Critical Exploitation of Citrix Bleed 2 (CVE‑2025‑5777) by Ransomware Groups
What It Is — The Citrix Bleed 2 flaw (CVE‑2025‑5777) is a remote code execution vulnerability in Citrix ADC/Gateway that allows an unauthenticated attacker to execute arbitrary commands on the underlying operating system.
Exploitability — Active exploitation has been confirmed in the wild by the Anubis ransomware affiliate network; proof‑of‑concept code is publicly available. CVSS v3.1 base score 9.8 (Critical).
Affected Products — Citrix ADC (formerly NetScaler) and Citrix Gateway versions prior to the vendor‑issued patches released in March 2026.
Why It Matters for Compliance & Audit Readiness
- Control‑mapping pressure: The exploit bypasses network‑level segmentation controls (SOC 2 CC6.1 – System Operations) that auditors expect to see documented and continuously monitored.
- Evidence of due‑diligence: Demonstrating that you have a process to detect unpatched critical CVEs and capture remediation evidence is now a de‑facto audit requirement for enterprise buyers.
- Defensible audit trail: Continuous collection of patch‑status and RMM‑tool usage logs provides the audit‑ready artifacts needed to prove “secure configuration management” under SOC 2.
Recommended Actions
- Apply Citrix’s March 2026 security update to all ADC/Gateway instances immediately.
- Enable automated vulnerability scanning that flags CVE‑2025‑5777 and maps the finding to the SOC 2 CC6.1 control.
- Capture patch‑deployment logs and RMM‑tool activity as immutable evidence for audit reviewers.
- Review RMM‑tool access policies; enforce least‑privilege and MFA for any remote‑management accounts.
Source: The Hacker News – Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials