CitrixBleed 2 (CVE-2025-5777): The Seven-Step Playbook From NetScaler Memory Leak to DragonForce Ransomware in Under an Hour
Huntress investigated six intrusions across unrelated organizations in the first half of 2026 and found the same repeatable seven-step attack chain every time: CitrixBleed 2 memory overread steals a live session token, MFA is bypassed entirely, SYSTEM escalation via registry-symlink/AppMgmt trick, rogue admin account created, ScreenConnect and Zoho Assist deployed for persistence, and in the most advanced case, DragonForce ransomware deployed in under an hour from initial access. CVE-2025-5777 CVSS 9.3. An IAB is productizing this as a runbook. Sophos tracks the same cluster as STAC3725. Patch NetScaler and terminate all outstanding sessions now — harvested tokens survive a patch.
