🔴 Critical  |  Source: The Hacker News


The Anubis ransomware group is actively exploiting CVE-2025-5777, dubbed Citrix Bleed 2, a memory over-read in NetScaler ADC and NetScaler Gateway that can leak session tokens and other sensitive memory contents, to gain initial access to target environments. Affiliates are combining this with Bring Your Own Vulnerable Driver (BYOVD) techniques, credentials stolen through third-party supply chains, and legitimate remote monitoring and management (RMM) tooling to move laterally and evade detection. The breadth of tactics across multiple affiliates makes this a significant and evolving threat to any enterprise exposing Citrix NetScaler to the internet.

Security Architect's Take: Upgrade Citrix NetScaler ADC and Gateway to a build that fixes CVE-2025-5777 immediately, then terminate all active ICA and PCoIP sessions (kill icaconnection -all and kill pcoipConnection -all on the appliance), because patching alone does not invalidate session tokens that were leaked before the upgrade. Audit all RMM tooling in your environment for unauthorised instances and block unapproved RMM tools both at the network perimeter and through application control policies. Counter BYOVD by enforcing Microsoft's vulnerable driver blocklist and enabling hypervisor-protected code integrity (HVCI) on Windows endpoints, and alert on driver loads from user-writable paths. Review privileged credential stores and pipeline secrets for evidence of exfiltration, particularly where third-party suppliers hold access to your environment, and rotate anything that may have been exposed.
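The "patch immediately" advice is only as good as your ability to tell, across a fleet, which appliances are actually on a fixed build. The following Python check is an added example written for this digest, not code from The Hacker News article or from Citrix: it parses the version banner printed by show ns version and compares the build number against a table of minimum fixed builds. That table is an assumption of this example, recorded from memory of the Citrix advisory for CVE-2025-5777; confirm the numbers against the current vendor advisory before trusting a verdict. The sample banners are constructed, not captured from real appliances.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum fixed builds for CVE-2025-5777, keyed by (release, branch).
# ASSUMPTION of this example: these values are recalled from the Citrix
# advisory at the time of writing; verify them against the current
# vendor advisory before relying on the verdict.
FIXED_BUILDS: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("14.1", "mainline"): (43, 56),
    ("13.1", "mainline"): (58, 32),
    ("13.1", "fips"): (37, 235),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 328),   # 12.1-FIPS and 12.1-NDcPP
}

# Matches the first line of `show ns version`, e.g.
# "NetScaler NS14.1: Build 43.56.nc, Date: Jun 13 2025, 02:21:04"
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (release, (build_major, build_minor)) or None if unparseable."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(text: str, branch: str = "mainline") -> Tuple[str, str]:
    """Classify a version banner as patched / vulnerable / unsupported / unknown.

    `branch` ("mainline" or "fips") must come from the operator's inventory:
    the FIPS/NDcPP trains number their builds on their own schedule
    (13.1-37.x, 12.1-55.x), so the banner alone is not a reliable way to
    tell which fixed build applies.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown", "could not parse a NetScaler version banner"
    release, build = parsed
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        # End-of-life releases (e.g. 13.0, mainline 12.1) have no fix at all.
        return (
            "unsupported",
            f"NetScaler {release} ({branch}) has no fixed build for CVE-2025-5777; "
            "either the release is end of life or the branch label is wrong",
        )
    # Tuple comparison orders (major, minor) numerically, so 43.56 > 43.7.
    if build >= fixed:
        return "patched", f"build {build[0]}.{build[1]} >= fixed {fixed[0]}.{fixed[1]}"
    return (
        "vulnerable",
        f"build {build[0]}.{build[1]} < fixed {fixed[0]}.{fixed[1]}; "
        "upgrade, then kill ICA and PCoIP sessions",
    )


if __name__ == "__main__":
    # Constructed sample banners for demonstration, not real appliance output.
    samples = [
        ("NetScaler NS14.1: Build 43.56.nc, Date: Jun 13 2025, 02:21:04", "mainline"),
        ("NetScaler NS14.1: Build 43.50.nc, Date: Apr 29 2025, 10:11:12", "mainline"),
        ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 10 2025, 07:00:00", "fips"),
        ("NetScaler NS13.1: Build 37.235.nc, Date: Jun 10 2025, 07:00:00", "mainline"),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Mar 1 2024, 09:00:00", "mainline"),
    ]
    for banner, branch in samples:
        verdict, reason = assess(banner, branch)
        print(f"{verdict:12} {reason}")
```

The check deliberately refuses to guess the branch: a 13.1 build 37.235 is fixed on the FIPS/NDcPP train but would be far behind the mainline fix, and an inventory that tags each appliance with its train is the only reliable input. Feed it the first line of show ns version collected from each appliance (over SSH or from your configuration management system) and treat "unknown" and "unsupported" results as findings in their own right, not as noise.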

Original advisory: Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials