Mastodawn

CodingPanic

@codingpanic

83 Followers

244 Following

51 Posts

Geek. Hobby Computer Enthusiast. Information Security Professional.

CodingPanic 1d ago

Eric Bowers 1d ago

Best #internetradio app in the game: Triode by @Iconfactory. I literally use it daily. I get news, entertainment and new music out of it constantly. Has Shazam integration, too. It doesn't get much chatter, but I realize it's probably one of my most used apps!

https://triode.app/

Triode • Listen Everywhere

The best way to enjoy all of your favorite internet radio stations wherever you go.

Triode

CodingPanic Aug 4

boost if you are tired

CodingPanic Jul 27

Wow! This is the most beautiful #Cyberdeck I've ever seen. 😍

#DIY #MakersHour #3DPrint #3DPrinting

https://www.youtube.com/watch?v=cigAxzQGeLg

DIY Dual-Screen Cyberdeck: Sleek Design, Ultimate Functionality

YouTube

CodingPanic Jul 22

Federico Viticci

Pocket Casts for iOS 18 on the left, Apple Podcasts for iOS 26 on the right.

Between the illegible glass and the tab bar that disappears on scroll, I honestly have no idea who can take a look at this and say "Yes, that'll do it. That's good."

Liquid Glass is a mess so far, *especially* on iOS. Actually pushing me to use apps without Liquid Glass.

CodingPanic Jul 20

@haitchfive Jul 20

Hehehe Refinement is serious and expensive work.

https://mdrkeyboard.com/

#retrocomputing #severance

CodingPanic Jul 14

We said goodbye to one of dogs last night. Damnit I’m going to miss you Yoshi. So very much.

CodingPanic Jul 9

Kevin Beaumont Jul 9

I believe Citrix may have made a mistake in the patching instructions for CitrixBleed2 aka CVE-2025-5777.

They say to do the instructions on the left, but they appear to have missed other session types (e.g. AAA) which have session cookies that can be stolen and replayed with CitrixBleed2. On the right is the CitrixBleed1 instructions.

The net impact is, if you patched but a threat actor already took system memory, they can still reuse prior sessions.

Tell anybody you know at Citrix.

CodingPanic Jul 2

@siracusa fired up my G4 mini running 10.3 yesterday and I was instantly reminded of how far Apple has fallen in design. Tahoe’s lack of interface density looks like a Tonka toy in comparison. Interface inflation and bloat is very real.

CodingPanic Jun 30

Playdate Jun 30

A free Playdate app to sideload: xkpd, Paul Straw's xkcd reader—check out the latest comic, go to a specific one, or jump around randomly. Cool use of the new networking APIs!

https://paulstraw.itch.io/xkpd

CodingPanic Jun 25

Daring Fireball Jun 25

Sorry, MacOS Tahoe Beta 2 Still Does the Finder Icon Dirty
https://daringfireball.net/linked/2025/06/24/sorry-macos-tahoe-b2-finder-icon

Sorry, MacOS Tahoe Beta 2 Still Does the Finder Icon Dirty

Link to: https://512pixels.net/2025/06/finder-icon-fixed/

Daring Fireball

×

Kevin Beaumont Jul 11

Kevin Beaumont Jul 11

Some CitrixBleed2 IOCs; this is a cluster of what appears to be China going brrr, going on for weeks.

38.154.237.100
38.54.59.96

Kevin Beaumont Jul 11

Updated CitrixBleed2 scan results of vuln/not vuln
https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

Kevin Beaumont Jul 11

CISA is giving all civilian agencies 1 day to remediate CitrixBleed 2. It is encouraging all other organisations in the US to do this too.

https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2

CISA orders agencies to immediately patch Citrix Bleed 2, saying bug poses ‘unacceptable risk’

The one-day deadline issued by CISA on Thursday appears to be the shortest one ever issued. Federal civilian agencies are typically given three weeks to patch bugs added to the known exploited vulnerability catalog.

Kevin Beaumont Jul 11

Set up lab of Netscalers just now & owned them.

Two learnings:

1) the default logging isn’t enough to know if you’ve been exploited. So if you’re wondering where the victims are, they don’t know they’re victims as checks will come back clean unless they increased logging before. FW logs w/ IOCs fall back option.

2) the Citrix instructions post patch to clear sessions don’t include the correct session types - ICA will just reconnect as you (threat actor) still have the valid NSC_AAAC cookie.

Kevin Beaumont Jul 11

If you ask Citrix support for IOCs for CVE-2025-5777 and they send you a script to run that looks for .php files - they’ve sent you an unrelated script, which has nothing to do with session hijacking or memory overread.

Kevin Beaumont Jul 12

Updated CitrixBleed 2 scan results: https://github.com/GossiTheDog/scanning/blob/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

It's down from 24% unpatched to 17% unpatched

The results are partial still, the actual numbers still vuln will be higher.

scanning/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt at main · GossiTheDog/scanning

Contribute to GossiTheDog/scanning development by creating an account on GitHub.

GitHub

Kevin Beaumont Jul 13

Imperva WAF have added detection and blocking for CitrixBleed 2 this weekend.

They see it being widely sprayed across the internet today - almost 12 million requests, log4shell level.

The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability.

Kevin Beaumont Jul 14

Updated Citrix scan results will go on Github in a few days, I've found a bug in the scan results setup which should add ~33% more hosts when fixed.

Spoiler:

Kevin Beaumont Jul 14

CitrixBleed 2 update.

- Citrix have finally, quietly admitted exploitation in the wild -- by not commenting to press and then editing an old blog post and not mentioning it on their security update page.

- Orgs have been under attack from threat actors in Russia and China since June

- It's now under spray and pray, wide exploitation attempts.

https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f

CitrixBleed 2 situation update — everybody already got owned

Citrix acknowledge exploitation finally.

Medium

Kevin Beaumont Jul 15

Citrix Netscaler internet scan still running, it's found another 1k vulnerable instances so far - will probably update Github later today or tomorrow morning.

It looks like we're back up to 18% of boxes being still vulnerable when the new list is out. It looks like a lot of orgs are patching from my list.

Kevin Beaumont Jul 15

New CitrixBleed 2 scan data:

https://raw.githubusercontent.com/GossiTheDog/scanning/refs/heads/main/CVE-2025-5777-CitrixBleed2-ElectricBoogaloo-patching.txt

+7000 extra hosts added this round, host list is so large you need to use the raw view to see it.

Next set of data publication likely Friday, a month since the patch became available.

3832 orgs/hosts still unpatched.

Kevin Beaumont Jul 16

GreyNoise blog just out about #CitrixBleed2, they see exploitation from IPs in China from June 23rd targeting specifically Netscaler appliances https://www.greynoise.io/blog/exploitation-citrixbleed-2-cve-2025-5777-before-public-poc

Exploitation of CitrixBleed 2 (CVE-2025-5777) Began Before PoC Was Public

GreyNoise has observed active exploitation attempts against CVE-2025-5777 (CitrixBleed 2), a memory overread vulnerability in Citrix NetScaler. Exploitation began on June 23 — nearly two weeks before a public proof-of-concept was released on July 4.

Kevin Beaumont Jul 16

I’m fairly certain the threat actor is Chinese and they reversed the patch to make the exploit.

Citrix continue to be MIA. They still have no detection guidance for customers, and haven’t told customers the extent of the issue.

Kevin Beaumont Jul 16

With the #CitrixBleed2 patch data I publish it's possible to view the history on Github for each new scan and see when hosts change from vuln to patched.

It's proving incredibly effective at getting orgs to patch. I tried private notifications via HackerOne and such for CitixBleed1 in 2023 and it took months to get orgs to patch. Putting the data public brings accountability for orgs who later get breached - so there's a rush to patch.

It's definitely interesting and may need a scale out.

Kevin Beaumont Jul 17

Citrix have a blog out about hunting for #CitrixBleed2

https://www.netscaler.com/blog/news/evaluating-netscaler-logs-for-indicators-of-attempted-exploitation-of-cve-2025-5777/

It's what was in my earlier blog - look for invalid characters in the username field and duplicate sessions with different IPs

Evaluating NetScaler logs for indicators of attempted exploitation of CVE-2025-5777

Evaluating NetScaler logs for indicators of attempted exploitation of CVE-2025-5777

NetScaler Blog

Kevin Beaumont Jul 17

we gettin' there!

Kevin Beaumont Jul 17

This bit is still incomplete in the patching instructions btw - if it's a HA pair you need to additionally reset other session types or you're still vulnerable to session hijack after patching.

I'm still trying to get Citrix to update the instructions.

Kevin Beaumont Jul 18

The Dutch Public Prosecution Office have shut down their Citrix Netscaler and removed all internet access, Dutch media speculating CitrixBleed 2 exploitation.

https://www.techzine.eu/news/security/133163/dutch-department-of-justice-offline-after-citrix-vulnerability/

Justice minister David van Weel told MPs in a briefing that it appears the weakness had been used by third parties to access the department systems.

The justice ministry said the department had applied Citrix’s recommended patches, but these failed to fully eliminate the flaw. https://www.dutchnews.nl/2025/07/prosecution-department-goes-offline-due-to-software-weakness/

Dutch Department of Justice offline after Citrix vulnerability

The Department of Justice shut down all internet connections on Friday morning after a serious security threat. Analysis showed that hackers had probably

Techzine Global

Kevin Beaumont Jul 18

Again to reiterate the point in the thread - Citrix’s patching instructions don’t include - for example - resetting AAA sessions when AAA cookies are stealable with the vulnerability. So we’re going to see orgs caught with Citrix’s pants down.

Kevin Beaumont Jul 18

Here’s the Dutch gov letter and my translation.

Joshua Small Jul 17

@GossiTheDog Interesting, the IOCs from support were totally different (look for .php files in the web root).

Vickie Gray 🍁Jul 16

@GossiTheDog Definitely. Refreshing transparency.

@GossiTheDog providing the data to cyber insurers to wash against their customer base.

Dick Telder Jul 16

@GossiTheDog
Not sure how often the list is updated, but the orgs I emailed 24h ago are still listed as vulnerable.

@GossiTheDog 😇 sure does work. Any take-down requests yet ? 🤔

CyberFrog Jul 17

@GossiTheDog another day, another example of full disclosure working better than the alternatives lol

OracleOfApollo Jul 16

@GossiTheDog are you using the PoC exploit to determine if systems are vulnerable or basing it off timestamps to infer build numbers instead?

@OracleOfApollo @GossiTheDog probably checking the version or something. I don't see fingerprinting being that difficult and exploit even defanged might be problematic in the legal sense.

@GossiTheDog this is probably a silly question, but are you scanning netblocks most likely to have affected devices first? Eg I'm guessing not a lot likely in AWS, GCP, Azure, China, residential, etc address spaces.

David Penington Jul 15

@GossiTheDog "it looks like a lot of orgs are patching from my list" eek! Organisations hane so little knowledge of what they have that it takes you to tell them?

Christoffer S.Jul 14

@GossiTheDog Perhaps time to refer to it using the more appropriately descriptive word... Wild.

This vulnerability is WILDLY EXPLOITED.

As a bonus "exploited in the wild" can be changed to "wild exploitation observed".

Suzanne Aldrich (she/her)Jul 16

@GossiTheDog Shitrix, amirite?

I’ve been referencing network security device vulnerabilities as the #1 identified breach vector in my latest talk. Guess I need to update my greatest hits already.

https://www.slideshare.net/slideshow/futurecon-seattle-2025-presentation-slides-you-had-one-job/281147331

FutureCon Seattle 2025 Presentation Slides - You Had One Job

In 2024, attackers didn’t need phishing emails to compromise enterprises — they just waited for the latest zero-day in your firewall to be weaponized. Mandiant’s M-Trends 2025 report reveals that most intrusions now start with exploited vulnerabilities in edge security devices. Meanwhile, credentials are stolen by malware faster than MFA can save you, and security vendors themselves are being turned into initial access brokers — unintentionally. This talk is a call to get back to basics. We’ll walk through the top 10 ways organizations are still failing at foundational security, and provide a clear, no-nonsense roadmap for how to fix it. Aligned to NIST, PCI DSS, and C2M2 frameworks, this approach avoids complexity, avoids buzzwords, and avoids blaming users. You don’t need another vendor — you need to configure what you already have properly, document it, and follow through. Because at the end of the day, no one wants to explain to leadership how your “security box” was the reason you got owned. - Download as a PDF or view online for free

SlideShare

Jacob Pedersen Jul 15

@GossiTheDog Ohh boy...

System Adminihater Jul 14

@GossiTheDog "The only major vendor I’ve seen who hasn’t added a WAF rule is Citrix - they sell a WAF upsell module for Netscaler, but failed to add detection for their own vulnerability." WHAAAAAAAA

M Schommer Jul 11

@GossiTheDog
So… could there possibly exist another Citrix 0day that this script looks for?
Right script, different CVE? :D

@musevg @GossiTheDog Well we haven’t seen anything yet about 2025-6543… and that was supposed to be the scary one!

Chad Brigance Jul 11

@GossiTheDog this one is for CVE-2025-6543

@GossiTheDog Looks like the two-digit billion dollar corp that closed my report as "informative, we don't see the issue here" still hasn't updated yet.

@GossiTheDog is this scan still running or has it now completed?

fuzzyfuzzyfungus Jul 11

@GossiTheDog The great thing about "as far as I know"/"not as far as I know" class statements, unlike almost all other types of statements, is that you can increase their accuracy through the easy work of knowing less rather than the arduous task of knowing more.

It's epistemology's any% speedrun strat.