CodingPanic

@codingpanic
83 Followers
244 Following
49 Posts
Geek. Hobby Computer Enthusiast. Information Security Professional.
boost if you are tired

Wow! This is the most beautiful #Cyberdeck I've ever seen. 😍

#DIY #MakersHour #3DPrint #3DPrinting

https://www.youtube.com/watch?v=cigAxzQGeLg

DIY Dual-Screen Cyberdeck: Sleek Design, Ultimate Functionality

YouTube

Pocket Casts for iOS 18 on the left, Apple Podcasts for iOS 26 on the right.

Between the illegible glass and the tab bar that disappears on scroll, I honestly have no idea who can take a look at this and say "Yes, that'll do it. That's good."

Liquid Glass is a mess so far, *especially* on iOS. Actually pushing me to use apps without Liquid Glass.

Hehehe Refinement is serious and expensive work.

https://mdrkeyboard.com/

#retrocomputing #severance

We said goodbye to one of dogs last night. Damnit I’m going to miss you Yoshi. So very much.

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right are the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

@siracusa fired up my G4 mini running 10.3 yesterday and I was instantly reminded of how far Apple has fallen in design. Tahoe’s lack of interface density looks like a Tonka toy in comparison. Interface inflation and bloat is very real.

A free Playdate app to sideload: xkpd, Paul Straw's xkcd reader—check out the latest comic, go to a specific one, or jump around randomly. Cool use of the new networking APIs!

https://paulstraw.itch.io/xkpd

Sorry, MacOS Tahoe Beta 2 Still Does the Finder Icon Dirty
https://daringfireball.net/linked/2025/06/24/sorry-macos-tahoe-b2-finder-icon

Link to: https://512pixels.net/2025/06/finder-icon-fixed/

Daring Fireball
@geerlingguy crazy question… I’m looking at switching some of my systems to Wayland… but graphical remote access seems to mostly be limited to RDP on Ubuntu. I’m currently using vnc extensively… do you know of a vnc server that works with Wayland, that isn’t wayvnc? (It needs wlroots compositors)

CISA have modified the CVE-2025-5777 entry to link to my blog 🙌 I’m hoping this gets more visibility as a bunch of us can see from Netflow ongoing threat actor Netscaler sessions to.. sensitive orgs.

CVE-2025-5777 aka CitrixBleed 2 has been added to CISA KEV now over evidence of active exploitation.

Citrix are still declining to comment about evidence of exploitation as of writing.

https://www.cisa.gov/news-events/alerts/2025/07/10/cisa-adds-one-known-exploited-vulnerability-catalog

Now everybody but Citrix agrees that CitrixBleed 2 is under exploit: Add CISA to the list

The Register

This is how Citrix are styling Citrix Bleed 2 btw. In the blog there’s no technical details or detection details or acknowledgement of exploitation. They also directly blame NIST for their CVE description.

From Netflow I can see active victims - including systems owned by the US federal government - so strap in to see where this goes.

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

#threatintel

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’

The one-day deadline issued by CISA on Thursday appears to be the shortest one ever issued. Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerability catalog.

Set up lab of Netscalers just now & owned them.

Two learnings:

1) the default logging isn’t enough to know if you’ve been exploited. So if you’re wondering where the victims are, they don’t know they’re victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.

2) the Citrix instructions post patch to clear sessions don’t include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's down from 24% unpatched to 17% unpatched

The results are partial still, the actual numbers still vuln will be higher.


Imperva WAF have added detection and blocking for CitrixBleed 2 this weekend.

They see it being widely sprayed across the internet today - almost 12 million requests, log4shell level.

The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability.

Updated Citrix scan results will go on Github in a few days, I've found a bug in the scan results setup which should add ~33% more hosts when fixed.

Spoiler:

CitrixBleed 2 update.

- Citrix have finally, quietly admitted exploitation in the wild -- by not commenting to press and then editing an old blog post and not mentioning it on their security update page.

- Orgs have been under attack from threat actors in Russia and China since June

- It's now under spray and pray, wide exploitation attempts.

https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

CitrixBleed 2 situation update — everybody already got owned

The ‘good news’, I suspect, is that most orgs will be too lacking in logs to have evidence. So they get to hope nothing too bad happened, I guess. The reason for this is the exploitation activity…

DoublePulsar

Citrix Netscaler internet scan still running, it's found another 1k vulnerable instances so far - will probably update Github later today or tomorrow morning.

It looks like we're back up to 18% of boxes being still vulnerable when the new list is out. It looks like a lot of orgs are patching from my list.

New CitrixBleed 2 scan data:

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

+7000 extra hosts added this round, host list is so large you need to use the raw view to see it.

Next set of data publication likely Friday, a month since the patch became available.

3832 orgs/hosts still unpatched.

GreyNoise blog just out about #CitrixBleed2, they see exploitation from IPs in China from June 23rd targeting specifically Netscaler appliances https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc
Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

I’m fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.

Citrix continue to be MIA. They still have no detection guidance for customers, and haven’t told customers the extent of the issue.

#CitrixBleed2

With the #CitrixBleed2 patch data I publish it's possible to view the history on Github for each new scan and see when hosts change from vuln to patched.

It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitrixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.

It's definitely interesting and may need a scale out.

Citrix have a blog out about hunting for #CitrixBleed2

https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/

It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs

Evaluating NetScaler logs for indicators of attempted exploitation of CVE-2025-5777

NetScaler Blog
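
The two indicators named above (invalid characters in the username field, and one session seen from different client IPs) can be turned into a small triage script. This is an added example, not code from the post or from Citrix's blog; the log line layout, the field names and the allowed-username character set are assumptions made for the example, not NetScaler's real log format, and the sample lines are constructed.

```python
"""Triage sketch for the two CitrixBleed 2 log indicators: usernames that
contain characters no real login would have, and a single session id that
shows up from more than one source IP. Example code only; the line format
below is an assumed, simplified layout, not real NetScaler syslog."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample lines (not real captures). Line 3 carries control bytes
# in the username field; line 4 reuses alice's session S1 from a new IP.
SAMPLE_LOG = (
    "2025-07-08T10:00:01Z AAA LOGIN user=alice session=S1 src=203.0.113.10\n"
    "2025-07-08T10:00:05Z AAA LOGIN user=bob session=S2 src=203.0.113.11\n"
    "2025-07-08T10:02:13Z AAA LOGIN user=\x00\x1fAAAA session=S3 src=198.51.100.9\n"
    "2025-07-08T10:03:40Z ICA CONNECT user=alice session=S1 src=198.51.100.9\n"
    "2025-07-08T10:05:00Z ICA CONNECT user=bob session=S2 src=203.0.113.11\n"
)

# Assumed line layout: "<ts> <service> <event> user=<u> session=<id> src=<ip>".
# The user group is non-greedy so garbage bytes up to " session=" are captured.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\S+) (?P<event>\S+) user=(?P<user>.*?) "
    r"session=(?P<sid>\S+) src=(?P<src>\S+)$"
)

# What a legitimate username may contain (assumption; adjust to your
# directory's naming rules). Anything outside this set is suspicious.
VALID_USER_RE = re.compile(r"^[A-Za-z0-9._@\\-]+$")


def parse_log(text: str) -> List[dict]:
    """Parse every line that matches the assumed layout into a dict."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def invalid_username_events(events: List[dict]) -> List[dict]:
    """Indicator 1: username field holds characters no real login would."""
    return [e for e in events if not VALID_USER_RE.match(e["user"])]


def multi_ip_sessions(events: List[dict]) -> Dict[str, Set[str]]:
    """Indicator 2: the same session id was used from more than one IP."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e["sid"]].add(e["src"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def triage(text: str) -> dict:
    """Combine both indicators: a session shared across IPs where one of
    those IPs also produced an invalid-username login is the strongest
    signal of a replayed session."""
    events = parse_log(text)
    bad_users = invalid_username_events(events)
    suspect_ips = {e["src"] for e in bad_users}
    shared = multi_ip_sessions(events)
    likely = {sid: ips for sid, ips in shared.items() if ips & suspect_ips}
    return {
        "invalid_usernames": bad_users,
        "multi_ip_sessions": shared,
        "likely_hijacked": likely,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for e in result["invalid_usernames"]:
        print(f"invalid username {e['user']!r} from {e['src']} at {e['ts']}")
    for sid, ips in result["multi_ip_sessions"].items():
        print(f"session {sid} seen from {sorted(ips)}")
    for sid in result["likely_hijacked"]:
        print(f"session {sid}: shared IP also sent an invalid-username login")
```

Run against the constructed sample it flags the login with control bytes in the username, reports session S1 as seen from two IPs, and marks S1 as likely hijacked because 198.51.100.9 appears in both indicators. Session S2 is seen twice but always from the same IP, so it is not reported.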
@GossiTheDog Definitely. Refreshing transparency.

@GossiTheDog providing the data to cyber insurers to wash against their customer base.

@GossiTheDog
Not sure how often the list is updated, but the orgs I emailed 24h ago are still listed as vulnerable.

@GossiTheDog 😇 sure does work. Any take-down requests yet ? 🤔

@GossiTheDog another day, another example of full disclosure working better than the alternatives lol

@GossiTheDog are you using the PoC exploit to determine if systems are vulnerable or basing it off timestamps to infer build numbers instead?

@OracleOfApollo @GossiTheDog probably checking the version or something. I don't see fingerprinting being that difficult and exploit even defanged might be problematic in the legal sense.

@GossiTheDog this is probably a silly question, but are you scanning netblocks most likely to have affected devices first? Eg I'm guessing not a lot likely in AWS, GCP, Azure, China, residential, etc address spaces.

@GossiTheDog "it looks like a lot of orgs are patching from my list" eek! Organisations have so little knowledge of what they have that it takes you to tell them?

@GossiTheDog Perhaps time to refer to it using the more appropriately descriptive word... Wild.

This vulnerability is WILDLY EXPLOITED.

As a bonus "exploited in the wild" can be changed to "wild exploitation observed".

@GossiTheDog Shitrix, amirite?

I’ve been referencing network security device vulnerabilities as the #1 identified breach vector in my latest talk. Guess I need to update my greatest hits already.

https://www.slideshare.net/slideshow/futurecon-seattle-2025-presentation-slides-you-had-one-job/281147331

FutureCon Seattle 2025 Presentation Slides - You Had One Job

In 2024, attackers didn’t need phishing emails to compromise enterprises — they just waited for the latest zero-day in your firewall to be weaponized. Mandiant’s M-Trends 2025 report reveals that most intrusions now start with exploited vulnerabilities in edge security devices. Meanwhile, credentials are stolen by malware faster than MFA can save you, and security vendors themselves are being turned into initial access brokers — unintentionally. This talk is a call to get back to basics. We’ll walk through the top 10 ways organizations are still failing at foundational security, and provide a clear, no-nonsense roadmap for how to fix it. Aligned to NIST, PCI DSS, and C2M2 frameworks, this approach avoids complexity, avoids buzzwords, and avoids blaming users. You don’t need another vendor — you need to configure what you already have properly, document it, and follow through. Because at the end of the day, no one wants to explain to leadership how your “security box” was the reason you got owned.

SlideShare
@GossiTheDog "The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability." WHAAAAAAAA

@GossiTheDog
So… could there possibly exist another Citrix 0day that this script looks for?
Right script, different CVE? :D

@musevg @GossiTheDog Well we haven’t seen anything yet about 2025-6543… and that was supposed to be the scary one!

@GossiTheDog this one is for CVE-2025-6543

@GossiTheDog Looks like the two-digit billion dollar corp that closed my report as "informative, we don't see the issue here" still hasn't updated yet.

@GossiTheDog is this scan still running or has it now completed?

@GossiTheDog #Alt4You #AltText two screen captures from Citrix website, the other one from Akamai website. The first one says:
"Can I fix these vulnerabilities using Web Application Firewall signatures?
No, it is not possible to fix the vulnerabilities with Web Application Firewall signatures."
The second one, posted later, says:
"App & API Protector mitigation
In response to CitrixBleed 2, the WAF Threat Research Team released a new Rapid Rule on July 7, 2025, with a default action set to "Alert":
- 3000967-Citrix NetScaler Memory Disclosure Detected (CVE-2025-5777)".

@jt_rebelo @GossiTheDog The second one isn’t Citrix - that’s Akamai.

@GossiTheDog The great thing about "as far as I know"/"not as far as I know" class statements, unlike almost all other types of statements, is that you can increase their accuracy through the easy work of knowing less rather than the arduous task of knowing more.

It's epistemology's any% speedrun strat.

@GossiTheDog this feels very much like a corp Comms team in crisis management mode, thinking obfuscation will make the situation better. It's a natural reaction, but not one that helps mitigation.

A brutally honest 'we screwed up, here is what we can share without making the situation worse' along with some willingness to offer hotfixes rather than full releases is the better path forward.

On the plus side, I did get to read their latest Tolly report for lolz

@GossiTheDog How are you monitoring this traffic? I remember you making a similar statement on the Ingram Micro case.
@GossiTheDog oh my g-d they did it again
@GossiTheDog Obviously this is a Ripley Protocol type of situation; but is it known how long the session cookies would be expected to remain valid if not explicitly purged? Configurable and wide variation in plausible values? Life of connection until manual or enforced disconnect? Fixed or very likely default number of minutes after successful authentication?