Ransomware operators, including those linked to the Anubis operation, are exploiting the Citrix Bleed 2 vulnerability (CVE-2025-5777) to gain initial access to targeted systems [1]. The exploit lets threat actors deploy legitimate Remote Management and Monitoring (RMM) tooling, facilitating credential access and hands-on-keyboard lateral movement. The use of supply chain credentials and Bring Your Own Vulnerable Driver (BYOVD) tactics further expands the attack surface. As the disclosure of CVE-2025-5777 broadens the potential attack surface, organizations should prioritize mitigation based on their exposure and on evidence of exploitation. The exploitation of this vulnerability by ransomware groups underscores the importance of prompt patching and robust security controls to prevent initial access and subsequent lateral movement. For security practitioners, this development highlights the need for proactive vulnerability management to stay ahead of emerging threats.
Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
⚠️ Critical Alert
Why This Matters
CVE-2025-5777 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- [1] The Hacker News. (2026, July 2). Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials. *The Hacker News*. https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html