Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access
Initial Access covers phishing, exploits, and stolen credentials used to enter systems; MFA, patching, and segmentation reduce the resulting foothold.
Search across headline titles and summaries.
Background for this topic.
Initial access is the attacker’s first successful entry into an organization’s systems, accounts, or network. In threat-model terms, it covers paths such as phishing, exploitation of internet-facing applications or devices, use of valid stolen credentials, and compromise of a supplier or trusted service. The objective is to obtain a foothold that can support later actions, including privilege escalation, internal movement, or data access; initial access does not necessarily mean the attacker has administrative control.
The main security concern is reducing the number and reliability of these entry paths. Priorities include promptly fixing vulnerabilities in externally exposed systems, enforcing phishing-resistant multifactor authentication for sensitive access, limiting exposed services and unnecessary privileges, and using email, endpoint, and authentication telemetry to detect suspicious entry. Security teams should preserve relevant logs and investigate unusual logins or newly created access promptly, because the time between initial compromise and follow-on activity may be short.
Weekly headline count for the current query.
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability
Google on Tuesday revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting a now-patched critical security flaw in RARLAB WinRAR to establish initial access and deploy a diverse array of payloads
Multiple threat actors, both state-sponsored and financially motivated, are exploiting the CVE-2025-8088 high-severity vulnerability in WinRAR for initial access and to deliver various malicious payloads. [...]
A ransomware gang exploited the critical React2Shell vulnerability (CVE-2025-55182) to gain initial access to corporate networks and deployed the file-encrypting malware less than a minute later. [...]
In addition to using CVE-2018-0171 and other Cisco bugs to break into telecom networks, the China-sponsored APT is also using using stolen login credentials for initial access.
A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. [...]
Hundreds of initial access brokers and cybercrime gangs are jumping on the max-critical CVE-2024-1709 authentication bypass, threatening orgs and downstream customers.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. [...]