A year-old Citrix vulnerability is still handing ransomware crews the keys to enterprise networks. Threat actors running the Anubis ransomware operation have been exploiting Citrix Bleed 2 — tracked as CVE-2025-5777, CVSS 9.3 — to gain initial access, steal session tokens, and bypass multi-factor authentication without ever needing a password. The campaign has been prolific: Anubis has claimed 91 victims through intrusions built on the flaw.
This is not zero-day drama. Citrix Bleed 2 was disclosed and patched in 2025. What this campaign demonstrates is uglier: a vulnerability with a fix available for a year, still sitting on internet-facing NetScaler appliances, and still productive enough to sustain an entire ransomware operation’s victim pipeline.
How Citrix Bleed 2 Breaks MFA
CVE-2025-5777 affects Citrix NetScaler ADC and Gateway when the appliance is configured as a Gateway or AAA virtual server. Like its infamous predecessor Citrix Bleed, the flaw lets an attacker read memory from the appliance — memory that contains valid session tokens belonging to users who have already authenticated.
That mechanism is what makes it an MFA killer. The attacker never phishes a one-time code or pushes a fatigue attack. They simply take over a session that a legitimate user already completed MFA for. From the network’s perspective, the intruder is that user. Every dollar the victim organization spent on MFA is bypassed by a memory-disclosure bug in the box that terminates the VPN.
Blending In: The RMM Toolkit
What Anubis affiliates do after landing is a case study in living off the land — or more precisely, living off the IT department. Investigators observed the group repeatedly deploying legitimate remote monitoring and management tools, including ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, and Total Software Deployment, to maintain persistent control while looking like routine IT activity.
This is the defining tradecraft shift of 2026 ransomware. Custom malware trips EDR; commercial RMM agents are signed, allowlisted, and often already present in the environment. When a second (or third) RMM platform quietly appears on a domain controller, most security teams don’t have a detection for it — because half the time, it’s their own MSP.
Alongside Citrix Bleed 2, the intrusions combined stolen VPN credentials whose origin remains unknown — possibly prior compromise, initial-access brokers, credential stuffing, or infostealer harvests. The overlap with what we documented in the FortiBleed credential-harvesting campaign is hard to miss: the ecosystem is awash in valid edge-device credentials, and ransomware crews are the buyers.
The Broader Pattern: BYOVD and Supply-Chain Credentials
The Anubis disclosure landed alongside Kaspersky research detailing The Gentlemen ransomware-as-a-service group — a crew we’ve covered before for its attacks on South Texas healthcare providers. Kaspersky found The Gentlemen breaching targets through known vulnerabilities and stolen or weak credentials, then evading defenses using bring-your-own-vulnerable-driver (BYOVD) techniques — loading a legitimately signed but exploitable driver to gain kernel-level access and blind or kill EDR from below.
Put the pieces together and the 2026 ransomware playbook looks like this:
- Initial access through an unpatched edge appliance (Citrix Bleed 2) or credentials bought from the supply chain of stolen logins.
- MFA bypass via session-token theft rather than social engineering.
- Persistence through legitimate RMM software that defenders trust.
- Defense evasion via BYOVD to disable endpoint protection at the kernel.
- Extortion — increasingly data-theft-first, encryption optional.
Almost nothing in that chain requires novel malware. It is assembled from the victim’s own infrastructure, commercial tooling, and old vulnerabilities.
What Defenders Should Do
- Patch NetScaler now, then hunt. If your ADC/Gateway sat exposed unpatched at any point since June 2025, patching alone is insufficient — attackers holding stolen session tokens survive the patch. Terminate all active sessions after updating and review authentication logs for session anomalies: impossible travel, sessions outliving their users, logins without corresponding MFA events.
- Inventory RMM tools and alert on new ones. Maintain an explicit allowlist of sanctioned remote-access software. The appearance of ScreenConnect, MeshAgent, or UltraVNC outside that list should page someone.
- Deploy the Microsoft vulnerable-driver blocklist (or your EDR’s equivalent) to blunt BYOVD attacks, and alert on driver loads from unusual paths.
- Rotate VPN credentials and enforce phishing-resistant MFA — while recognizing, per the above, that MFA is a layer, not a wall.
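One way to run the post-patch hunt described above over gateway authentication logs, written here as an added example (not code from the article, from Citrix, or from any named vendor): the record layout, field names and event names are assumed, and the log lines are constructed to show one hijacked session and one session that never passed MFA.

```python
"""Hunt for two of the session anomalies named in the patch guidance:
  1. a session that starts with no MFA-success event for that user
     shortly beforehand (a replayed token never went through MFA);
  2. an established session whose source IP changes mid-stream
     (the same token in use from a second host)."""
from datetime import datetime

# Constructed sample records (assumed layout, not real NetScaler output):
# (timestamp, event, user, session_id, source_ip)
SAMPLE_LOG = [
    ("2026-03-02T08:00:00", "mfa_success",      "alice", None, "203.0.113.10"),
    ("2026-03-02T08:00:05", "session_start",    "alice", "S1", "203.0.113.10"),
    ("2026-03-02T08:30:00", "session_activity", "alice", "S1", "203.0.113.10"),
    ("2026-03-02T08:31:00", "session_activity", "alice", "S1", "198.51.100.7"),  # new IP
    ("2026-03-02T09:00:00", "session_start",    "bob",   "S2", "192.0.2.44"),    # no MFA
    ("2026-03-02T07:59:00", "mfa_success",      "carol", None, "203.0.113.55"),
    ("2026-03-02T08:01:00", "session_start",    "carol", "S3", "203.0.113.55"),
]


def _sorted_events(records):
    """Parse timestamps and order events chronologically."""
    parsed = [(datetime.fromisoformat(ts), ev, user, sid, ip)
              for ts, ev, user, sid, ip in records]
    return sorted(parsed, key=lambda r: r[0])


def sessions_without_mfa(records, window_minutes=5):
    """Session IDs whose start is not preceded by an mfa_success for the
    same user within window_minutes. Returned in chronological order."""
    last_mfa, flagged = {}, []
    for ts, ev, user, sid, _ip in _sorted_events(records):
        if ev == "mfa_success":
            last_mfa[user] = ts
        elif ev == "session_start":
            prior = last_mfa.get(user)
            if prior is None or (ts - prior).total_seconds() > window_minutes * 60:
                flagged.append(sid)
    return flagged


def sessions_with_ip_change(records):
    """Map session_id -> (first_ip, later_ip) for sessions seen from more
    than one source address, a replay indicator for a stolen token."""
    first_ip, flagged = {}, {}
    for _ts, _ev, _user, sid, ip in _sorted_events(records):
        if sid is None:
            continue
        if sid not in first_ip:
            first_ip[sid] = ip
        elif ip != first_ip[sid]:
            flagged[sid] = (first_ip[sid], ip)
    return flagged
```

Both checks depend on the MFA event and the session lifecycle being logged with a shared user or session identifier; tune `window_minutes` to the gateway's actual login-to-session latency before trusting the first check.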
The Bottom Line
Ninety-one organizations are on Anubis’s ledger because a 2025 vulnerability met 2026 patch discipline. Citrix Bleed 2 is not a sophisticated weapon — it’s a door that was documented, patched, and left open anyway. The groups exploiting it have industrialized every step that follows, using software your IT team already trusts. The lesson isn’t that attackers are getting more advanced. It’s that they no longer need to be.