Cybersecuritydive
CitrixBleed 2 Exploited by Initial Access Broker for DragonForce Ransomware Attacks
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
In the first half of 2026, multiple organizations were targeted by an Initial Access Broker exploiting the CitrixBleed 2 vulnerability (CVE-2025-5777). Attackers gained access through the Citrix NetScaler gateway, escalating privileges and creating rogue administrator accounts. The most advanced attack led to the deployment of DragonForce ransomware, with rapid execution leaving little time for defenders to respond. Huntress identified a consistent attack pattern across at least six incidents, prompting warnings for organizations to patch their systems. The vulnerability was linked to insufficient input validation in NetScaler ADC and Gateway configurations. Sophos also tracked the cluster of attacks under the name STAC3725, noting similarities to previous incidents involving QEMU tooling. Citrix had released guidance on the vulnerability in 2025.
Key Points: • CVE-2025-5777 (CitrixBleed 2) exploited in multiple attacks during early 2026. • Attackers used privilege escalation and rogue accounts to deploy DragonForce ransomware. • Organizations using Citrix NetScaler are urged to patch their systems immediately.