Session Hijack Exploit in Citrix NetScaler Opens Door to Rapid Ransomware Deployment

Attackers are exploiting a Citrix NetScaler memory disclosure flaw to steal active session tokens and deploy ransomware in under an hour without needing user credentials.

CSBadmin
2 Min Read

Vulnerability and Attack Mechanism

A critical memory disclosure vulnerability in Citrix NetScaler appliances is enabling attackers to bypass authentication and hijack active user sessions. Tracked as CVE-2025-5777 and dubbed CitrixBleed 2, the flaw resides in the memory management of NetScaler ADC and Gateway devices configured as AAA virtual servers. By sending malformed POST requests to login endpoints, an attacker can trigger a memory overread that leaks small fragments of appliance memory before authentication occurs. This leaked data can contain session tokens, allowing the adversary to replay a stolen token and assume control of an already authenticated session, thus rendering multi-factor authentication ineffective.

Attack Chain and Observed Impact

Security researchers at Huntress documented a consistent seven stage playbook across half a dozen intrusions between January and June 2026. In one case, a legitimate employee completed LDAP and multi-factor authentication from a known IP address, only for that same session to be active from an attacker IP just 21 minutes later with no additional login. Once inside, the attacker used a portable privilege escalation tool to achieve SYSTEM level access, created local administrator accounts, and deployed remote management software. The most advanced observed intrusion progressed to ransomware deployment in under an hour, with the DragonForce ransomware variant used to encrypt the victim environment.

Recommendations for Defenders

Organizations using Citrix NetScaler must act beyond patching alone. Stolen session tokens may remain valid even after an appliance update, so all active sessions on systems vulnerable to CVE-2025-5777 should be terminated. Logs from NetScaler appliances should be forwarded immediately to a central repository like a SIEM, as the evidence of malformed requests and memory leakage can rotate quickly. Administrators should also audit for unexpected accounts such as ctxsvc or CtxAppVCOMService, and investigate any unplanned installations of remote control tools like ScreenConnect or Zoho Assist.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.