The Netherlands' National Cyber Security Centre (NCSC) warns that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 has been exploited to breach “critical organizations” in the country.
The critical flaw is a memory overflow bug that allows unintended control flow or a denial of service condition on affected devices.
“Memory overflow vulnerability leading to unintended control flow and denial of service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.”
Citrix issued a security bulletin on the flaw on June 25, 2025, warning that the following versions are vulnerable to ongoing attacks:
- 14.1 before 14.1-47.46
- 13.1 before 13.1-59.19
- 13.1-FIPS and 13.1-NDcPP before 13.1-37.236
- 12.1 and 13.0 → end of life, but still vulnerable (no fixes provided; upgrading to a newer release is recommended)
The flaw was initially thought to be exploited in denial of service (DoS) attacks, but the NCSC warning indicates that attackers exploited it to achieve remote code execution.
The NCSC warning on CVE-2025-6543 confirms that hackers exploited the flaw to breach multiple entities in the country, then wiped traces of the attacks to remove evidence of intrusion.
“The NCSC has determined that several critical organizations in the Netherlands have been attacked via a vulnerability identified as CVE-2025-6543 in Citrix NetScaler,” the notice reads.
“The NCSC assesses the attacks as the work of a number of actors with advanced methods. The vulnerability was exploited as a zero-day, with traces actively removed to hide compromises at affected organizations.”
Zero-Day Exploitation
According to the NCSC, the flaw was exploited as a zero-day for an extended period of time: the attacks date back to at least early May, two months before Citrix published its bulletin and made patches available.
The agency did not name any of the affected organizations, but the Openbaar Ministerie (OM), the Dutch Public Prosecution Service, disclosed a compromise on July 18th.
As a result, the organization suffered severe operational disruption and has been gradually returning online, bringing its email servers back up only last week.
To address the risk of CVE-2025-6543, it is recommended that you upgrade to NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 or later, and version 13.1-59.19 or later.
After installing the update, you must end all active sessions with the following commands:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
The same mitigation advice was given for the actively exploited Citrix Bleed 2 flaw tracked as CVE-2025-5777. It is unclear whether that flaw was also abused in the attacks or whether the update process is simply the same for both flaws.
The NCSC advises system administrators to look for indicators of compromise, such as atypical file creation dates, file names with different extensions, and the absence of PHP files in the folder.
The cybersecurity agency has released a script on GitHub that can scan for unusual PHP and XHTML files, as well as other IOCs.
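The three indicators listed above can be checked on an exported copy of a device's file system with a short triage script. The following is an added example, not the NCSC's GitHub script; the directory names, the 1 May 2025 cutoff and the `expect_php` parameter are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

SCRIPT_EXTS = {".php", ".xhtml"}  # file types the scan described above looks for

def triage(root, since, expect_php=()):
    """Check a file tree for the three indicators; `since` is a POSIX timestamp."""
    out = {"recent": [], "same_name": [], "php_missing": []}
    dirs_with_php = set()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.normpath(os.path.relpath(dirpath, root))
        exts_by_stem = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            exts_by_stem[stem].add(ext)
            if ext == ".php":
                dirs_with_php.add(rel)
            # st_mtime stands in for creation time, which not every OS exposes
            mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            if ext in SCRIPT_EXTS and mtime >= since:
                out["recent"].append(os.path.join(rel, name))
        # Same base name under several extensions, one of them a script type
        for stem, exts in sorted(exts_by_stem.items()):
            if len(exts) > 1 and exts & SCRIPT_EXTS:
                out["same_name"].append((rel, stem, sorted(exts)))
    # Folders expected to hold PHP files (hypothetical list) that hold none
    out["php_missing"] = [d for d in expect_php if d not in dirs_with_php]
    return out

def demo():
    """Build a constructed tree (hypothetical names) and triage it."""
    old = datetime(2025, 1, 10, tzinfo=timezone.utc).timestamp()
    new = datetime(2025, 5, 20, tzinfo=timezone.utc).timestamp()
    since = datetime(2025, 5, 1, tzinfo=timezone.utc).timestamp()  # assumed cutoff
    with tempfile.TemporaryDirectory() as root:
        for rel, mtime in [("portal/index.php", old), ("portal/logo.png", old),
                           ("portal/logo.php", new), ("scripts/readme.txt", old)]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        return triage(root, since, expect_php=("portal", "scripts"))

if __name__ == "__main__":
    print(demo())
```

A hit from this script is a lead for forensic review, not proof of compromise, and a clean result does not rule one out given that traces were actively removed.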