Dutch NCSC confirms active exploitation of Citrix NetScaler CVE-2025-6543 in critical sectors

The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyberattacks exploiting a recently disclosed critical security flaw to breach Citrix NetScaler ADC products.

The NCSC-NL said it discovered exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that the investigation is ongoing to determine the extent of the impact.

CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial of service (DoS) when the device is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The vulnerability was first disclosed in late June 2025, with patches released in the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.236-FIPS and NDcPP
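The build list above can be turned into an inventory check. The following is an added example, not code from NCSC-NL or Citrix: it assumes version strings in the same `<release line>-<build>` form the list uses, and that a build numerically lower than the listed one on the same release line lacks the fix. The edition labels, hostnames and sample builds are constructed for illustration.

```python
import re

# Fixed builds exactly as listed in the article, keyed by (release line, edition).
# The "standard" / "fips-ndcpp" edition labels are names chosen for this example.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips-ndcpp"): (37, 236),
}

# Version strings in the form the article uses: <release line>-<major>.<minor>
VERSION_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)")


def patch_status(version, edition="standard"):
    """Return 'patched', 'needs-update' or 'unknown' for one appliance."""
    match = VERSION_RE.match(version)
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    line = match.group(1)
    build = (int(match.group(2)), int(match.group(3)))
    fixed = FIXED_BUILDS.get((line, edition))
    if fixed is None:
        # Release line not in the article's list: do not guess, escalate.
        return "unknown"
    # Compare as integer tuples: 59.2 is older than 59.19, which a plain
    # string or float comparison would get wrong.
    return "patched" if build >= fixed else "needs-update"


def triage(inventory):
    """Group (host, version, edition) records by patch status."""
    report = {"patched": [], "needs-update": [], "unknown": []}
    for host, version, edition in inventory:
        report[patch_status(version, edition)].append(host)
    return report


# Constructed inventory for illustration; hostnames and builds are made up.
SAMPLE_INVENTORY = [
    ("gw-a.example", "14.1-47.46", "standard"),
    ("gw-b.example", "13.1-59.2", "standard"),
    ("gw-c.example", "13.1-37.235", "fips-ndcpp"),
    ("gw-d.example", "13.0-92.21", "standard"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A "patched" result covers only the update step. Because the article reports exploitation before public disclosure, session termination and the indicator-of-compromise checks still apply to appliances that are already on a fixed build.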

As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also listed last month.

NCSC-NL described the activity as the work of a sophisticated threat actor, adding that the vulnerability has been exploited as a zero-day since early May 2025, two months before it was publicly disclosed. Exploitation was discovered on July 16, 2025.

“During the investigation, a malicious web shell was found on a Citrix device,” the agency said. “A web shell is rogue code that allows an attacker to remotely access the system. An attacker can deploy a web shell by abusing the vulnerability.”

To mitigate the risk arising from CVE-2025-6543, organizations are advised to apply the latest updates and run the following commands to terminate persistent and active sessions:

  • kill icaconnection -all
  • kill pcoipConnection -all
  • kill aaa session -all
  • kill rdp connection -all
  • clear lb persistentSessions

Organizations can also run the shell scripts made available by NCSC-NL to look for indicators of compromise related to CVE-2025-6543 exploitation.

“Files with a different .php extension in the Citrix NetScaler system folders can be a sign of abuse,” said NCSC-NL. “Please check for newly created accounts on the NetScaler, especially those with elevated rights.”
