#citrixbleed2

Kevin Beaumont<p>The Dutch Public Prosecution Service Citrix Netscaler incident is rumbling on. They are working on service recovery. </p><p><a href="https://www.databreachtoday.com/dutch-prosecutors-recover-from-suspected-russian-hack-a-29129" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">databreachtoday.com/dutch-pros</span><span class="invisible">ecutors-recover-from-suspected-russian-hack-a-29129</span></a></p><p> <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a></p>
gmmds<p><a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a> Citrix engineer required!</p>
gmmds<p><span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> <a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a> The Dutch Cyber Centre script has been updated with an extra check for xhtml files in /var/netscaler <a href="https://github.com/NCSC-NL/citrix-2025/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.7.sh" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/NCSC-NL/citrix-2025</span><span class="invisible">/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.7.sh</span></a></p>
Kevin Beaumont<p>Emerging situation to be aware of - some of the <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> session hijacking victims are also victims of webshell implants via a different vuln, CVE-2025-6543.</p><p>Script to check for Netscaler implants: <a href="https://github.com/NCSC-NL/citrix-2025/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.6.sh" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/NCSC-NL/citrix-2025</span><span class="invisible">/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.6.sh</span></a></p>
gmmds<p><a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a> Hmm the Dutch Cyber Center script is back: <a href="https://github.com/NCSC-NL/citrix-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/NCSC-NL/citrix-2025</span><span class="invisible"></span></a> Just looking for php exploits on the Netscalers themselves. <span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> Any thoughts about this? It’s marked 2025-6543 which makes you wonder a bit which vulnerability was exploited at the OM.</p>
gmmds<p><a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a> An interesting article (though some mistakes I think) from the Splunk team on cve-2025-5777. I’m not sure whether it’s clumsy wording but they imply that the later cve-2025-6543 was related to cve-2025-5777 (“The vulnerability was disclosed on June 17, 2025, with Citrix expanding the scope and releasing patches by June 23.”) The date is wrong (should be 25th) though so not sure. <a href="https://www.splunk.com/en_us/blog/security/citrixbleed-vulnerability-detection-mitigation.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">splunk.com/en_us/blog/security</span><span class="invisible">/citrixbleed-vulnerability-detection-mitigation.html</span></a> Cool diagram too.</p>
Kevin Beaumont<p>The Dutch Public Prosecution Service <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> incident rolls on - NRC report on an email from the Director of their IT service, where they say “It is clear that it’s a massive and dramatic incident”. </p><p><a href="https://www.nrc.nl/nieuws/2025/07/22/digitale-werkomgeving-om-inderdaad-gehackt-onderzoek-moet-uitwijzen-welke-informatie-is-gestolen-a4901019" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">nrc.nl/nieuws/2025/07/22/digit</span><span class="invisible">ale-werkomgeving-om-inderdaad-gehackt-onderzoek-moet-uitwijzen-welke-informatie-is-gestolen-a4901019</span></a></p>
gmmds<p>Judging from the script, cve-2025-6543 is all about creating backdoors on the Netscalers. <a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a></p>
gmmds<p>Judging from this <a href="https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">ncsc.nl/actueel/nieuws/2025/07</span><span class="invisible">/22/casus-citrix-kwetsbaarheid</span></a> the Dutch Cyber Defence Center is most worried about cve-2025-6543 at the moment. IOC Detection script provided here: <a href="https://github.com/NCSC-NL/citrix-2025" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">github.com/NCSC-NL/citrix-2025</span><span class="invisible"></span></a> <a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a></p>
Kevin Beaumont<p>I think this thread exposes something about the cybersecurity industry and org posture btw - it almost all runs on Windows and EDR telemetry, hence why there’s little info on this from vendors (Netscaler is closed box appliance - they’re flying blind) and why orgs aren’t seeing anything, they don’t know how without vendors.</p><p>I keep contacting orgs and they have no idea they are compromised or how to investigate. </p><p> <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a></p>
Kevin Beaumont<p>The NCSC are strongly advising orgs to follow the advice on my blog re <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a>, in hindsight I probably shouldn’t have drawn the logo in MSPaint and titled a section “China goes brrrr”.</p>
Kevin Beaumont<p>The Dutch Public Prosecution Service (OM), which took their systems offline due to <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> on Friday, are saying they will be offline for weeks. <a href="https://nos.nl/artikel/2575857" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">nos.nl/artikel/2575857</span><span class="invisible"></span></a> HT <span class="h-card" translate="no"><a href="https://tacobelllabs.net/@moartn" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>moartn</span></a></span></p>
Kevin Beaumont<p>The Canadian government cyber centre are this weekend recommending all orgs review historic logs for <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> compromise, and reset all user sessions <a href="https://www.cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">cyber.gc.ca/en/alerts-advisori</span><span class="invisible">es/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543</span></a></p>
gmmds<p>Saturday afternoon, Dutch OM still not reconnected to the Internet after Citrix cve-2025-5777 exploit <a href="https://www.nrc.nl/nieuws/2025/07/19/digitale-werkomgeving-openbaar-ministerie-nog-steeds-uit-de-lucht-a4900727" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">nrc.nl/nieuws/2025/07/19/digit</span><span class="invisible">ale-werkomgeving-openbaar-ministerie-nog-steeds-uit-de-lucht-a4900727</span></a> <a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a></p>
The New Oil<p><a href="https://mastodon.thenewoil.org/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> exploited weeks before PoCs as <a href="https://mastodon.thenewoil.org/tags/Citrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Citrix</span></a> denied attacks</p><p><a href="https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/</span></a></p><p><a href="https://mastodon.thenewoil.org/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a></p>
Kevin Beaumont<p>I've been working with <span class="h-card" translate="no"><a href="https://infosec.exchange/@shadowserver" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>shadowserver</span></a></span> btw, their scan results for <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> now show far more vulnerable systems. Their scanning is independent of mine, logic is improving, more orgs will get notifications. I'm going to try getting victims for notification across too.</p>
Kevin Beaumont<p>Updated <a href="https://cyberplace.social/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> scans <a href="https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/GossiTheDog/scannin</span><span class="invisible">g/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt</span></a></p><p>Fields - IP, SSL certification hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777</p><p>I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.</p>
Pyrzout :vm:<p>CitrixBleed 2: 100 Organizations Hacked, Thousands of Instances Still Vulnerable <a href="https://www.securityweek.com/citrixbleed-2-100-organizations-hacked-thousands-of-instances-still-vulnerable/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">securityweek.com/citrixbleed-2</span><span class="invisible">-100-organizations-hacked-thousands-of-instances-still-vulnerable/</span></a> <a href="https://social.skynetcloud.site/tags/Vulnerabilities" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Vulnerabilities</span></a> <a href="https://social.skynetcloud.site/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> <a href="https://social.skynetcloud.site/tags/CitrixBleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CitrixBleed2</span></a> <a href="https://social.skynetcloud.site/tags/exploited" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>exploited</span></a> <a href="https://social.skynetcloud.site/tags/Citrix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Citrix</span></a></p>
gmmds<p><a href="https://mastodonapp.uk/tags/citrixbleed2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>citrixbleed2</span></a> Latest news from Holland is that the Dutch Public Prosecution office (Openbaar Ministerie) is down (disconnected from Internet) quite likely (from the various reporting) due to an exploited cve-2025-5777. <a href="https://www.nrc.nl/nieuws/2025/07/18/openbaar-ministerie-is-offline-vanwege-ernstige-zorgen-over-ict-beveiliging-datalek-niet-uitgesloten-a4900617" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">nrc.nl/nieuws/2025/07/18/openb</span><span class="invisible">aar-ministerie-is-offline-vanwege-ernstige-zorgen-over-ict-beveiliging-datalek-niet-uitgesloten-a4900617</span></a> The earliest list from <span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> showed at least quite a few instances patched (*.om.nl) so if this is the problem, they weren’t totally remiss in patching.</p>