Article Details
Scrape Timestamp (UTC): 2025-08-12 08:41:32.222
Source: https://thehackernews.com/2025/08/dutch-ncsc-confirms-active-exploitation.html
Original Article Text
Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors
The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country.
The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact.
CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
The vulnerability was first disclosed in late June 2025, with patches released in the following versions -
As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also placed on the list last month.
NCSC-NL described the activity as likely the work of a sophisticated threat actor, adding the vulnerability has been exploited as a zero-day since early May 2025 – almost two months before it was publicly disclosed – and the attackers took steps to erase traces in an effort to conceal the compromise. The exploitation was discovered on July 16, 2025.
"During the investigation, malicious web shells were found on Citrix devices," the agency said. "A web shell is a piece of rogue code that gives an attacker remote access to the system. The attacker can place a web shell by abusing a vulnerability."
To mitigate the risk arising from CVE-2025-6543, organizations are advised to apply the latest updates, and terminate permanent and active sessions by running the following commands -
Organizations can also run a shell script made available by NCSC-NL to hunt for indicators of compromise associated with the exploitation of CVE-2025-6543.
"Files with a different .php extension in Citrix NetScaler system folders may be an indication of abuse," NCSC-NL said. "Check for newly created accounts on the NetScaler, and specifically for accounts with increased rights."
Daily Brief Summary
The Dutch National Cyber Security Centre (NCSC-NL) has identified active exploitation of a critical Citrix NetScaler vulnerability, CVE-2025-6543, impacting several key organizations in the Netherlands.
The vulnerability, with a CVSS score of 9.2, can lead to unintended control flow and denial-of-service when configured as a Gateway or AAA virtual server.
Initial exploitation began as a zero-day in early May 2025, two months prior to public disclosure, indicating a sophisticated threat actor's involvement.
Malicious web shells were discovered on compromised Citrix devices, providing attackers with remote access and highlighting the need for immediate remediation.
Organizations are urged to apply the latest patches, terminate active sessions, and utilize NCSC-NL's shell script to detect potential indicators of compromise.
The vulnerability's addition to CISA's Known Exploited Vulnerabilities catalog underscores its critical nature and the importance of swift action.
The incident serves as a reminder of the persistent threat posed by unpatched vulnerabilities and the necessity for proactive cybersecurity measures.