Citrix NetScaler scans are on the rise, with a coordinated reconnaissance campaign targeting Citrix NetScaler infrastructure over the past week using tens of thousands of residential proxies to discover login panels. This surge in activity, observed between January 28 and February 2, also focused on enumerating versions of the product, indicating an organized discovery effort.
Threat monitoring platform GreyNoise traced the source of the scanning traffic to more than 63,000 distinct IPs that launched 111,834 sessions. According to the researchers, 79% of the traffic was aimed at Citrix Gateway honeypots.
Roughly 64% of the traffic came from residential proxies, with IPs spread across the globe, appearing as legitimate consumer ISP addresses and bypassing reputation-based filtering. The remaining 36% came from a single Azure IP address.
The activity strongly indicates pre-exploitation infrastructure mapping, rather than random internet scanning, GreyNoise says.
“The specific targeting of the EPA [Endpoint Analysis] setup file path suggests interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses.”
The two indicators of malicious intent are obvious, with the most active one generating 109,942 sessions from 63,189 unique IPs and targeting the authentication interface at ‘/logon/LogonPoint/index.html’ to identify exposed Citrix login panels at scale.
The second indicator, observed on February 1st, was a six-hour sprint with 10 IPs launching 1,892 sessions focused on the URL path ‘/epa/scripts/win/nsepa_setup.exe’ to enumerate Citrix versions via EPA artifacts. This wave of Citrix NetScaler scans highlights a critical security concern for businesses relying on this infrastructure.
Understanding the Citrix NetScaler Scans
GreyNoise notes that the attacker employed a user agent for Chrome 50, released in early 2016. Targeting the EPA setup file may indicate an “interest in version-specific exploit development or vulnerability validation against known Citrix ADC weaknesses.”
“The rapid onset and completion suggest a targeted scanning sprint that may have been triggered by discovery of vulnerable EPA configurations or intelligence about deployment windows,” GreyNoise says.
The most recent critical-severity flaws impacting Citrix products are CVE-2025-5777, aka ‘CitrixBleed 2,’ and CVE-2025-5775, a remote code execution vulnerability that was exploited as a zero-day. This emphasizes the importance of securing Citrix NetScaler infrastructure against potential threats.
Detection and Mitigation Strategies
GreyNoise lists several detection opportunities for this latest activity, including:
- Monitoring for the blackbox-exporter user agent originating from non-authorized sources
- Alerting on external access to /epa/scripts/win/nsepa_setup.exe
- Flagging rapid enumeration of /logon/LogonPoint/ paths
- Watching for HEAD requests against Citrix Gateway endpoints
- Tracking outdated browser fingerprints, specifically Chrome 50 (circa 2016)
Additionally, the researchers recommend that system administrators review the necessity of internet-facing Citrix Gateways, restrict access to the /epa/scripts/ directory, disable version disclosure in HTTP responses, and monitor for anomalous access from residential ISPs in unexpected regions. Staying vigilant is crucial in preventing potential breaches. related Fraudulents news
Focus on Citrix Security
The recent wave of Citrix NetScaler scans serves as a stark reminder of the persistent cybersecurity threats facing organizations. System administrators must prioritize patching and staying up to date on the latest security protocols.
GreyNoise has also shared the IP addresses used to launch the scanning activity.
“Proactive monitoring and robust security measures are vital to safeguard sensitive data and maintain operational integrity.”
These Citrix NetScaler scans highlight the need for constant vigilance and rapid response to potential vulnerabilities. By implementing the recommended detection opportunities and mitigation strategies, organizations can significantly reduce their risk exposure.
Source: BleepingComputer




