Pennsylvania Attorney General Announces Recent Cyber-Attack: What You Need to Know about Citrix Bleed 2
Thursday, August 14, 2025

On August 11, 2025, the Pennsylvania Office of Attorney General (PA AG) issued a statement on its Facebook account regarding a cyber incident that had affected PA AG systems, including its website, email accounts, and phone lines.

The PA AG has not shared a specific cause of the incident. However, security researcher Kevin Beaumont noted in July that the PA AG was using Citrix NetScaler instances that were vulnerable to a security flaw that Beaumont dubbed Citrix Bleed 2 (CVE-2025-5777).

Citrix NetScaler, now known as Citrix NetScaler Application Delivery Controller (Citrix NetScaler ADC), is a platform that secures network traffic so that employees can connect remotely to company systems. NetScaler decides which servers should handle which users to minimize bottlenecks and enable applications to load faster.

Citrix Bleed 2 is a known vulnerability that affects certain instances of NetScaler. It allows cyber attackers to read memory contents within NetScaler to steal session tokens, which function as temporary access passes. With access to session tokens, cyber attackers can bypass security features such as multifactor authentication and hijack sessions to pose as a legitimate user and access sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) added Citrix Bleed 2 to its Known Exploited Vulnerabilities list on July 10, 2025. The agency also set a 24-hour deadline for federal agencies to patch the flaw or discontinue use of affected systems until the patch could be made, recognizing the vulnerability’s potential for severe damage. CISA’s Acting Executive Assistant Director stated that the vulnerability “poses a significant, unacceptable risk to the security of the federal civilian enterprise.”

Since the PA AG has not yet confirmed a cause of the cyber incident, it is possible that the PA AG incident did not stem from this vulnerability. However, companies using affected NetScaler ADC and Gateway systems, as listed by Citrix, should still install updated versions with patches as soon as possible. Citrix also recommends running two commands (“kill icaconnection -all” and “kill pcoipConnection -all”) to terminate all active ICA and PCoIP sessions after all NetScaler appliances have been updated. Patching alone does not invalidate sessions that are already established, so a session token stolen before the update could otherwise remain usable.

Regardless of the cause of the PA AG cyber-attack, promptly applying security patches is critical for any organization. Keeping systems up to date helps close vulnerabilities before attackers can exploit them. Patching may not be glamorous, but it is powerful. One timely update could be the barrier between a threat actor and your organization’s secure systems.
