The Dutch Nationwide Cyber Safety Centre (NCSC-NL) has warned of cyber assaults exploiting a just lately disclosed important safety flaw impacting Citrix NetScaler ADC merchandise to breach organizations within the nation.
The NCSC-NL mentioned it found the exploitation of CVE-2025-6543 concentrating on a number of important organizations throughout the Netherlands, and that investigations are ongoing to find out the extent of the impression.
CVE-2025-6543 (CVSS rating: 9.2) is a important safety vulnerability in NetScaler ADC that ends in unintended management move and denial-of-service (DoS) when the gadgets are configured as a Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy) OR AAA digital server.
The vulnerability was first disclosed in late June 2025, with patches launched within the following variations –
- NetScaler ADC and NetScaler Gateway 14.1 previous to 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 previous to 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP previous to 13.1-37.236-FIPS and NDcPP
As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Safety Company’s (CISA) Identified Exploited Vulnerabilities (KEV) catalog. One other flaw in the identical product (CVE-2025-5777, CVSS rating: 9.3) was additionally positioned on the listing final month.
NCSC-NL described the exercise as seemingly the work of a complicated menace actor, including the vulnerability has been exploited as a zero-day since early Might 2025 – virtually two months earlier than it was publicly disclosed – and the attackers took steps to erase traces in an effort to hide the compromise. The exploitation was found on July 16, 2025.
“In the course of the investigation, malicious internet shells have been discovered on Citrix gadgets,” the company mentioned. “An internet shell is a bit of rogue code that offers an attacker distant entry to the system. The attacker can place an online shell by abusing a vulnerability.”
To mitigate the danger arising from CVE-2025-6543, organizations are suggested to use the most recent updates, and terminate everlasting and energetic classes by operating the next instructions –
- kill icaconnection -all
- kill pcoipConnection -all
- kill aaa session -all
- kill rdp connection -all
- clear lb persistentSessions
Organizations may also run a shell script made out there by NCSC-NL to hunt for indicators of compromise related to the exploitation of CVE-2025-6543.
“Recordsdata with a distinct .php extension in Citrix NetScaler system folders could also be a sign of abuse,” NCSC-NL mentioned. “Examine for newly created accounts on the NetScaler, and particularly for accounts with elevated rights.”
