The Netherlands’ Nationwide Cyber Safety Centre (NCSC) is warning {that a} essential Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach “essential organizations” within the nation.
The essential flaw is a reminiscence overflow bug that permits unintended management circulate or a denial of service state on impacted units.
“Reminiscence overflow vulnerability resulting in unintended management circulate and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy) OR AAA digital server,” explains Citrix’s advisory.
Citrix issued a bulletin in regards to the flaw on June 25, 2025, warning that the next variations have been weak to ongoing assaults:
- 14.1 earlier than 14.1-47.46
- 13.1 earlier than 13.1-59.19
- 13.1-FIPS and 13.1-NDcPP earlier than 13.1-37.236
- 12.1 and 13.0 → Finish-of-Life however nonetheless weak (no fixes supplied, improve to a more moderen launch advisable)
Whereas the flaw was initially regarded as exploited in denial of service (DoS) assaults, the NCSC’s warning now signifies that the attackers exploited it to realize distant code execution.
The NCSC’s warning about CVE-2025-6543 confirms that hackers have leveraged the flaw to breach a number of entities within the nation, after which wiped traces of the assaults to eradicate proof of the intrusions.
“The NCSC has decided that a number of essential organizations within the Netherlands have been efficiently attacked by way of a vulnerability recognized as CVE-2025-6543 in Citrix NetScaler,” reads the discover.
“The NCSC assesses the assaults because the work of a number of actors with a complicated modus operandi. The vulnerability was exploited as a zero-day, and traces have been actively eliminated to hide compromise at affected organizations.”
Zero-day exploitation
In line with the NCSC, these assaults occurred since no less than early Could, practically two months earlier than Citrix printed its bulletin and made patches obtainable, in order that they have been exploited as zero days for an prolonged interval.
Though the company didn’t identify any of the impacted organizations, the Openbaar Ministerie (OM), which is the Public Prosecution Service of the Netherlands, disclosed a compromise on July 18, noting the invention got here after receiving an NCSC alert.
The group suffered extreme operational disruption in consequence, progressively returning on-line and firing up its electronic mail servers solely final week.
To deal with the chance from CVE-2025-6543, organizations are advisable to improve to NetScaler ADC and NetScaler Gateway 14.1 model 14.1-47.46 and later, model 13.1-59.19 and later, and ADC 13.1-FIPS and 13.1-NDcPP model 13.1-37.236 and later.
After putting in the updates, it’s essential to finish all energetic periods with:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessionsThis similar mitigation recommendation was given for the actively exploited Citrix Bleed 2 flaw, tracked as CVE-2025-5777. It’s unclear whether or not that flaw was additionally abused in assaults, or if it is the identical replace course of for each flaws.
The NCSC advises system directors to search for indicators of compromise, comparable to an atypical file creation date, duplicate file names with totally different extensions, and the absence of PHP information within the folders.
The cybersecurity company has additionally launched a script on GitHub that may scan units for uncommon PHP and XHTML information, in addition to different IOCs.
46% of environments had passwords cracked, practically doubling from 25% final yr.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and information exfiltration traits.
