Citrix Breach Incident Score: Analysis & Impact (CIT1770201552)
The Rankiteo video explains how the company Citrix was impacted by a Vulnerability on February 01, 2026.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of Citrix's Vulnerability and lateral movement inside company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Citrix Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Citrix breach identified under incident ID CIT1770201552.
The analysis begins with a detailed overview of Citrix's company information: the LinkedIn page (https://www.linkedin.com/company/citrix), the number of followers (581823), the industry type (Software Development) and the number of employees (4268 employees).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 450 and after the incident was 445, a difference of -5, which could be a good indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on Citrix and their customers.
On 01 February 2026, a cybersecurity incident called "Large-Scale Citrix ADC Gateway Reconnaissance Campaign Uncovered" came to light.
A sophisticated reconnaissance campaign targeting Citrix ADC (NetScaler) Gateway infrastructure has been detected, involving over 63,000 residential proxy IPs and AWS cloud instances to map login panels and enumerate software versions.
The disruption is felt across the environment, affecting Citrix ADC (NetScaler) Gateway infrastructure.
Formal response steps have not been shared publicly yet.
The case status is listed as ongoing, and the recommended next steps are to patch or mitigate known Citrix vulnerabilities (CVE-2025-5777, CVE-2025-5775) and to monitor for suspicious scanning activity targeting Citrix ADC Gateway infrastructure.
Finally, we try to match the incident against the MITRE ATT&CK framework to see which tactics and techniques correlate with the observed activity.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence:
- Reconnaissance: Active Scanning (T1595), high confidence (95%), with evidence including 111,834 scanning sessions targeting Citrix Gateway honeypots and probing of the `/logon/LogonPoint/index.html` authentication interface; Active Scanning: Vulnerability Scanning (T1595.002), high confidence (90%), with evidence including a "Version Disclosure Sprint" targeting `/epa/scripts/win/nsepa_setup.exe` to identify Citrix EPA versions and a focus on version-specific exploits (CVE-2025-5777, CVE-2025-5775); Gather Victim Network Information (T1590), moderate to high confidence (85%), with evidence including 79% of traffic focused on Citrix Gateway honeypots and the mapping of login panels and enumeration of software versions; Gather Victim Network Information: Network Security Appliances (T1590.002), moderate to high confidence (80%), with evidence including the targeting of Citrix ADC (NetScaler) Gateway infrastructure and probing for `/logon/LogonPoint/index.html` and EPA setup paths.
- Initial Access: Exploit Public-Facing Application (T1190), moderate to high confidence (70%), with evidence including potential interest in version-specific exploits (CVE-2025-5777, CVE-2025-5775) and the targeting of unpatched or misconfigured Citrix ADC deployments.
- Resource Development: Acquire Infrastructure: Virtual Private Server (T1583.003), moderate to high confidence (80%), with evidence including 10 AWS instances in us-west-1/us-west-2 used for scanning, and 63,000 residential proxy IPs and AWS cloud instances; Compromise Infrastructure: Botnet (T1584.005), moderate to high confidence (75%), with evidence including 63,189 unique IPs used for probing and 64% of traffic coming from residential proxies across multiple countries.
- Defense Evasion: Proxy (T1090), high confidence (90%), with evidence including 63,000 residential proxy IPs used to evade geographic blocking and unique browser fingerprints used to evade reputation-based blocking; Valid Accounts: Cloud Accounts (T1078.004), moderate confidence (60%), with evidence including AWS cloud instances used for scanning and a Microsoft Azure IP (52.139.3.76) involved in login panel discovery.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
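The two probed paths and the "many source IPs, each with its own browser fingerprint" pattern described above are enough to build a simple detection over gateway access logs. The script below is an added example, not Rankiteo's engine or any Citrix tooling; it parses constructed access-log lines (not real incident traffic) and flags a probe path when it is hit from several distinct sources that each present a different user agent. The `min_ips` threshold is an assumption chosen for the sample.

```python
import re

# Request paths the incident analysis names as the probed endpoints.
PROBE_PATHS = {
    "/logon/LogonPoint/index.html": "login panel discovery",
    "/epa/scripts/win/nsepa_setup.exe": "EPA version disclosure",
}

# Constructed sample access-log lines (combined log format with user agent).
# These are illustrative only, not traffic captured from the incident.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Feb/2026:10:01:02 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
198.51.100.11 - - [01/Feb/2026:10:01:05 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/119"
203.0.113.7 - - [01/Feb/2026:10:01:09 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/17"
198.51.100.12 - - [01/Feb/2026:10:01:12 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Edge/120"
203.0.113.7 - - [01/Feb/2026:10:02:00 +0000] "GET /epa/scripts/win/nsepa_setup.exe HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh) Safari/17"
192.0.2.44 - - [01/Feb/2026:10:05:00 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/120"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d+ \d+ "[^"]*" "([^"]*)"$'
)

def parse_line(line):
    """Return ip/method/path/user-agent for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "method": m.group(2), "path": m.group(3), "ua": m.group(4)}

def summarize_probes(log_text):
    """Per probed path: hit count, distinct source IPs and distinct user agents."""
    stats = {p: {"hits": 0, "ips": set(), "uas": set()} for p in PROBE_PATHS}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] in stats:
            s = stats[rec["path"]]
            s["hits"] += 1
            s["ips"].add(rec["ip"])
            s["uas"].add(rec["ua"])
    return stats

def distributed_recon_alerts(log_text, min_ips=3):
    """Flag a probe path when it is hit from at least min_ips distinct sources and
    the sources present at least as many distinct user agents as there are IPs:
    the proxy-spread, fingerprint-varied pattern the analysis describes."""
    alerts = []
    for path, s in summarize_probes(log_text).items():
        if len(s["ips"]) >= min_ips and len(s["uas"]) >= len(s["ips"]):
            alerts.append((path, PROBE_PATHS[path], len(s["ips"])))
    return alerts

if __name__ == "__main__":
    for path, label, n in distributed_recon_alerts(SAMPLE_LOG):
        print(f"ALERT {label}: {path} probed from {n} distinct IPs")
```

On the sample, the login-panel path is flagged (three sources, three user agents) while the EPA setup path is not, since both of its hits come from one IP.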
Sources
- Citrix Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/citrix/incident/CIT1770201552
- Citrix CyberSecurity Rating page: https://www.rankiteo.com/company/citrix
- Citrix Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/cit1770201552-citrix-vulnerability-february-2026/
- Citrix CyberSecurity Score History: https://www.rankiteo.com/company/citrix/history
- Citrix CyberSecurity Incident Source: https://gbhackers.com/exposed-citrix-netscaler-login-pages/
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://static.rankiteo.com/model/rankiteo_tprm_methodology.pdf