NextGov reports that it obtained a screenshot of an incident overview presentation that confirmed “a ‘widespread cybersecurity incident’ at the Federal Emergency Management Agency [that] allowed hackers to make off with employee data from both the disaster management office and U.S. Customs and Border Protection.”
The incident reportedly started on June 22, 2025, when “hackers accessed Citrix virtual desktop infrastructure inside FEMA using compromised login credentials,” which appear to be associated with the CitrixBleed 2.0 vulnerability. Data was exfiltrated from servers for Region 6, which includes Alabama, Louisiana, New Mexico, Oklahoma, Texas, and 70 tribal nations. Department of Homeland Security (DHS) staff were notified on July 7 and, on July 14, the threat actor, using stolen credentials, attempted to install virtual networking software to exfiltrate data.
Remediation efforts were undertaken on July 16 and September 5. All FEMA employees were required to change their passwords. According to the presentation, DHS and FEMA confirmed on September 10 that employee data had been exfiltrated from the Region 6 servers through the Citrix vulnerability.
