Critical Vulnerability

Anubis Ransomware exploits Citrix Bleed 2 for access

Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. 'Although tactics differ between

What Happened

Threat actors linked to the Anubis ransomware operation are exploiting the newly disclosed Citrix Bleed 2 vulnerability CVE-2025-5777 to gain initial access to target networks. Attack intelligence from multiple sources indicates the group has expanded its arsenal beyond opportunistic exploitation, now combining this vulnerability with Bring Your Own Vulnerable Driver (BYOVD) attacks and procurement of stolen supply chain credentials. The shift represents a notable escalation in the group’s operational maturity, moving toward multi-vector intrusion chains that compound the difficulty of defense.

Why It Matters

Anubis is a relatively new ransomware actor, but its adoption of these techniques signals a dangerous convergence. Citrix Bleed 2 affects NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway appliances on unpatched builds when they are configured as a Gateway or AAA virtual server; the flaw leaks appliance memory to unauthenticated requests, and that memory can hold valid session tokens, so an attacker obtains an authenticated foothold without ever supplying a password or passing MFA. BYOVD attacks allow the group to disable endpoint detection and response (EDR) agents: a legitimately signed but vulnerable kernel driver loads cleanly under Driver Signature Enforcement, and its flaw is then used to terminate or blind the EDR processes, hiding the lateral movement that follows. Compounding this, purchased credentials give Anubis persistent access even after the initial exploitation vector is closed. For organizations relying on Citrix appliances, this is not a theoretical threat: public-facing instances are actively being scanned.

Technical Details

CVE-2025-5777 is an insufficient-input-validation flaw in NetScaler ADC and NetScaler Gateway that results in a memory overread (an out-of-bounds read). It is not a heap overflow and it does not give remote code execution. When the appliance is configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, a malformed unauthenticated request to the login endpoint returns a fragment of the appliance's memory in the response, and that fragment can contain live session tokens. Replaying a leaked token gives the attacker an authenticated session with that user's access and bypasses MFA, which is why the bug is grouped with the original Citrix Bleed (CVE-2023-4966) and why an information-disclosure flaw works as an initial-access primitive. Proof-of-concept code is already circulating on closed Telegram channels. The BYOVD component reuses a legitimately signed but flawed third-party kernel driver that other groups have already abused; the reporting summarized here does not name the driver. Anubis operators are known to purchase compromised credentials - including those for privileged service accounts - via underground forums, enabling them to skip credential guessing and deploy ransomware directly.

Indicators include NetScaler session IDs that are used from a client IP other than the one that authenticated (the signature of a replayed token, and the most reliable appliance-side sign of Citrix Bleed-style abuse), logins from unexpected IP ranges, driver installation and load events (Windows System log Event ID 7045 for a newly installed kernel service, Sysmon Event ID 6 for the driver load, and any driver image path outside the system drivers directory), and SMB lateral movement from the initial foothold to domain controllers. The group has been observed dropping the Styx stealer payload post-exploitation for credential harvesting and reconnaissance.

Immediate Risk

The risk is critical for any organization with unpatched NetScaler ADC or Gateway appliances exposed to the internet. Anubis does not target a specific vertical - the group targets any accessible Citrix instance. The BYOVD component is built to terminate or blind EDR agents, so endpoint telemetry alone cannot be trusted once the driver has loaded, and the stolen-credential element means that even patched systems can be recompromised if credentials or session tokens were harvested before the patch went in. At the time of writing CISA had not yet added CVE-2025-5777 to the Known Exploited Vulnerabilities catalog; it has since been added (July 2025), which imposes a remediation deadline on federal agencies and should be read as confirmation of in-the-wild exploitation.

Security Insight

The key defensive takeaway is that Anubis exploits the lag between disclosure and patch deployment, but it also targets the remediation event itself. The group has been observed authenticating with stolen credentials after a patch is applied, so organizations that patch but do not rotate exposed credentials remain vulnerable. This mirrors the Conti playbook of 2021, where post-patch credential reuse led to re-compromise. The only effective response is to do all of the following together: (1) apply the Citrix patch, (2) terminate every active session on the appliance so that a token leaked before the upgrade cannot be replayed afterwards (Citrix's advisory recommends running kill icaconnection -all and kill pcoipConnection -all from the NetScaler CLI once the upgrade is complete), (3) rotate all credentials stored or cached on any appliance, and (4) audit for unexpected driver loads or EDR tampering within the last 30 days. Treat the remediation window as a recovery operation, not a simple patch cycle.
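The indicators listed under Technical Details and the driver-load audit step of the remediation list above can be checked with a short triage script. The following is an added example written for this page; it is not code from the original article, from Citrix, or from any published Anubis analysis. The record layouts (tuple field order, names such as session_id and signer, the 30-day window, the trusted-signer set) are assumptions chosen for illustration, and every sample record is constructed rather than taken from real logs; map the shapes onto your own NetScaler, Sysmon and firewall exports before use.

```python
"""Triage helpers for the Anubis / Citrix Bleed 2 indicators in this article.

Added example, not code from the original article or from Citrix. Record
shapes and field names are assumptions for illustration; all sample data is
constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# --- constructed sample inputs -------------------------------------------

# NetScaler Gateway session records: (timestamp, session_id, user, client_ip).
SESSIONS = [
    ("2025-07-01T08:00:00", "sess-AAA1", "j.doe", "10.10.5.21"),
    ("2025-07-01T08:05:00", "sess-AAA1", "j.doe", "10.10.5.21"),
    # Same session token, new client IP outside the corporate range: the
    # hallmark of a leaked and replayed token rather than a fresh login.
    ("2025-07-01T08:07:00", "sess-AAA1", "j.doe", "198.51.100.77"),
    ("2025-07-01T09:00:00", "sess-BBB2", "svc-backup", "10.10.6.9"),
]
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Sysmon Event ID 6 style driver-load records: (timestamp, host, image, signer).
DRIVER_LOADS = [
    ("2025-06-20T11:00:00", "WS-0419", "C:\\Windows\\System32\\drivers\\tcpip.sys", "Microsoft Windows"),
    ("2025-06-28T02:13:00", "WS-0419", "C:\\Users\\Public\\tmp\\drv.sys", "Example Vendor Ltd"),
]
TRUSTED_SIGNERS = {"Microsoft Windows"}          # assumption: tune per estate
DRIVER_DIR = "C:\\Windows\\System32\\drivers\\"

# SMB connection records: (timestamp, src_ip, dst_ip, dst_port).
SMB_CONNECTIONS = [
    ("2025-06-28T02:20:00", "10.10.5.21", "10.10.1.10", 445),
    ("2025-06-28T02:21:00", "10.10.5.21", "10.10.1.11", 445),
    ("2025-06-28T02:25:00", "10.10.6.9", "10.10.1.10", 445),
]
DOMAIN_CONTROLLERS = {"10.10.1.10", "10.10.1.11"}

# Reference "now" for the 30-day window (constructed).
NOW = datetime.fromisoformat("2025-07-01T12:00:00")


def find_session_reuse(sessions, corp_ranges):
    """Return {session_id: (user, sorted client IPs, any_external)} for every
    session token seen from more than one client IP. A token leaked by the
    memory overread and replayed by the attacker shows up exactly this way:
    the same session, a new source address, no fresh authentication."""
    ips_by_session = defaultdict(set)
    user_by_session = {}
    for _ts, sid, user, ip in sessions:
        ips_by_session[sid].add(ip)
        user_by_session[sid] = user
    hits = {}
    for sid, ips in ips_by_session.items():
        if len(ips) < 2:
            continue
        external = any(
            not any(ipaddress.ip_address(ip) in net for net in corp_ranges)
            for ip in ips
        )
        hits[sid] = (user_by_session[sid], sorted(ips), external)
    return hits


def find_unexpected_drivers(events, trusted_signers, now, window_days=30):
    """Return driver loads inside the window whose signer is not trusted or
    whose image lives outside the system drivers directory. BYOVD drivers
    carry a valid signature, so the signer check alone is not enough; the
    load path is the second, independent check."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for ts, host, image, signer in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue
        in_driver_dir = image.lower().startswith(DRIVER_DIR.lower())
        if signer not in trusted_signers or not in_driver_dir:
            hits.append((ts, host, image, signer))
    return hits


def find_smb_to_dc(connections, dcs, suspect_ips):
    """Return SMB (445) connections from suspect sources to domain controllers:
    the lateral-movement leg named in the indicators."""
    return [c for c in connections
            if c[1] in suspect_ips and c[2] in dcs and c[3] == 445]


def triage(now=NOW):
    """Run the three checks together. Every client IP attached to a reused
    session is treated as suspect for the SMB check; this is a heuristic
    that prioritises hosts for investigation, not proof of compromise."""
    reuse = find_session_reuse(SESSIONS, CORP_RANGES)
    suspect_ips = {ip for _user, ips, _ext in reuse.values() for ip in ips}
    return {
        "session_reuse": reuse,
        "driver_loads": find_unexpected_drivers(DRIVER_LOADS, TRUSTED_SIGNERS, now),
        "smb_to_dc": find_smb_to_dc(SMB_CONNECTIONS, DOMAIN_CONTROLLERS, suspect_ips),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(name)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

Run against the constructed data the script flags sess-AAA1 (one user, two client IPs, one of them outside 10.0.0.0/8), the out-of-place drv.sys load, and the two SMB connections from the flagged client to the domain controllers; the svc-backup session and the Microsoft-signed tcpip.sys load produce no alerts. The session-reuse check is the one to wire up first: it works on appliance logs alone and fires regardless of what the attacker does on the endpoint afterwards.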
