Incident

Cyberattack compromises FEMA and Border Protection employee data through CitrixBleed 2.0 flaw

Take action: The incident is unfortunate, but mass firings are exactly the kind of culture that will not help in the long term. The most the organization can expect from them is that everyone starts pushing problems onto someone else and covering their own backs.


Learn More

The Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP) have reported a data breach that exposed sensitive employee information from both agencies. 

The incident, which ran for several months over the summer of 2025, exploited a critical vulnerability in Citrix's NetScaler ADC and NetScaler Gateway remote access software.

The cyberattack began on June 22, 2025, when attackers breached FEMA's Citrix virtual desktop infrastructure. The attackers apparently exploited CVE-2025-5777, a pre-authentication memory disclosure vulnerability dubbed "CitrixBleed 2.0". Because the leaked memory can contain valid session tokens, an attacker can take over an already authenticated user's session without a password or MFA prompt, and patching the appliance does not evict sessions that were stolen before the update; Citrix's remediation guidance was therefore to upgrade and then terminate all active ICA and PCoIP sessions (kill icaconnection -all and kill pcoipConnection -all) so that any hijacked token stops working.
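Because a leaked token lets an attacker ride an existing session, the post-incident question for a gateway like this is "which sessions were driven from more than one client IP, and did the second IP ever log in?". The following is an added example, not code from the original page or from Citrix: it runs that check over a constructed, generic access-log format (timestamp, client IP, session id, method, path), which is an assumption for illustration and not NetScaler's real log format. The login path /cgi/login, the session ids and all sample lines are made up.

```python
"""Added example (not from the original page): after a memory-disclosure bug on a
remote access gateway leaks session tokens, find sessions that were driven from
more than one client IP. The log format, the login path and the sample lines
are constructed for this example; they are not NetScaler's real log format."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<ISO-8601 ts> <client ip> sess=<id> <method> <path>".
SAMPLE_LOG = """\
2025-06-22T09:00:00Z 203.0.113.7 sess=A7F3 POST /cgi/login
2025-06-22T09:01:10Z 203.0.113.7 sess=A7F3 GET /desktop
2025-06-22T09:02:30Z 198.51.100.23 sess=A7F3 GET /files
2025-06-22T09:03:05Z 203.0.113.7 sess=A7F3 GET /desktop
2025-06-22T09:03:40Z 198.51.100.23 sess=A7F3 GET /admin
2025-06-22T10:00:00Z 192.0.2.10 sess=B19C POST /cgi/login
2025-06-22T10:05:00Z 192.0.2.10 sess=B19C GET /desktop
2025-06-22T14:00:00Z 192.0.2.55 sess=B19C GET /desktop
2025-06-22T11:00:00Z 198.51.100.77 sess=C402 POST /cgi/login
2025-06-22T11:10:00Z 198.51.100.77 sess=C402 GET /files
"""

AUTH_PATH = "/cgi/login"  # assumed login endpoint of the constructed format
LINE_RE = re.compile(r"^(\S+) (\S+) sess=(\S+) (\S+) (\S+)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    sid: str
    method: str
    path: str


@dataclass
class Finding:
    sid: str
    ips: list                  # distinct client IPs, in order of first appearance
    unauthenticated_ips: list  # IPs that used the session but never logged in
    transitions: int           # consecutive-event IP changes within the session
    tight_switch: bool         # some IP change happened within `window`
    severity: str              # "high" or "review"


def parse(log_text):
    """Parse the constructed log format into Event records; reject malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts, ip, sid, method, path = m.groups()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            ip, sid, method, path))
    return events


def find_shared_sessions(events, window=timedelta(minutes=5)):
    """Return {sid: Finding} for every session used from more than one client IP.

    A session is "high" when an IP that never authenticated used it AND either
    the IPs interleave (the real user is still active while the other IP drives
    the same session) or an IP change happened within `window`. A single
    hand-over with a long gap is "review": it may just be a user changing networks.
    """
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_sid[e.sid].append(e)

    findings = {}
    for sid, evs in by_sid.items():
        ips = []
        for e in evs:
            if e.ip not in ips:
                ips.append(e.ip)
        if len(ips) < 2:
            continue
        auth_ips = {e.ip for e in evs if e.path == AUTH_PATH}
        unauth = [ip for ip in ips if ip not in auth_ips]
        pairs = list(zip(evs, evs[1:]))
        transitions = sum(1 for a, b in pairs if a.ip != b.ip)
        interleaved = transitions > len(ips) - 1   # more switches than a one-way hand-over
        tight = any(b.ts - a.ts <= window for a, b in pairs if a.ip != b.ip)
        severity = "high" if unauth and (interleaved or tight) else "review"
        findings[sid] = Finding(sid, ips, unauth, transitions, tight, severity)
    return findings


if __name__ == "__main__":
    for f in find_shared_sessions(parse(SAMPLE_LOG)).values():
        print(f"{f.sid}: {f.severity:6} ips={f.ips} never_authenticated={f.unauthenticated_ips} "
              f"ip_changes={f.transitions} tight_switch={f.tight_switch}")
```

On the sample, session A7F3 is flagged high (a second IP that never logged in is interleaved with the real user within minutes, the signature of a stolen token in use), B19C is left for review (one hand-over hours later, consistent with a user moving networks), and C402 is not reported. Tune the window and the authentication path to the gateway's actual logs before relying on the verdicts.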

The breach targeted FEMA's Region 6 servers, which cover Arkansas, Louisiana, New Mexico, Oklahoma, and Texas, as well as nearly 70 tribal nations. From that foothold the attacker gained access to the agency's Microsoft Active Directory and stole information about employees at both FEMA and Customs and Border Protection. 

The Department of Homeland Security (DHS), which oversees both agencies, was notified of the breach on July 7, 2025, yet the threat actors continued to operate within the compromised systems for weeks. On July 14, the intruders attempted to install virtual private network software using an account with high-level access, in an effort to reach additional databases remotely and extract more information. Exposed data includes:

  • Names
  • Contact details
  • Potentially financial information
  • Potentially security clearances

The number of affected individuals has not been disclosed. All FEMA employees were required to change their passwords. On September 10, 2025, a DHS Task Force confirmed that employee data had been stolen from both FEMA and CBP through the Citrix vulnerability.

DHS Secretary Kristi Noem announced on August 29 that she had terminated FEMA Chief Information Officer Charles Armstrong, Chief Information Security Officer Gregory Edwards, and 22 other FEMA IT employees who were blamed for security failures.
