The Netherlands' National Cyber Security Centre (NCSC) warns that a critical Citrix NetScaler vulnerability, tracked as CVE-2025-6543, was exploited to breach "important organizations" in the country.
The critical flaw is a memory overflow bug that allows unexpected control flow or a denial-of-service state on affected devices.
"Memory overflow vulnerability leading to unexpected control flow and denial of service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server," reads Citrix's advisory.
Citrix released a bulletin about the flaw on June 25, 2025, warning that the following versions were vulnerable to the ongoing attacks:
- 14.1 before 14.1-47.46
- 13.1 before 13.1-59.19
- 13.1-FIPS and 13.1-NDcPP before 13.1-37.236
- 12.1 and 13.0: End-of-Life but still vulnerable (no fix was provided; upgrading to a newer release is recommended)
While the flaw was initially exploited in denial-of-service (DoS) attacks, the NCSC's warning now indicates that the attackers exploited it to achieve remote code execution.
The NCSC warning about CVE-2025-6543 confirms that hackers have leveraged the flaw to breach many institutions in the country, and then erased traces of the attacks to eliminate evidence of the intrusion.
"The NCSC has determined that many important organizations in the Netherlands have been successfully attacked through a vulnerability in Citrix NetScaler identified as CVE-2025-6543," reads the notice.
"The NCSC assesses the attacks as the work of one or more actors with an advanced modus operandi. The vulnerability was exploited as a zero-day, and traces of compromise at affected organizations were actively removed."
Zero-day exploitation
According to the NCSC, these attacks have been taking place since at least early May, about two months before Citrix published its bulletin and provided patches, so the flaw was exploited as a zero-day for an extended period.
Although the agency did not name any affected organizations, the Openbaar Ministerie (OM), which is the Public Prosecution Service of the Netherlands, disclosed a compromise on July 18, after receiving an NCSC alert.
The organization suffered serious operational disruption as a result, gradually returning online and bringing its email servers back up only last week.
To address the risk from CVE-2025-6543, organizations are recommended to upgrade to NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 and later, version 13.1-59.19 and later, and ADC 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 and later.
After installing the update, it is important to terminate all active sessions:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
The same mitigation advice was given for the actively exploited Citrix Bleed 2 flaw, tracked as CVE-2025-5777. It is not clear whether that flaw was also abused in the attacks, or whether the update process is simply the same for both flaws.
The NCSC advises system administrators to look for signs of compromise, such as an atypical file creation date, duplicate file names with different extensions, and the absence of PHP files in folders.
The cybersecurity agency has also released a script on GitHub that can scan devices for unusual PHP and XHTML files, as well as other IOCs.
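The following sketch covers two of the signs listed above, duplicate file names with different extensions and atypical file dates, and is meant to be run against a mounted copy of an appliance's file system. It is an added example, not the NCSC's GitHub script; the function name `scan_tree`, the 30-day threshold and the use of modification time in place of creation date are assumptions.

```python
import os
import statistics
import sys
from collections import defaultdict
from pathlib import Path

# Assumption: the page gives no threshold for an "atypical" date, so a file is
# flagged when it is more than this many days from its directory's median.
OUTLIER_DAYS = 30


def scan_tree(root, outlier_days=OUTLIER_DAYS):
    """Walk root and return (duplicate_name_groups, date_outliers)."""
    duplicates, outliers = [], []
    for dirpath, _dirs, files in os.walk(root):
        entries = [Path(dirpath) / name for name in sorted(files)]

        # Indicator 1: one file name present with several extensions,
        # for example login.js next to login.php.
        by_stem = defaultdict(list)
        for path in entries:
            by_stem[path.stem].append(path)
        for group in by_stem.values():
            if len({p.suffix.lower() for p in group}) > 1:
                duplicates.append(sorted(str(p) for p in group))

        # Indicator 2: a timestamp far from the rest of the directory.
        # Modification time stands in for creation date (assumption), and
        # directories with fewer than three files have no useful baseline.
        if len(entries) < 3:
            continue
        mtimes = {p: p.lstat().st_mtime for p in entries}
        median = statistics.median(mtimes.values())
        for path, mtime in mtimes.items():
            if abs(mtime - median) > outlier_days * 86400:
                outliers.append(str(path))
    return duplicates, outliers


if __name__ == "__main__":
    # Usage: python scan.py /path/to/mounted/copy
    dups, outs = scan_tree(sys.argv[1])
    for group in dups:
        print("same name, different extensions:", ", ".join(group))
    for path in outs:
        print("atypical timestamp:", path)
```

A hit from either check is a lead for manual review, not proof of compromise, since legitimate updates also change timestamps and add files.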