress details a series of attacks exploiting CitrixBleed 2, leading to DragonForce ransomware deployment.
Cybersecuritydive

Community

Browse all →