Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Summary
Ransomware groups, including the Anubis operation, are increasingly leveraging the Citrix Bleed 2 vulnerability (CVE-2025-5777) for initial access into victim networks. Attackers are combining this exploit with the Bring Your Own Vulnerable Driver (BYOVD) technique and compromising supply chain credentials for more sophisticated attacks.
IFF Assessment
The article details advanced techniques and exploits that ransomware groups use to gain access and escalate privileges, which pose a direct threat to the systems defenders protect.
Severity
Citrix Bleed 2 is a critical vulnerability that allows unauthenticated remote code execution, leading to significant compromise of affected systems and data. Its high impact and ease of exploitation contribute to a high CVSS score.
CISA KEV: listed as actively exploited. Federal patch due: July 11, 2025. Known ransomware use: yes.
Defender Context
Defenders need to prioritize patching or mitigating CVE-2025-5777 in Citrix environments immediately. The attackers' reliance on RMM tools and compromised supply chain credentials highlights the importance of strong access controls, credential hygiene, and supply chain security monitoring to counter these evolving attack vectors.