Anubis Ransomware Exploits CVE-2025-5777 to Bypass MFA and Hijack Enterprise Sessions
Affiliates are chaining a Citrix NetScaler memory-disclosure flaw with legitimate RMM tools and supply-chain credential theft — rendering multi-factor authentication completely irrelevant at the point of entry.

Anubis ransomware affiliates are actively exploiting CVE-2025-5777, a memory-disclosure vulnerability in Citrix NetScaler ADC and Gateway appliances, to hijack authenticated enterprise sessions without ever triggering an MFA prompt.
The Mechanics of Citrix Bleed 2
The flaw is conceptually simple and ruthlessly effective. An unauthenticated attacker sends a malformed request to a vulnerable appliance's authentication endpoint. Because the input is not validated properly, the response carries a slice of uninitialized appliance memory, and repeating the request walks through whatever happens to be in that memory at the moment, including active session tokens. The attacker extracts a valid token and replays it. No credentials entered. No MFA challenge issued. No authentication event generated. What the appliance does see is a run of repeated malformed requests to the login endpoint, and later a session continuing from a client address it was not established from; those are the signals to hunt for, because the replay itself looks like ordinary authenticated traffic.
That is the core problem defenders keep miscalibrating. Session hijack is not an authentication failure. It is a session-management failure. By the time an attacker replays a stolen cookie, the authentication event is already in the past. Multi-factor controls sit upstream of that replay. They never fire.
"Session tokens remain the softest tissue in the modern identity stack," one incident responder summarized after working through multiple Anubis-linked intrusions. Until session binding to device posture or client certificate becomes a default expectation rather than an edge-case configuration, this entire class of bug will keep delivering reliable initial access to ransomware crews.
Citrix patched CVE-2025-5777 in June 2025 and was explicit in its advisory that patching alone is not enough. After every node in an HA pair or cluster has been upgraded, administrators must force-terminate every active ICA and PCoIP session on the appliance (the advisory gives the NetScaler CLI commands kill icaconnection -all and kill pcoipConnection -all). Until that is done, any session established before the patch can still be replayed. That operational step, the session flush, is the one most organizations have skipped.
What Happens After the Door Opens
Initial access is only act one. Anubis affiliates follow a deliberate three-stage playbook once inside.
Stage one: blend in. Rather than deploying custom malware, operators install legitimate Remote Monitoring and Management (RMM) software, tools like AnyDesk, ConnectWise ScreenConnect, or Atera that most enterprise allowlists already bless. Signed, allowlisted, and hash-clean, the agent sails past controls that key on unsigned binaries or known-bad hashes; only behavioural rules on what the agent goes on to do (where it was launched from, which processes it spawns, whom it talks to) will surface it. The attacker looks like an MSP technician doing routine work.
Stage two: harvest credentials. Investigators have documented hands-on-keyboard operators pulling secrets from memory, browser credential stores, and — in a pattern that is appearing repeatedly in 2025 ransomware casework — from third-party suppliers whose standing access to Citrix-fronted environments provides a pivot into the primary target. Supply-chain credential reuse amplifies the blast radius of a single exploited appliance into a multi-organization incident.
Stage three: blind the defenses. Before executing the ransomware payload, affiliates load a signed but vulnerable kernel driver and use it to kill or blind endpoint protection from kernel mode. This Bring Your Own Vulnerable Driver (BYOVD) technique is not new, but it remains effective wherever Microsoft's vulnerable driver blocklist is not enforced. Many organizations assume it is always on. It is enabled by default only on Windows 11 22H2 and later and on systems running HVCI, it can be switched off, and older builds need it turned on explicitly, so verify the setting rather than assume it.
The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as the initial access vector nearly tripled year-over-year (a 180% increase) and now appears in 14% of breaches. CVE-2025-5777 fits that trajectory precisely: an internet-facing edge appliance, unauthenticated exploitation, and a patch gap that affiliates are racing to monetize before administrators close it.
Which Controls Failed Here
The honest post-mortem on Citrix Bleed 2 intrusions points to at least four distinct control failures working in combination.
First, patch velocity on perimeter appliances remains inadequate across much of the enterprise market. A June patch should not still be undeployed in July at organizations that run internet-facing authentication gateways. Appliances that handle session tokens for the entire workforce warrant an accelerated patching SLA, not a quarterly maintenance window.
Second, session management hygiene is treated as an afterthought rather than a first-class security control. Binding sessions to a device fingerprint, network posture, or client certificate would not prevent the memory leak — but it would make the stolen token unreplayable from an attacker-controlled machine. That single architectural choice guts the entire attack chain.
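The mechanics described under "Citrix Bleed 2", the post-patch session flush, and the session-binding point in this paragraph all reduce to a few lines of session-store logic. The following Python is an added illustration written for this article, not NetScaler code or Citrix's session implementation; the `SessionStore` class and the fingerprint strings are constructed. It shows the unbound check that makes a leaked token replayable from anywhere, the bound check that rejects the same token from a different client, and the flush that kills sessions issued before a patch.

```python
"""Toy model of session replay and session binding. Added example, not Citrix
code or the appliance's real session store; fingerprints are constructed."""
import hmac
import secrets


class SessionStore:
    """In-memory session table keyed by bearer token. Each entry records the
    principal and, optionally, a fingerprint of the client that authenticated
    (for example the SHA-256 of its client certificate)."""

    def __init__(self):
        self._sessions = {}  # token -> (user, client_fp or None)

    def issue(self, user, client_fp=None):
        """Called once, after password and MFA both succeed."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, client_fp)
        return token

    def validate_unbound(self, token):
        """The failure mode: possession of the token is proof of identity, so a
        token read out of appliance memory works from any machine."""
        entry = self._sessions.get(token)
        return entry[0] if entry else None

    def validate_bound(self, token, client_fp):
        """Hardened: the token is honoured only from the client it was issued to."""
        entry = self._sessions.get(token)
        if entry is None or client_fp is None:
            return None
        user, bound_fp = entry
        if bound_fp is None or not hmac.compare_digest(bound_fp, client_fp):
            return None
        return user

    def revoke_all(self):
        """The post-patch session flush: patching stops new leaks, this
        invalidates tokens that leaked before the patch. Returns the count."""
        count = len(self._sessions)
        self._sessions.clear()
        return count


def demo():
    """Walk the attack chain and return what each check decided."""
    store = SessionStore()
    victim_fp = "sha256:" + "a" * 64     # constructed: victim's client-cert fingerprint
    attacker_fp = "sha256:" + "b" * 64   # constructed: attacker's own client
    token = store.issue("alice", client_fp=victim_fp)

    # The attacker now holds `token` from the memory leak: no password, no MFA prompt.
    hijack = store.validate_unbound(token)                  # "alice": replay succeeds
    blocked = store.validate_bound(token, attacker_fp)      # None: wrong client, replay rejected
    legit = store.validate_bound(token, victim_fp)          # "alice": the real user still works

    # Session flush after patching: the leaked token dies even in the unbound design.
    flushed = store.revoke_all()                            # 1
    after_flush = store.validate_unbound(token)             # None
    return hijack, blocked, legit, flushed, after_flush


if __name__ == "__main__":
    print(demo())
```

The bound path also refuses sessions that were never given a fingerprint, which is the policy choice the paragraph argues for: binding has to be the default, not an opt-in, or the attacker simply targets the users who were not enrolled. Client-certificate binding is the strongest option on managed endpoints; device-posture or source-address binding is weaker but still forces the replay to come from a matching vantage point.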
Third, RMM allowlisting without behavioral baselining is a security liability dressed up as an operational convenience. Approving a tool organization-wide because the IT team uses it, without alerting on anomalous spawning contexts or unusual parent processes, hands attackers a camouflaged persistence mechanism.
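The behavioural baseline this paragraph calls for (and the RMM telemetry review on the hunt list later in the article) looks like the following in practice. This Python is an added example for this article, not code from any EDR vendor or from the Anubis casework; the process and network events are constructed, the domain-registration dates stand in for a real domain-age feed, and the agent executable names are assumptions to replace with what the IT team actually deploys.

```python
"""Behavioural checks for allowlisted RMM agents over process and network
events. Added example: the events and domain-registration dates are constructed
and the agent executable names are assumptions, not vendor-published lists."""
import re
from datetime import date, timedelta

# Assumed agent executable names (lower-case basenames) for the RMM tools named
# in the text. Extend with whatever the IT team actually deploys.
RMM_IMAGES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",   # ConnectWise ScreenConnect
    "screenconnect.windowsclient.exe",
    "ateraagent.exe",
}
SHELLS = {"powershell.exe", "pwsh.exe"}
USER_PROFILE_PREFIX = "c:\\users\\"
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob of useful length.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
NEW_DOMAIN_DAYS = 90

# Constructed domain-registration dates standing in for a domain-age feed.
DOMAIN_REGISTERED = {
    "relay.anydesk.example": date(2014, 1, 1),
    "update-svc-cdn.example": date(2025, 6, 20),
}


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the rule names an event trips; an empty list means benign."""
    hits = []
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    if ev["type"] == "process":
        # Rule 1: an allowlisted agent running from a user profile instead of the
        # location its installer uses (dropped by an operator, not deployed by IT).
        if image in RMM_IMAGES and ev["image"].lower().startswith(USER_PROFILE_PREFIX):
            hits.append("rmm_from_user_profile")
        # Rule 2: the agent is the parent of an encoded PowerShell command.
        if parent in RMM_IMAGES and image in SHELLS and ENCODED_ARG.search(ev.get("cmdline", "")):
            hits.append("rmm_spawns_encoded_powershell")
    elif ev["type"] == "network" and image in RMM_IMAGES:
        # Rule 3: the agent talks to a domain registered within the last 90 days.
        registered = DOMAIN_REGISTERED.get(ev["domain"])
        if registered is not None and ev["ts"] - registered < timedelta(days=NEW_DOMAIN_DAYS):
            hits.append("rmm_to_recently_registered_domain")
    return hits


def hunt(events):
    """Flatten findings to (timestamp, image, rule) tuples for a SIEM or a report."""
    return [(ev["ts"].isoformat(), ev["image"], rule) for ev in events for rule in check_event(ev)]


# Constructed telemetry: one legitimate install, then the three behaviours the text describes.
SAMPLE_EVENTS = [
    {"type": "process", "ts": date(2025, 7, 8),
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": "AnyDesk.exe --service"},
    {"type": "process", "ts": date(2025, 7, 8),
     "image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "ts": date(2025, 7, 8),
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "network", "ts": date(2025, 7, 8),
     "image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe", "domain": "update-svc-cdn.example"},
    {"type": "network", "ts": date(2025, 7, 8),
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "domain": "relay.anydesk.example"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow. An allowlisted tool is fine where the installer put it and doing what the IT team does with it, so the signal is the deviation (launch location, child process, destination age), not the tool's presence. The first, legitimate event in the sample produces no finding; the next three each trip exactly one rule.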
Fourth, third-party integrator access is rarely reviewed with the same rigor as internal accounts. Suppliers with standing credentials to Citrix-fronted environments represent lateral-movement highways. Credential rotation and just-in-time access for external parties are not optional hygiene steps when your perimeter appliance is actively being mined for session tokens.
Organizations that train employees to recognize suspicious requests and handle credentials responsibly close the human side of this equation. When an affiliate operator moves laterally using a legitimate RMM tool and a harvested third-party password, the last line of defense is often a person — someone who notices something feels off and knows what to do. Security-awareness training that covers credential hygiene and social engineering builds that instinct before attackers test it.
Immediate Actions for Defenders
The hunt list is short but requires immediate attention:
- Identify every NetScaler ADC and Gateway appliance in the environment. Confirm CVE-2025-5777 patch status for each device individually.
- For any appliance patched without a subsequent session flush, treat all active ICA and PCoIP sessions as potentially compromised. Force termination now.
- Review endpoint telemetry for RMM binaries executing from user profile directories, spawning PowerShell with base64-encoded arguments, or communicating with domains registered in the last 90 days.
- Audit third-party supplier accounts with access to Citrix-adjacent systems. Rotate credentials, apply just-in-time access controls, and confirm MFA enrollment — even though MFA does not stop session replay, it limits what an attacker can do with harvested static passwords.
- Verify that Microsoft's vulnerable driver blocklist is enforced rather than merely audited. On Windows 11, check Windows Security > Device security > Core isolation > Microsoft Vulnerable Driver Blocklist, or the registry value VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config (1 = enforced); on older builds, enforce it through an HVCI or WDAC policy in enforced mode, not audit mode.
- Check NIST's vulnerability detail for CVE-2025-5777 and Citrix's advisory for CVSS scoring and the affected and fixed build ranges.
- Review your organization's current control framework against recognized standards at train2secure.com/standards to identify gaps this incident might expose.
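The first two items on the hunt list (patch status per appliance, then the session flush) can be automated over an inventory of NetScaler version banners. The following Python is an added example written for this article, not a Citrix or NetScaler tool. The hosts and banners are constructed, and the fixed-build table is copied from the June 2025 Citrix advisory as an assumption: re-verify it against the current advisory and the NVD entry before relying on it.

```python
"""Triage NetScaler appliances for CVE-2025-5777 from their 'show ns version'
banner and a session-flush flag. Added example, not a Citrix tool: the banners
and inventory are constructed, and the fixed-build table is copied from the
June 2025 Citrix advisory as an assumption to re-verify against the current
advisory and the NVD entry before relying on it."""
import re

# ASSUMPTION: first fixed build per release train, keyed by (release, fips_or_ndcpp).
FIXED_BUILDS = {
    ("14.1", False): (43, 56),
    ("13.1", False): (58, 32),
    ("13.1", True): (37, 235),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", True): (55, 328),   # 12.1-FIPS
}

# 'show ns version' prints e.g. "NetScaler NS14.1: Build 43.56.nc, Date: ...".
BANNER = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_version(banner):
    """Return (release, (build_major, build_minor)) or raise on an unknown format."""
    m = BANNER.search(banner)
    if m is None:
        raise ValueError("unrecognised version banner: %r" % banner)
    major, minor = m.group("build").split(".")
    return m.group("release"), (int(major), int(minor))


def assess(banner, fips=False):
    """'patched', 'vulnerable', or 'unknown' when the train is not in the table
    (end-of-life trains and anything Citrix adds later need a manual check)."""
    release, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return "unknown"
    return "patched" if build >= fixed else "vulnerable"


def triage(entry):
    """Fold in the post-patch step: a patched appliance whose ICA/PCoIP sessions
    were never killed still honours tokens leaked before the upgrade."""
    status = assess(entry["banner"], entry.get("fips", False))
    if status == "patched" and not entry.get("sessions_flushed", False):
        return "patched_sessions_not_flushed"
    return status


def triage_fleet(inventory):
    """Map each host to its triage result."""
    return {e["host"]: triage(e) for e in inventory}


# Constructed inventory. The flush flag would come from change records showing
# 'kill icaconnection -all' and 'kill pcoipConnection -all' were run after upgrade.
INVENTORY = [
    {"host": "ns-edge-01", "banner": "NetScaler NS14.1: Build 43.47.nc, Date: May 12 2025, 10:12:33   (64-bit)"},
    {"host": "ns-edge-02", "banner": "NetScaler NS14.1: Build 43.56.nc, Date: Jun 16 2025, 02:01:10   (64-bit)",
     "sessions_flushed": False},
    {"host": "ns-edge-03", "banner": "NetScaler NS13.1: Build 58.32.nc, Date: Jun 16 2025, 02:44:51   (64-bit)",
     "sessions_flushed": True},
    {"host": "ns-gw-fips", "banner": "NetScaler NS13.1: Build 37.200.nc, Date: Feb 3 2025, 08:15:02   (64-bit)",
     "fips": True},
    {"host": "ns-legacy", "banner": "NetScaler NS13.0: Build 92.21.nc, Date: Oct 4 2023, 11:30:44   (64-bit)"},
]

if __name__ == "__main__":
    for host, status in triage_fleet(INVENTORY).items():
        print(host, status)
```

Feed it the banner from each appliance individually rather than the version the management console believes is deployed; the point of the per-host check is to catch the node in an HA pair that never actually rebooted into the new build. An "unknown" result is a prompt to read the advisory for that train, not a pass.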
NetScaler appliances sit at the front door of enterprise identity infrastructure for a reason. Letting that door leak session tokens while the patch sits unapplied is not a technical failure — it is a prioritization failure. The fix exists. The session flush is documented. The hunt queries are available. What Anubis affiliates are counting on is inertia.
Don't give it to them.
How Anubis-style intrusions could be disrupted earlier
- Patch internet-facing appliances like NetScaler ADC within 72 hours of a critical advisory — and document the mandatory session flush as a required post-patch step, not an optional one.
- Baseline RMM tool behavior so that legitimate software spawning encoded PowerShell or communicating with new domains generates an immediate alert rather than blending into background noise.
- Train employees and IT staff to recognize credential-harvesting attempts and handle third-party access requests with the same scrutiny applied to internal privileged accounts.
Train2Secure's security-awareness programs cover credential hygiene, social engineering recognition, and the human behaviors that ransomware operators depend on — so your people become a detection layer, not a gap.
Frequently asked questions
Does enabling MFA on Citrix NetScaler protect against CVE-2025-5777 exploitation?
No. CVE-2025-5777 leaks active session tokens from appliance memory before any authentication challenge occurs. An attacker who replays a stolen token inherits an already-authenticated session, so MFA is never triggered. Session binding to device posture or client certificates is the relevant countermeasure.
What does 'session flush' mean and why does Citrix say patching alone is not enough?
After patching a vulnerable appliance, any session token established before the patch is still valid and still replayable. Citrix's guidance requires administrators to explicitly terminate all active ICA and PCoIP sessions once every node in the HA pair or cluster is upgraded, using kill icaconnection -all and kill pcoipConnection -all from the NetScaler CLI. Skipping that step leaves stolen tokens usable until those sessions expire or are killed.
How are Anubis affiliates evading endpoint detection after gaining access?
Affiliates install legitimate RMM tools — software that most enterprise allowlists already permit — to handle persistence and lateral movement. They also use Bring Your Own Vulnerable Driver (BYOVD) techniques to disable endpoint protection before deploying ransomware, making early behavioral detection critical.
Which versions of Citrix NetScaler ADC and Gateway are affected by CVE-2025-5777?
Full version-range details and CVSS scoring are published on the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-5777 and in Citrix's official advisory. Administrators should verify patch status per-appliance rather than assuming a fleet-wide deployment completed successfully.


