The Dutch National Cyber Security Centre (NCSC-NL) has issued a warning about cyber attacks that are taking advantage of a recently revealed critical vulnerability in Citrix NetScaler ADC products. These attacks have targeted organizations across the Netherlands.
According to NCSC-NL, the vulnerability identified as CVE-2025-6543 has been used to breach several critical organizations in the country. Investigations are currently underway to assess the full scope of the damage.
CVE-2025-6543 carries a CVSS score of 9.2 and affects NetScaler ADC when configured as a Gateway (including VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This flaw can lead to unintended control flow and denial-of-service (DoS). It was first disclosed in late June 2025, and Citrix released patches for the following affected versions:
- NetScaler ADC and NetScaler Gateway 14.1 before version 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP before version 13.1-37.236-FIPS and NDcPP
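
The fixed builds above can be checked against an appliance inventory. The following is an added example, not code from NCSC-NL or Citrix: the hostnames and version strings are constructed, and the `NS13.1: Build 58.32.nc` banner layout is an assumption about how a version may be recorded. It keeps the FIPS/NDcPP train separate, because a patched 13.1-37.x build compared against 13.1-59.19 would otherwise be reported as vulnerable.

```python
import re

# First patched build per release train, as listed in the article.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),  # 13.1-FIPS and NDcPP
}

# Accepts "14.1-43.56", "13.1-37.235-FIPS" or a banner such as
# "NS13.1: Build 58.32.nc" (the banner layout is an assumption).
_VERSION = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)
_FIPS = re.compile(r"fips|ndcpp", re.I)


def assess(version_string):
    """Return 'vulnerable', 'patched' or 'unknown' for one version string."""
    m = _VERSION.search(version_string)
    if not m:
        return "unknown"
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    # Without a FIPS/NDcPP label the build is compared against the standard
    # train, which errs towards 'vulnerable' for unlabelled 13.1-37.x builds.
    edition = "fips" if _FIPS.search(version_string) else "standard"
    fixed = FIXED_BUILDS.get((release, edition))
    if fixed is None:
        return "unknown"  # release train not covered by the article's list
    return "vulnerable" if build < fixed else "patched"


def triage(inventory):
    """Map {hostname: version_string} to the hosts that still need action."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    return {host: status for host, status in results.items() if status != "patched"}


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "gw-ams-01.example.org": "14.1-43.56",
    "gw-ams-02.example.org": "14.1-47.46",
    "gw-rtm-01.example.org": "NS13.1: Build 58.32.nc",
    "gw-fips-01.example.org": "13.1-37.236-FIPS",
    "gw-old-01.example.org": "12.1-55.328",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A `patched` result reflects the build number only. Because exploitation predates the patches, the session termination and compromise checks described in this article still apply to patched appliances.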
On June 30, 2025, CVE-2025-6543 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another vulnerability in the same product, CVE-2025-5777 with a CVSS score of 9.3, was added to the list in the previous month.
NCSC-NL believes the attacks are likely the work of a highly skilled threat actor. The vulnerability has reportedly been exploited as a zero-day since early May 2025, nearly two months before its public disclosure. The attackers also attempted to erase evidence to hide their activities. The exploitation was first detected on July 16, 2025.
During the investigation, malicious web shells were discovered on Citrix devices. A web shell is a piece of unauthorized code that allows an attacker to remotely access the system. Attackers can install a web shell by exploiting a vulnerability.
To reduce the risk posed by CVE-2025-6543, organizations are urged to install the latest updates and terminate all permanent and active sessions using the following commands:
```
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
```
NCSC-NL has also provided a shell script that organizations can use to search for indicators of compromise related to CVE-2025-6543.
The agency noted that files with unusual .php extensions in Citrix NetScaler system folders may signal abuse. It also advised checking for newly created accounts on the NetScaler, especially those with elevated privileges.