
The Pennsylvania Attorney General’s Office (AGO) has confirmed a cyberattack that has disrupted critical systems, including email services, landline phones, and its official website, since August 11, 2025. The incident has been linked to a known vulnerability in Citrix NetScaler devices (CVE-2025-5777), marking another high-profile exploitation of this flaw following similar attacks on Dutch infrastructure and Caribbean courts [1,2].
Technical Impact and Response
The attack rendered the AGO’s primary communication channels inoperable for multiple days, forcing staff to adopt temporary email solutions for urgent communications. Cybersecurity researcher Kevin Beaumont had previously identified exposed NetScaler devices tied to the AGO, suggesting potential reconnaissance prior to exploitation [3]. Attorney General Dave Sunday acknowledged the disruption as “frustrating” while commending the IT teams working to restore services. Despite the outage, prosecutors maintained casework operations through alternative methods [4].
The Citrix NetScaler vulnerability (CVE-2025-5777), colloquially termed “Citrix Bleed 2,” allows unauthenticated remote code execution through improper input validation in ADC and Gateway appliances. This follows a pattern of attacks leveraging Citrix vulnerabilities, with at least three other government entities compromised through the same vector in 2025 [5].
Broader Threat Context
This incident occurs amid heightened attacks against U.S. legal systems, including a suspected Russian breach of federal courts earlier this year. The Pennsylvania AGO outage shares technical similarities with recent incidents at Virginia’s Attorney General’s Office and Cleveland municipal courts, suggesting possible coordinated targeting of government legal infrastructure [6].
Organizations still running unpatched Citrix NetScaler versions 13.1-49.15 and earlier are particularly vulnerable. The Cybersecurity and Infrastructure Security Agency (CISA) has reiterated its advisory to apply Citrix’s emergency patches released in July 2025, which address CVE-2025-5777 through improved session token validation [1].
Operational Recommendations
For organizations using Citrix NetScaler devices:
- Immediate patching to version 13.1-49.16 or later
- Network segmentation of Citrix management interfaces
- Review of all NetScaler session tokens issued since June 2025
- Implementation of strict egress filtering for NetScaler management traffic
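The first three recommendations above can be turned into a repeatable triage pass over an appliance inventory and a session export. The following Python is an added example, not code from the article or from Citrix; the fixed build and the June 2025 cut-off are the values the article states, and the host names, version strings and session records are constructed samples.

```python
import re
from datetime import date

# Fixed build as stated in the article above. Other NetScaler branches (e.g. 14.1)
# have their own fixed builds; take each branch's threshold from Citrix's advisory.
FIXED_BUILD = "13.1-49.16"
REVIEW_SINCE = date(2025, 6, 1)  # "session tokens issued since June 2025"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

def parse_version(version):
    """'MAJOR.MINOR-BUILD.REV' (e.g. '13.1-49.15') -> tuple of ints.
    Int tuples compare correctly; string comparison would rank '13.1-49.9'
    above '13.1-49.16' and miss an unpatched appliance."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return tuple(int(part) for part in match.groups())

def triage_version(version, fixed=FIXED_BUILD):
    """Classify one appliance as 'unpatched', 'patched' or 'unknown-branch'.
    A build on another MAJOR.MINOR branch cannot be judged against this
    threshold, so it is flagged for manual review rather than silently passed."""
    current, threshold = parse_version(version), parse_version(fixed)
    if current[:2] != threshold[:2]:
        return "unknown-branch"
    return "unpatched" if current < threshold else "patched"

# Constructed sample inventory and session export; not real hosts or sessions.
INVENTORY = [
    {"host": "ns-gw-01", "version": "13.1-49.15"},
    {"host": "ns-gw-02", "version": "13.1-49.16"},
    {"host": "ns-gw-03", "version": "13.1-37.176"},
    {"host": "ns-gw-04", "version": "14.1-43.50"},
]
SESSIONS = [
    {"id": "s-1001", "user": "alice", "issued": "2025-05-30"},
    {"id": "s-1002", "user": "bob", "issued": "2025-06-02"},
    {"id": "s-1003", "user": "carol", "issued": "2025-08-11"},
]

def triage_inventory(inventory, fixed=FIXED_BUILD):
    """Map each host name to its patch status."""
    return {item["host"]: triage_version(item["version"], fixed) for item in inventory}

def sessions_to_review(sessions, since=REVIEW_SINCE):
    """Ids of sessions issued on or after the cut-off; treat them as suspect."""
    return [s["id"] for s in sessions if date.fromisoformat(s["issued"]) >= since]
```

Hosts reported as unknown-branch are not safe by implication; they need the threshold for their own branch before they can be cleared.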
The Pennsylvania AGO has not disclosed whether data exfiltration occurred during the incident. However, the duration of the outage suggests potential post-exploitation activity, consistent with similar Citrix Bleed 2 attacks that typically involve lateral movement and credential harvesting [3,5].
Conclusion
This incident underscores the persistent risk posed by unpatched internet-facing systems in government environments. The repeated exploitation of Citrix vulnerabilities highlights the need for accelerated patch cycles in critical infrastructure. As threat actors continue targeting legal systems, organizations must prioritize vulnerability management and maintain offline contingency plans for essential operations.
References
1. “Pennsylvania Attorney General’s office recovering from cyberattack”. The Record. 2025.
2. “Pennsylvania AG’s office hit by cyber incident”. StateScoop. 2025.
3. “Cyber incident knocks out Pennsylvania attorney general’s website, phone system”. GoErie. 2025.
4. “Pennsylvania attorney general’s office network outage caused by cyber incident”. WGAL. 2025.
5. “Pa. AG probing cyber incident that disrupted email, phones”. Law360. 2025.
6. “Cyber outage shuts down Pa. attorney general’s website, phone system”. PennLive. 2025.