Dutch follows English

 

On June 17 2025, Citrix published an advisory regarding two vulnerabilities [1]. These two critical vulnerabilities in NetScaler ADC and NetScaler Gateway appliances allow attackers to gain unauthorized access to certain parts of the system and cause an out-of-bounds read. We previously emailed you about these vulnerabilities with the advice to apply the patch quickly. Since then, these vulnerabilities have been exploited at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your devices have been compromised and act accordingly.

 

Description 

On June 17, Citrix published details of the vulnerabilities in their products and made patches available. As early as June 20, a threat actor presumed to be a Chinese nation-state actor began exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled anyone to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability, and threat intelligence providers have used this exploitation activity to retroactively spot exploitation prior to July 4, which resulted in the intelligence on Chinese actors.

Impact 

The impact of this vulnerability is high: it allows attackers to obtain valid session tokens and hijack existing sessions, or set up new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial, but not especially difficult either.

Risk 

If you did not patch your vulnerable NetScalers prior to July 4, you should assume they have been compromised. If you did not patch your vulnerable NetScalers prior to June 20 and you are potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise.
 

Mitigation 

Follow the patching advice previously described in our TR [3].

What should you do? 

If you have not patched your vulnerable NetScaler devices yet, we recommend taking them offline immediately and investigating whether the devices, and the IT systems they give access to, have been compromised. The likelihood of compromise is high at this point, and attackers who gained access through these NetScaler devices have most likely had access to the systems behind them for some time.

If you patched after June 20, we recommend that you investigate your logs for signs of compromise using the published indicators [4]. Additionally, you can search for a mismatch between the IP address that started a user session and the IP address from which that session was subsequently used. Such a mismatch is an indication of a session having been hijacked by an attacker.

If you spot anomalies in IP addresses in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.
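The session/IP mismatch search described above, as an added example that is not part of the original bulletin: it correlates session logins with later requests and flags sessions used from another IP, or used without any observed login. The log format, session ids and IP addresses are constructed for illustration and do not reflect the real NetScaler syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, assumed format (not the real
# NetScaler syslog layout): one LOGIN line per session start, then REQUEST
# lines while the session is in use. Session ids and IPs are placeholders.
SAMPLE_LOG = """\
2025-07-05T08:01:12Z LOGIN user=alice session=sess-aaaa1111 src=203.0.113.10
2025-07-05T08:02:30Z REQUEST session=sess-aaaa1111 src=203.0.113.10 path=/
2025-07-05T08:05:02Z LOGIN user=bob session=sess-bbbb2222 src=198.51.100.7
2025-07-05T08:06:44Z REQUEST session=sess-bbbb2222 src=198.51.100.7 path=/app
2025-07-05T08:07:10Z REQUEST session=sess-bbbb2222 src=192.0.2.99 path=/admin
2025-07-05T08:09:55Z REQUEST session=sess-cccc3333 src=192.0.2.99 path=/app
"""

LOGIN_RE = re.compile(r"\S+ LOGIN user=(?P<user>\S+) session=(?P<sid>\S+) src=(?P<ip>\S+)")
REQ_RE = re.compile(r"\S+ REQUEST session=(?P<sid>\S+) src=(?P<ip>\S+)")


def find_hijacked_sessions(log_text):
    """Return {session_id: finding} for sessions used from an IP other than
    their login IP, or used without any login observed on this appliance."""
    origin = {}                  # session id -> (user, login ip)
    seen_ips = defaultdict(set)  # session id -> ips that used the session
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            origin[m["sid"]] = (m["user"], m["ip"])
            continue
        m = REQ_RE.match(line)
        if m:
            seen_ips[m["sid"]].add(m["ip"])

    findings = {}
    for sid, ips in seen_ips.items():
        if sid not in origin:
            # A token in use that never went through the login flow here
            findings[sid] = {"user": None, "login_ip": None, "other_ips": sorted(ips),
                             "reason": "used without observed login"}
        elif ips - {origin[sid][1]}:
            user, login_ip = origin[sid]
            findings[sid] = {"user": user, "login_ip": login_ip,
                             "other_ips": sorted(ips - {login_ip}),
                             "reason": "used from IP other than login IP"}
    return findings


if __name__ == "__main__":
    for sid, finding in find_hijacked_sessions(SAMPLE_LOG).items():
        print(sid, finding)
```

Users behind carrier-grade NAT or on mobile networks can legitimately change IP mid-session, and a log window that starts after a login will produce "used without observed login" hits, so treat matches as leads to triage rather than confirmed hijacks.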

 

What will Northwave do? 

Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.  

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information. 

 
E-mail:
soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 

Disclaimer applies, see below. 

Sources 

[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420  

[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

[3]: https://northwave-cybersecurity.com/threat-response-critical-vulnerabilities-in-citrix-netscaler-adc-and-netscaler-gateway

[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71


 

Dutch follows English 
 
Dear Reader,
 
Starting on August 16th 2025, the Northwave SOC observed an increasing number of detections of software called “Manual Finder”. Further investigation of the threat uncovered a multi-stage attack chain leading to the installation of this software. Limited information is available regarding the objective of the threat at present [1][2]. However, given the number of affected devices, we want to share our current findings to help you identify potential risks within your environment.
 
Description 
Based on Northwave’s investigative findings, the installation of Manual Finder is facilitated through other applications that currently advertise themselves as PDF editors. These in turn are distributed through a number of identified channels, mostly malvertising (malicious advertising).
The second stage of the execution consists of the covert download, installation and execution of “Manual Finder”. It remains unclear what triggers the second stage, as there seems to be no clear pattern. “Manual Finder” remains persistent on infected devices through scheduled tasks and registry keys, and maintains communication with a command-and-control server.
 
Impact 
At this time, the impact of this attack remains unclear. This may change at any given time as regular and persistent Command-and-Control communication is maintained between infected hosts and several external servers. A threat actor can leverage this channel of communication to stage additional attacks against affected devices.
 
Risk 
While direct impact is currently unclear, we anticipate that the established foothold could develop into a HIGH impact incident and are therefore assuming a HIGH risk as of now.
 
Mitigation 
If you encounter this software on a machine, our recommendation is to re-image the device to ensure every trace of the software is removed, since it has both persistence and C2 functionality built in.
 
What should you do? 
The current entry vector is human interaction. Infection can be prevented by spreading awareness about the threat and by urging users to reach out to their internal IT department when unsure of whether an application is safe.
 
What will Northwave do? 
We will monitor any developments regarding this emerging threat and collect IOCs, which are incorporated into our detection platform.
If new critical information about this threat arises, we will reach out to you. You can call us by phone or send us an email if you would like additional information.
 

E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000 
 
Disclaimer applies, see below.
 
Sources 
Dear Reader,
 
Since 16 August 2025, the Northwave SOC has observed an increasing number of detections of software called “Manual Finder”. Further analysis of the threat revealed a multi-stage attack chain that leads to the installation of this software. Limited information is currently available about the objective of this threat [1][2]. Given the number of affected devices, we want to share our current findings to help you identify potential risks within your environment.
 
Description
Based on Northwave’s investigative findings, the installation of Manual Finder is facilitated through infected software that is digitally signed. These applications currently present themselves as PDF editors and are distributed through various identified channels, including malvertising (malicious advertising).
The second stage of the attack consists of the covert download, installation and execution of “Manual Finder”. It is still unclear what triggers the second stage, as there appears to be no clear pattern. “Manual Finder” remains active on infected devices through scheduled tasks and registry keys, and maintains communication with a command-and-control server.
 
Impact
At this time, the impact of this attack is still unclear. This may change at any moment, as regular and persistent communication takes place between infected hosts and several servers controlled by the attacker. An attacker can use this communication channel to carry out additional attacks on affected devices.
 
Risk
Although the direct impact is currently unclear, we expect that after initial access to a device a high-impact incident could be possible. We are therefore assuming a high risk at this time.
 
Mitigation
If you find this software on a device, we recommend reinstalling the device (re-imaging) to make sure all traces of the software are removed, since it contains both persistence and C2 functionality.
 
What can you do?
The entry vector is currently human interaction. Infection can be prevented by raising awareness of the threat and encouraging users to contact their internal IT department when they are unsure whether an application is safe.
 
What will Northwave do?
We continue to monitor developments around this threat and collect Indicators of Compromise (IOCs), which are incorporated into our detection platform. If important new information about this threat becomes known, we will inform you. If you need additional information, we can be reached by phone and by e-mail.
 
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
 
Disclaimer applies, see below.
 
Sources
 

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We will not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.