CitrixBleed 2: Seven Steps From NetScaler Memory Leak to DragonForce Ransomware in Under an Hour — Patch AND Terminate All Sessions
Huntress investigated 6 intrusions and found the same playbook every time. CVE-2025-5777 leaks heap memory via 5,000+ malformed pre-auth requests, exposing active session tokens. Token replayed — MFA irrelevant. SYSTEM in minutes via registry-symlink trick. Rogue admin account. ScreenConnect + Zoho Assist persistence. DragonForce ransomware in under an hour. Critical: stolen tokens survive patching — terminate all sessions now.
Read Full Brief →Threats & Attacks
5,937 login failures = leaked heap memory, not wrong passwords. Session token stolen. MFA bypassed. SYSTEM in minutes. Same playbook across 6 unrelated victims. Stolen tokens survive patching — terminate all sessions now.
Autonomous LLM: initial access to database encryption to ransom demand. No human at keyboard. Key displayed once, never stored. Ran on victim’s own stolen API keys. Cost near zero.
Six-instruction race window. Root 99% of the time. Reaches Android from Chrome’s renderer sandbox. Third LPE in two weeks. Patch and reboot now.
Normal prompt. MCP response. Sandbox binary overwritten. No click. Full machine. 50%+ Fortune 500. Update to Cursor 3.0 now.
Payload in DNS TXT record — never in repo. Static analysis, AI agent, human review: all blind. “Claude Code never decided to open a shell. It decided to fix an error.”
Bypasses TOTP, push, SMS. Token survives password resets. Helix now targeting SharePoint with same technique + vishing. Conditional Access doesn’t block by default.
Intelligence & Deep Dive
The DataWater Intelligence Brief
Weekly CISO-level threat analysis — breaking vulnerabilities, technical depth, zero noise.
