Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs

The Netherlands’ Nationwide Cyber Safety Centre (NCSC) is warning {that a} important Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach “important organizations” within the nation.

The important flaw is a reminiscence overflow bug that permits unintended management circulation or a denial of service state on impacted gadgets.

“Reminiscence overflow vulnerability resulting in unintended management circulation and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy) OR AAA digital server,” explains Citrix’s advisory.

Citrix issued a bulletin concerning the flaw on June 25, 2025, warning that the next variations had been susceptible to ongoing assaults:

• 14.1 earlier than 14.1-47.46
• 13.1 earlier than 13.1-59.19
• 13.1-FIPS and 13.1-NDcPP earlier than 13.1-37.236
• 12.1 and 13.0 → Finish-of-Life however nonetheless susceptible (no fixes supplied, improve to a more recent launch really useful)

Whereas the flaw was initially considered exploited in denial of service (DoS) assaults, the NCSC’s warning now signifies that the attackers exploited it to realize distant code execution.

The NCSC’s warning about CVE-2025-6543 confirms that hackers have leveraged the flaw to breach a number of entities within the nation, after which wiped traces of the assaults to eradicate proof of the intrusions.

“The NCSC has decided that a number of important organizations within the Netherlands have been efficiently attacked by way of a vulnerability recognized as CVE-2025-6543 in Citrix NetScaler,” reads the discover.

“The NCSC assesses the assaults because the work of a number of actors with a sophisticated modus operandi. The vulnerability was exploited as a zero-day, and traces had been actively eliminated to hide compromise at affected organizations.” 

Zero-day exploitation

In response to the NCSC, these assaults occurred since at the very least early Might, practically two months earlier than Citrix revealed its bulletin and made patches out there, in order that they had been exploited as zero days for an prolonged interval.

Though the company didn’t title any of the impacted organizations, the Openbaar Ministerie (OM), which is the Public Prosecution Service of the Netherlands, disclosed a compromise on July 18, noting the invention got here after receiving an NCSC alert.

The group suffered extreme operational disruption because of this, step by step returning on-line and firing up its e-mail servers solely final week.

To deal with the danger from CVE-2025-6543, organizations are really useful to improve to NetScaler ADC and NetScaler Gateway 14.1 model 14.1-47.46 and later, model 13.1-59.19 and later, and ADC 13.1-FIPS and 13.1-NDcPP model 13.1-37.236 and later.

After putting in the updates, it’s essential to finish all lively classes with:

kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions

This similar mitigation recommendation was given for the actively exploited Citrix Bleed 2 flaw, tracked as CVE-2025-5777. It’s unclear whether or not that flaw was additionally abused in assaults, or if it is the identical replace course of for each flaws.

The NCSC advises system directors to search for indicators of compromise, resembling an atypical file creation date, duplicate file names with completely different extensions, and the absence of PHP information within the folders.

The cybersecurity company has additionally launched a script on GitHub that may scan gadgets for uncommon PHP and XHTML information, in addition to different IOCs.