CitrixBleed 2 vulnerability is being exploited. Hawaiian Airlines discloses cyberattack.

Summary

By the CyberWire staff

At a glance.

CitrixBleed 2 vulnerability is being exploited.
Hawaiian Airlines discloses cyberattack.
Phishing campaign abuses Microsoft 365's Direct Send to spoof internal users.

CitrixBleed 2 vulnerability is being exploited.

A critical Citrix vulnerability (CVE-2025-5777) that was patched last week is now being exploited in the wild, according to researchers at ReliaQuest. The vulnerability, which has been compared to 2023's CitrixBleed flaw, can allow attackers to bypass authentication measures and hijack user sessions.

ReliaQuest explains, "Citrix Bleed 2 mirrors the original in its ability to bypass authentication and facilitate session hijacking, but it introduces new risks by targeting session tokens instead of session cookies. Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions. This means that attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session."

Users of NetScaler ADC and NetScaler Gateway should apply the patches as soon as possible.

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

Hawaiian Airlines discloses cyberattack.

Hawaiian Airlines yesterday disclosed a "cybersecurity event" that disrupted some of its IT systems, Infosecurity Magazine reports. The airline said in a statement, "We continue to safely operate our full flight schedule, and guest travel is not impacted. As we navigate the ongoing event, we remain in contact with the appropriate experts and federal authorities."

The airline hasn't shared details on the nature of the incident, but Reuters notes that the impact and response suggest that ransomware may have been involved. The Federal Aviation Administration (FAA) told Reuters that its safety office is in touch with Hawaiian Airlines, and reaffirmed that "[t]here has been no impact on safety, and the airline continues to operate safely."

Workload security and next-generation firewall resources.

As application and service environments become more complex, traditional security practices based on static rules can struggle to adapt. Security and DevSecOps teams need zero-trust security solutions to mitigate issues that arise from running intricate workloads.

AWS uniquely integrates with Palo Alto Networks’ VM Series Next-Generation Firewall (NGFW) and App ID functionality for a scalable and centralized zero-trust security layer. Read an in-depth article for a technical overview on implementing them today. Read the article here.

Phishing campaign abuses Microsoft 365's Direct Send to spoof internal users.

Varonis warns that attackers are abusing Microsoft 365's Direct Send feature to send phishing emails that impersonate internal users. Direct Send is designed to allow devices such as printers to send emails within a Microsoft 365 tenant without authentication. Varonis explains, "This setup is intended for internal use only. But here’s the catch: no authentication is required. That means attackers don’t need credentials, tokens, or access to the tenant — just a few publicly available details. Identifying vulnerable organizations is trivial. Smart host addresses follow a predictable format...and internal email formats (like first.last@company[.]com) are often easy to guess or scrape from public sources, social media, or previous breaches. Once a threat actor has the domain and a valid recipient, they can send spoofed emails that appear to originate from inside the organization, without ever logging in or touching the tenant."

What do you think of N2K CyberWire?

Your insights help us grow. Our annual audience survey is your chance to shape how N2K can better meet your needs. Complete the survey here.

Notes.

Today's issue includes events affecting , and the United States.

Attacks, Threats, and Vulnerabilities

Cyberattack on Norwegian Dam Highlights Password Exposure Risks (Claroty) The breach of a Norwegian dam and fish farm underscores a key truth for security and risk leaders: it’s not always the sophisticated attacks that cause the most disruption; it’s the simple, overlooked exposures. Remote access, authentication hygiene, and clear ownership of cyber-physical systems should be routine a...

Retail giant Ahold Delhaize says data breach affects 2.2 million people (BleepingComputer) Ahold Delhaize, one of the world's largest food retail chains, is notifying over 2.2 million individuals that their personal, financial, and health information was stolen in a November ransomware attack that impacted its U.S. systems.

Legislation, Policy, and Regulation

NSA’s Patrick Ware takes over as top civilian at U.S. Cyber Command (The Record) The new executive director of U.S. Cyber Command — the No. 3 position at the digital warfighting organization — is NSA veteran Patrick Ware.

Litigation, Investigation, and Law Enforcement

Scam compounds labeled a 'living nightmare' as Cambodian government accused of turning a blind eye (The Record) Amnesty International said it identified dozens of scam compounds in Cambodia, calling the government's response to the nexus of cybercrime and human trafficking "grossly inadequate."

Many data brokers aren’t registering across state lines, privacy groups say (CyberScoop) Hundreds of companies registered as data brokers in one U.S. state are not recognized as such in other states with similar disclosure laws, according to a new analysis by the Privacy Rights Clearinghouse and the Electronic Frontier Foundation.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

fwd:cloudsec North America 2025 (Denver, Colorado, USA, Jun 30 - Jul 1, 2025) fwd:cloudsec is a non-profit conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know, but that don't fit neatly into a vendor conference schedule.

International Space Station Research and Development Conference (Seattle, Washington, USA, Jul 28 - 31, 2025) At ISSRDC, learn how to harness the International Space Station (ISS) and the unique conditions of space to help solve your most pressing research and development (R&D) challenges.

DEF CON 33 (Las Vegas, Nevada, USA, Aug 7 - 10, 2025) DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.

39th Annual Small Satellite Conference (Salt Lake City, Utah, USA, Aug 11 - 13, 2025) During the 39th Annual Small Satellite Conference, we will delve into the innovations, demands, and cross-market collaborations shaping the future of satellite capabilities and driving new opportunities allowing us to collectively reach new horizons.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 06.27.25