#citrixbleed2

Kevin Beaumont
The Dutch Public Prosecution Service Citrix Netscaler incident is rumbling on. They are working on service recovery.
https://www.databreachtoday.com/dutch-prosecutors-recover-from-suspected-russian-hack-a-29129
#CitrixBleed2

gmmds
@GossiTheDog #citrixbleed2 The Dutch Cyber Centre script has been updated with an extra check for xhtml files in /var/netscaler: https://github.com/NCSC-NL/citrix-2025/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.7.sh

Kevin Beaumont
Emerging situation to be aware of - some of the #CitrixBleed2 session hijacking victims are also victims of webshell implants via a different vuln, CVE-2025-6543.
Script to check for Netscaler implants: https://github.com/NCSC-NL/citrix-2025/blob/main/TLPCLEAR_check_script_cve-2025-6543-v1.6.sh

gmmds
#citrixbleed2 Hmm, the Dutch Cyber Center script is back: https://github.com/NCSC-NL/citrix-2025 Just looking for PHP exploits on the Netscalers themselves. @GossiTheDog Any thoughts about this? It’s marked 2025-6543, which makes you wonder a bit which vulnerability was exploited at the OM.

Kevin Beaumont
The Dutch Public Prosecution Service #CitrixBleed2 incident rolls on - NRC report on an email from the Director of their IT service, where they say “It is clear that it’s a massive and dramatic incident”.
https://www.nrc.nl/nieuws/2025/07/22/digitale-werkomgeving-om-inderdaad-gehackt-onderzoek-moet-uitwijzen-welke-informatie-is-gestolen-a4901019

Kevin Beaumont
I think this thread exposes something about the cybersecurity industry and org posture btw - it almost all runs on Windows and EDR telemetry, hence why there’s little info on this from vendors (Netscaler is a closed-box appliance - they’re flying blind) and why orgs aren’t seeing anything; they don’t know how without vendors.
I keep contacting orgs and they have no idea they are compromised or how to investigate.
#CitrixBleed2

Kevin Beaumont
The NCSC are strongly advising orgs to follow the advice on my blog re #CitrixBleed2; in hindsight I probably shouldn’t have drawn the logo in MSPaint and titled a section “China goes brrrr”.

Kevin Beaumont
The Dutch Public Prosecution Service (OM), which took their systems offline due to #CitrixBleed2 on Friday, are saying they will be offline for weeks. https://nos.nl/artikel/2575857 HT @moartn

Kevin Beaumont
The Canadian government cyber centre are this weekend recommending all orgs review historic logs for #CitrixBleed2 compromise, and reset all user sessions: https://www.cyber.gc.ca/en/alerts-advisories/vulnerabilities-impacting-citrix-netscaler-adc-netscaler-gateway-cve-2025-5349-cve-2025-5777-cve-2025-6543

Kevin Beaumont
I've been working with @shadowserver btw; their scan results for #CitrixBleed2 now show far more vulnerable systems. Their scanning is independent of mine, logic is improving, more orgs will get notifications. I'm going to try getting victims for notification across too.

Kevin Beaumont
Updated #CitrixBleed2 scans: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt
Fields - IP, SSL certificate hostnames, Netscaler firmware, if vulnerable to CVE-2025-5777
I've had a few orgs contest that they're not vulnerable and the scan is wrong. I've assisted each org, and in each case they've been wrong - they'd patched the wrong Netscaler, the passive HA node etc.

Kevin Beaumont
Citrix have a blog out about hunting for #CitrixBleed2
https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/
It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs

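The two hunting checks named in the post above (garbage in the username field, and one session ID seen from more than one source IP) as an added worked example. This is not code from Citrix's blog or from the poster; it runs over constructed sample records in a simplified, made-up log layout (not NetScaler's real ns.log format), and the set of characters a legitimate username may contain is an assumption you would tune to your own directory's naming rules.

```python
"""Hunt authentication logs for two CitrixBleed2 (CVE-2025-5777) indicators:
non-printable or otherwise impossible characters in the username field, and a
single session ID used from several source IPs. Added example; the record
format below is constructed for illustration, not NetScaler's real layout."""
import re
import string
from collections import defaultdict

# Assumption: what a legitimately typed username may contain. Tune for your
# directory (UPN, DOMAIN\user, etc.); anything outside this set is suspect.
ALLOWED_USERNAME_CHARS = set(string.ascii_letters + string.digits + "._-@\\")

# Constructed sample records (not real logs). The last one carries the kind
# of leaked-memory bytes that end up in the username field, written with
# escapes so the file stays readable.
SAMPLE_LOG = [
    '2025-07-01T10:00:01Z AAA LOGIN user="alice" src=203.0.113.5 session=s-1001',
    '2025-07-01T10:00:09Z AAA LOGIN user="bob" src=198.51.100.7 session=s-1002',
    '2025-07-01T10:00:15Z AAA LOGIN user="carol" src=203.0.113.5 session=s-1003',
    '2025-07-01T10:05:40Z AAA REQUEST src=192.0.2.9 session=s-1002',
    '2025-07-01T10:07:02Z AAA LOGIN user="\x00\x1f\xc3\xa9\xff" src=192.0.2.9 session=s-1004',
]

RECORD_RE = re.compile(r'^(?P<ts>\S+) AAA (?P<event>\w+) (?P<rest>.*)$')
USER_RE = re.compile(r'user="(?P<user>[^"]*)"')  # quoted: may hold spaces/garbage
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_record(line):
    """Turn one constructed log line into a dict; None if it does not match."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "event": m.group("event"), "user": None}
    rest = m.group("rest")
    um = USER_RE.search(rest)
    if um:
        rec["user"] = um.group("user")
        rest = rest[:um.start()] + rest[um.end():]  # don't re-parse the quoted field
    for key, value in KV_RE.findall(rest):
        rec[key] = value
    return rec


def username_is_suspicious(user):
    """True when the username holds characters no real user would type."""
    if user is None:
        return False
    return any(ch not in ALLOWED_USERNAME_CHARS for ch in user)


def find_suspicious_usernames(records):
    """(timestamp, username, source IP) for every record with a garbage username."""
    return [(r["ts"], r["user"], r.get("src"))
            for r in records if username_is_suspicious(r["user"])]


def find_multi_ip_sessions(records):
    """Session IDs observed from more than one source IP -> sorted list of IPs."""
    ips_by_session = defaultdict(set)
    for r in records:
        if "session" in r and "src" in r:
            ips_by_session[r["session"]].add(r["src"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}


def hunt(lines):
    """Run both checks over raw log lines and return the findings."""
    records = [r for r in map(parse_record, lines) if r]
    return {
        "suspicious_usernames": find_suspicious_usernames(records),
        "multi_ip_sessions": find_multi_ip_sessions(records),
    }


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ts, user, src in result["suspicious_usernames"]:
        print(f"[!] {ts} garbage username {user!r} from {src}")
    for sess, ips in result["multi_ip_sessions"].items():
        print(f"[!] session {sess} used from several IPs: {', '.join(ips)}")
```

Two users sharing one source IP (alice and carol behind the same NAT) is deliberately not flagged; the hijack signal is the reverse, one session appearing from more than one IP, which here fires for s-1002 after the login from 198.51.100.7 is followed by a request on the same session from 192.0.2.9.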
Kevin Beaumont
With the #CitrixBleed2 patch data I publish, it's possible to view the history on GitHub for each new scan and see when hosts change from vuln to patched.
It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitrixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.
It's definitely interesting and may need a scale out.

Kevin Beaumont
I’m fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.
Citrix continue to be MIA. They still have no detection guidance for customers, and haven’t told customers the extent of the issue.
#CitrixBleed2

Kevin Beaumont
GreyNoise blog just out about #CitrixBleed2; they see exploitation from IPs in China from June 23rd targeting specifically Netscaler appliances: https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc

Xavier «X» Santolaria
🔥 Latest issue of my curated #cybersecurity and #infosec list of resources for week #28/2025 is out!
It includes the following and much more:
🇬🇧 Teenagers arrested in connection with cyber attacks on M&S and the Co-op;
🇺🇸 🫣 #AI voice clones have hit the White House AGAIN;
🩸 Exploit for #CitrixBleed2 released;
🇪🇺 Trend where European authorities are detaining individuals on behalf of the U.S. for cybercrime-related accusations;
📲 eSIMs can be cloned to spy on mobile communications;
🇨🇳 🇺🇸 Chinese hackers suspected in #breach of powerful Washington DC law firm;
🚙 Millions of cars exposed through Bluetooth flaw;
📨 Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every weekend ⬇️
https://infosec-mashup.santolaria.net/p/infosec-mashup-28-2025

Jon Greig
In a rare move, CISA gave federal agencies just one day to patch Citrix Netscaler bug CVE-2025-5777.
Patch ASAP #CitrixBleed2 #2Citrix2Bloody
https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

K. Reid Wightman
#citrixbleed2