In summary: Ransomware groups are exploiting a vulnerability in Citrix NetScaler devices, known as Citrix Bleed 2, as a gateway into corporate networks. If your small or medium-sized business uses Citrix remote access, an update and a few checks are often enough to close the door.
What Happened
A report published this week by the security firm Arctic Wolf, picked up on July 3 by The Hacker News, describes how affiliates of the Anubis ransomware exploit the Citrix Bleed 2 vulnerability (CVE-2025-5777) to gain initial access to targeted networks. The vulnerability affects NetScaler ADC and Gateway appliances, which many companies use to publish remote access to their applications, when the appliance is configured as a Gateway or AAA virtual server. A malformed request to the appliance's authentication endpoint, sent without any credentials, makes it return a slice of its own memory; that memory can contain valid session tokens, and an attacker who replays one is logged in as the legitimate user without ever passing the login page or its multi-factor prompt.
Once inside the network, the attackers move quietly. They install common remote administration tools such as ScreenConnect, Zoho Assist, or UltraVNC, which are hard to distinguish from legitimate IT management activity. In one observed case, the installer was downloaded from a domain named azuremicrosoft[.]us, chosen to look like a Microsoft Azure service. The attackers then disable Windows Defender's real-time protection, remove security agents, and start encryption in less than a day. Some go further and delete files irreversibly, so recovery then depends entirely on backups.
According to the Ransomware.Live platform, France is among the countries most affected by Anubis, behind the United States and the United Kingdom. The same report highlights other groups that are gaining momentum, including The Gentlemen, which loads a vulnerable third-party driver (the bring-your-own-vulnerable-driver technique) to disable antivirus software, according to analyses by Kaspersky and Expel. There is currently no indication of a campaign specifically targeting French SMEs, but the technique has been documented and is reproducible.
Does this apply to me?
The first question is simple: Does your company use Citrix NetScaler ADC or Gateway equipment for remote access—often set up for remote work or to make a business application available externally? If the answer is no, this specific vulnerability does not directly affect you, and you can treat this as a friendly reminder.
If the answer is yes, or if you’re not sure, you fall within the scope of the assessment. The risk does not depend on your size but on your exposure: a single unpatched NetScaler device, accessible from the Internet, is enough to provide an entry point. SMEs and mid-sized companies that have outsourced their infrastructure to a service provider are also affected, as responsibility for updates must be clearly assigned. Any uncertainty about who manages what is, in itself, a red flag that needs to be addressed.
What to Do Now
1. Verify that a NetScaler is present and check its patch level. Ask your IT team or managed service provider whether a Citrix NetScaler ADC or Gateway appliance is in use and, if so, which build it is running (on the appliance, `show ns version` prints it) and whether that build is fixed against CVE-2025-5777 according to Citrix's advisory. Citrix released the patches several months ago; the 12.1 and 13.0 branches are end of life and receive no fix, so an appliance on one of those branches must be upgraded to a supported branch rather than patched in place. If yours is not up to date, this is the top priority.
2. Terminate active sessions after the update. Applying the patch is not enough if session tokens were already read from memory before it: those tokens stay valid until the sessions that issued them are cleared. Once every appliance in the HA pair or cluster has been upgraded, terminate all ongoing ICA and PCoIP sessions from the appliance CLI with the two commands Citrix's advisory gives for this purpose, `kill icaconnection -all` and `kill pcoipConnection -all`, so that any token an attacker already holds stops working.
3. Look for signs of intrusion and strengthen access controls. Check endpoints and servers for remote administration tools nobody planned to install (ScreenConnect, Zoho Assist, UltraVNC), for DNS or proxy requests to domains that imitate Microsoft, and for Windows Defender real-time protection being switched off without a change request. Enable multi-factor authentication for remote access if you have not already done so; bear in mind that it protects against stolen passwords, not against a replayed session token, so it complements the patch and the session reset rather than replacing them. This assessment aligns with the measures required by the NIS2 Directive for companies in scope.
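As an added example (not code from IT Systèmes, Citrix or the Arctic Wolf report), the following Python script automates the two checks a practitioner would script from steps 1 and 3: it parses the build string that `show ns version` prints and compares it against the first fixed builds for CVE-2025-5777, and it runs a few indicator checks over constructed endpoint log lines for the post-access behaviour described above. The fixed-build table, the `show ns version` output format, the tool image names, the Microsoft domain allowlist and the key=value log format are all assumptions made for the example; confirm the build numbers against Citrix's current advisory before relying on them.

```python
"""Triage helpers for steps 1 and 3 above. Added example, not code from
IT Systèmes, Citrix or Arctic Wolf.

assess_version()  parses `show ns version` output and compares the build
                  with the first fixed builds for CVE-2025-5777.
scan_indicators() runs simple checks over endpoint log lines for the
                  post-access behaviour described in the report.
"""
import re
from typing import Dict, List, Tuple

# First fixed builds on the supported branches, as listed in Citrix's advisory.
# ASSUMPTION: confirm against the current advisory before relying on them;
# FIPS/NDcPP builds use their own numbering and are not covered here.
FIXED_BUILDS = {(14, 1): (43, 56), (13, 1): (58, 32)}
# Branches Citrix lists as End of Life: no fix exists, treat them as exposed.
EOL_BRANCHES = {(13, 0), (12, 1)}

# Accepts the CLI form "NetScaler NS14.1: Build 43.56.nc, Date: ..." and the
# short advisory form "14.1-43.56". ASSUMPTION: CLI format taken from typical
# `show ns version` output.
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)",
                         re.IGNORECASE)


def assess_version(version_text: str) -> str:
    """Return 'patched', 'unpatched', 'end-of-life' or 'unknown'."""
    m = _VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    major, minor, build, sub = (int(x) for x in m.groups())
    if (major, minor) in EOL_BRANCHES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unknown"   # e.g. a FIPS branch: check the advisory by hand
    return "patched" if (build, sub) >= fixed else "unpatched"


# Lower-case substrings of the installer/agent image names of the tools the
# report names. ASSUMPTION: a real deployment would use a vetted list.
REMOTE_ADMIN_TOOLS = {"screenconnect": "ScreenConnect", "zohoassist": "Zoho Assist",
                      "za_connect": "Zoho Assist", "ultravnc": "UltraVNC",
                      "winvnc": "UltraVNC"}
# Registrable domains Microsoft actually uses; illustrative, not exhaustive.
MICROSOFT_DOMAINS = ("microsoft.com", "microsoftonline.com", "azure.com",
                     "azure.net", "windows.net", "office.com", "live.com")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _parse(line: str) -> Dict[str, str]:
    """key=value log line (quoted values allowed) -> dict."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}


def looks_like_microsoft(host: str) -> bool:
    """True for a host that name-drops Microsoft or Azure but is not under a
    Microsoft-owned domain, e.g. azuremicrosoft.us or microsoft.com.evil.net."""
    h = host.lower().rstrip(".")
    if not any(brand in h for brand in ("microsoft", "azure")):
        return False
    return not any(h == d or h.endswith("." + d) for d in MICROSOFT_DOMAINS)


def scan_indicators(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the behaviours step 3 asks about."""
    findings = []
    for line in lines:
        f = _parse(line)
        event = f.get("event", "")
        if event == "ProcessCreate":
            image = f.get("image", "")
            for needle, tool in REMOTE_ADMIN_TOOLS.items():
                if needle in image.lower():
                    findings.append(("remote-admin-tool", f"{tool}: {image}"))
                    break
        elif event == "DnsQuery" and looks_like_microsoft(f.get("name", "")):
            findings.append(("lookalike-domain", f["name"]))
        elif (event == "RegistryValueSet"
              and f.get("value", "").lower() == "disablerealtimemonitoring"
              and f.get("data") == "1"):
            findings.append(("defender-realtime-disabled", f.get("key", "")))
    return findings


# Constructed sample lines in a simple key=value format; not real telemetry.
SAMPLE_LOG_LINES = [
    r"ts=2025-01-01T09:13:41 host=FS01 event=ProcessCreate image=C:\Users\user1\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
    r"ts=2025-01-01T09:14:02 host=FS01 event=DnsQuery name=download.azuremicrosoft.us",
    r'ts=2025-01-01T09:20:10 host=FS01 event=RegistryValueSet key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" value=DisableRealtimeMonitoring data=1',
    r"ts=2025-01-01T09:25:00 host=FS01 event=ProcessCreate image=C:\Windows\System32\svchost.exe",
    r"ts=2025-01-01T10:00:00 host=FS01 event=DnsQuery name=login.microsoftonline.com",
]

if __name__ == "__main__":
    print(assess_version("NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2025"))
    for kind, detail in scan_indicators(SAMPLE_LOG_LINES):
        print(f"{kind}: {detail}")
```

`assess_version` deliberately returns `unknown` for branches not in its table (for example the FIPS builds) so that they get checked by hand rather than silently passed. The domain check flags any name that contains "microsoft" or "azure" but is not under a Microsoft-owned registrable domain, which also catches forms such as microsoft.com.evil.net; the three kinds of finding line up with the three things step 3 asks you to look for.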
Not sure about your exposure?
Get an update from an IT Systèmes expert
A quick assessment of your exposure and the steps you should take. No obligation.
In a nutshell
Citrix Bleed 2 is not a theoretical vulnerability: ransomware groups are currently using it to gain access to networks, and France is among the targets. The right course of action is not to shut everything down, but to check one specific thing: Are your Citrix NetScaler appliances patched, and were active sessions terminated after the patch? An infrastructure that is monitored and patched in a timely manner makes this type of attack much more difficult.
Frequently asked questions
I don't have Citrix—am I safe? For this specific vulnerability, yes. But the same intrusion logic applies to any remote access exposed to the Internet (VPN, application portal): keeping it patched and monitored remains the best protection.
My IT service provider manages my servers—do I need to do anything? All you need to do is send a message: ask them to confirm in writing that your NetScaler devices have been patched against CVE-2025-5777 and that the sessions have been reset.
Should you pay if you're infected? No. Paying doesn't guarantee anything, and some of these groups destroy the files even after receiving the ransom. Tested backups and reporting the incident remain the best course of action.
— Samir Amara, CEO — IT Systèmes