Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials

Summary

Ransomware groups, including the Anubis operation, are increasingly leveraging the Citrix Bleed 2 vulnerability (CVE-2025-5777) for initial access into victim networks. Attackers are combining this exploit with the Bring Your Own Vulnerable Driver (BYOVD) technique and with compromised supply chain credentials to mount more sophisticated attacks.

IFF Assessment

FOE

The article details advanced techniques and exploits used by ransomware groups to gain access and escalate privileges, posing a direct threat to defenders.

Severity

7.5 High

Citrix Bleed 2 is a critical vulnerability that allows unauthenticated remote code execution, leading to significant compromise of affected systems and data. Its high impact and ease of exploitation contribute to a high CVSS score.

CISA KEV: listed as actively exploited. Federal patch due: July 11, 2025. Known ransomware use: yes.

Defender Context

Defenders need to prioritize patching or mitigating CVE-2025-5777 in Citrix environments immediately. The attackers' reliance on remote monitoring and management (RMM) tools and compromised supply chain credentials highlights the importance of strong access controls, credential hygiene, and supply chain security monitoring to counter these evolving attack vectors.
