Large-Scale Citrix ADC Gateway Reconnaissance Campaign Uncovered
A sophisticated reconnaissance campaign targeting Citrix ADC (NetScaler) Gateway infrastructure has been detected, involving over 63,000 residential proxy IPs and AWS cloud instances to map login panels and enumerate software versions. The operation, which generated 111,834 scanning sessions, was highly targeted: 79% of traffic focused on Citrix Gateway honeypots, indicating deliberate pre-exploitation preparation rather than random scanning.
The campaign unfolded in two phases:
- Login Panel Discovery (Primary Phase)
  - 109,942 sessions from 63,189 unique IPs probed the /logon/LogonPoint/index.html authentication interface.
  - 64% of traffic originated from residential proxies across Vietnam, Argentina, Mexico, Algeria, and Iraq, while a single Microsoft Azure IP in Canada accounted for 36%.
  - Threat actors used unique browser fingerprints and residential proxies to evade geographic and reputation-based blocking.
- Version Disclosure Sprint (AWS Phase)
  - On February 1, 2026, 10 AWS instances in us-west-1/us-west-2 executed a six-hour scan, sending 1,892 requests to /epa/scripts/win/nsepa_setup.exe to identify Citrix Endpoint Analysis (EPA) versions.
  - Activity peaked at 362 sessions around 02:00 UTC before tapering off by 05:00 UTC.
  - All requests used an outdated Chrome 50 user agent (2016) and uniform HTTP fingerprints, suggesting a coordinated effort to exploit known vulnerabilities.
Researchers from GreyNoise noted the focus on the EPA setup file path indicates potential interest in version-specific exploits, particularly given recent critical Citrix vulnerabilities:
- CVE-2025-5777 ("CitrixBleed 2")
- CVE-2025-5775 (remote code execution, exploited as a zero-day).
Detection and Indicators of Compromise (IOCs)
- User agents: blackbox-exporter (unauthorized sources), Chrome 50 (2016)
- Targeted paths: /logon/LogonPoint/, /epa/scripts/win/nsepa_setup.exe
- AWS IPs (Version Disclosure): 44.251.121.190, 13.57.253.3, 50.18.232.85, 52.36.139.223, 54.201.20.56, 54.153.0.164, 54.176.178.13, 18.237.26.188, 54.219.42.163, 18.246.164.162
- Azure IP (Login Panel Discovery): 52.139.3.76
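As an added example (not code from the GreyNoise report or the source article), the following Python script applies the indicators above to web-server access-log lines in the combined log format. The sample lines are constructed, and the rule that two indicators must coincide before a line is flagged is an assumption made here, because legitimate users also request the logon page and the EPA installer.

```python
import re
from collections import Counter
# Indicators from the report above: targeted paths, user agents, scanning IPs.
TARGET_PATHS = ("/logon/LogonPoint/", "/epa/scripts/win/nsepa_setup.exe")
RECON_IPS = {"44.251.121.190", "13.57.253.3", "50.18.232.85", "52.36.139.223",
             "54.201.20.56", "54.153.0.164", "54.176.178.13", "18.237.26.188",
             "54.219.42.163", "18.246.164.162", "52.139.3.76"}
UA_PATTERNS = (re.compile(r"blackbox-exporter"), re.compile(r"Chrome/50\."))

# Combined log format (Apache/NGINX); a NetScaler access log needs its own regex.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def classify(line):
    """Return the indicator tags one access-log line matches ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    ip, _ts, _method, path, _status, ua = m.groups()
    tags = []
    if ip in RECON_IPS:
        tags.append("known-recon-ip")
    if any(path.startswith(p) for p in TARGET_PATHS):
        tags.append("targeted-path")
    if any(p.search(ua) for p in UA_PATTERNS):
        tags.append("suspicious-ua")
    return tags

def is_recon(tags):
    """Assumed rule: two or more indicators must coincide, since real users also
    request the logon page and the EPA installer, so a path hit alone is not enough."""
    return "unparsed" not in tags and len(tags) >= 2

def summarize(lines):
    """Tally indicator hits and collect the source IPs whose lines were flagged."""
    counts, flagged = Counter(), set()
    for line in lines:
        tags = classify(line)
        counts.update(tags)
        if is_recon(tags):
            flagged.add(line.split(" ", 1)[0])
    return counts, flagged

# Constructed sample lines, not real traffic; 203.0.113.0/24 is documentation space.
SAMPLE = [
    '44.251.121.190 - - [01/Feb/2026:02:03:11 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36"',
    '203.0.113.7 - - [01/Feb/2026:02:04:01 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "blackbox-exporter/0.24.0"',
    '203.0.113.9 - - [01/Feb/2026:02:05:30 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
    '203.0.113.12 - - [01/Feb/2026:02:06:00 +0000] "GET /vpn/index.html HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"',
]
```

Running summarize(SAMPLE) flags the AWS address and the blackbox-exporter client while leaving the ordinary Firefox logon request unflagged.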
The campaign’s scale and precision suggest threat actors are actively preparing for potential exploitation, likely targeting unpatched or misconfigured Citrix ADC deployments.
Source: https://gbhackers.com/exposed-citrix-netscaler-login-pages/
Citrix cybersecurity rating report: https://www.rankiteo.com/company/citrix