The Netherlands National Cyber Security Center (**NCSC**) has warned of active exploitation of the critical vulnerability CVE-2025-6543 in Citrix NetScaler. The attacks hit several “critical organizations” in the country and allowed attackers to execute code remotely, after which they removed traces of the compromise.

The vulnerability is a memory overflow that can lead to unintended control flow or a denial-of-service condition on NetScaler ADC and NetScaler Gateway devices when they are configured as a gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Citrix issued a bulletin on June 25, 2025, notifying of the risk and indicating that the versions affected are:
Initially thought to be used only for DoS attacks, the vulnerability has now been confirmed to be used for RCE (remote code execution). The NCSC indicates that the attacks began at least in May 2025 — almost two months before the patch release, making this a long-running zero-day campaign.
Among the affected organizations is the Dutch Public Prosecutor’s Office (OM), which reported a major outage on July 18 and has only recently restored some services.
To mitigate the risk, Citrix recommends upgrading to:
NetScaler ADC/Gateway 14.1-47.46+
13.1-59.19+
13.1-FIPS/NDcPP 13.1-37.236+
After the update, you must end all active sessions:
```
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
```
Administrators are advised to check for signs of compromise based on unusual file creation dates, duplicates with different file extensions, and the absence of PHP files in directories. The NCSC has published a script on GitHub to search for suspicious PHP/XHTML files and IOCs.
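
The three file-system checks above can be run over a mounted copy of an appliance's file system, as in this added example (it is not the NCSC's GitHub script and not code from the original article). The baseline date, the `expect_php` directory list and the demo tree are assumptions chosen for illustration, and modification time stands in for creation date.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

WEB_EXTS = {".php", ".xhtml"}  # file types the article says the NCSC script searches for

def triage(root, baseline, expect_php=()):
    """Apply the three checks under root. baseline (aware datetime) and
    expect_php (dirs that should hold PHP files) are analyst-chosen assumptions."""
    found = {"late_mtime": [], "dup_stem": [], "php_missing": []}
    cutoff = baseline.timestamp()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        exts_by_stem = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name.lower())
            exts_by_stem[stem].add(ext)
            # mtime stands in for creation time; lstat avoids following symlinks
            st = os.lstat(os.path.join(dirpath, name))
            if ext in WEB_EXTS and st.st_mtime > cutoff:
                found["late_mtime"].append(os.path.join(rel_dir, name))
        for stem, exts in exts_by_stem.items():
            # same base name under several extensions, one of them PHP/XHTML
            if len(exts) > 1 and exts & WEB_EXTS:
                found["dup_stem"].append((rel_dir, stem, sorted(exts)))
    for rel in expect_php:
        path = os.path.join(root, rel)
        names = os.listdir(path) if os.path.isdir(path) else []
        if not any(n.lower().endswith(".php") for n in names):
            found["php_missing"].append(rel)
    return {check: sorted(hits) for check, hits in found.items()}

def demo():
    """Triage a constructed tree; names and dates are made up for the example."""
    old = datetime(2024, 11, 1, tzinfo=timezone.utc).timestamp()
    new = datetime(2025, 6, 3, tzinfo=timezone.utc).timestamp()
    layout = {"portal/index.php": old, "portal/logo.png": old,
              "portal/logo.php": new, "scripts/readme.txt": old}
    with tempfile.TemporaryDirectory() as root:
        for rel, ts in layout.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (ts, ts))
        return triage(root, datetime(2025, 5, 1, tzinfo=timezone.utc),
                      expect_php=["portal", "scripts"])

if __name__ == "__main__":
    print(demo())
```

Because the attackers are reported to have removed traces, a clean result from timestamp-based checks does not rule out compromise; treat hits as leads for deeper review.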
This attack demonstrates that even after previous incidents like Citrix Bleed 2, zero-days in corporate gateways remain an attractive target for APT groups. Organizations should urgently update, isolate compromised systems, and conduct deep scans for hidden traces of the breach.