The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation of CVE-2025-6543, a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances.
The flaw affects devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server and can result in unintended control flow, denial-of-service (DoS), and, in some exploitation chains, remote code execution.
The NCSC-NL reports that multiple critical organizations in the Netherlands have been breached, with activity traced back to at least early May 2025—almost two months before Citrix released a public advisory on June 25, 2025.
Threat Overview
- CVSS Score: v4.0: 9.2 (Critical), v3.x: 9.8 (Critical)
- Confirmed Victim: Dutch Public Prosecution Service (Openbaar Ministerie)
While the flaw was initially classified primarily as a DoS risk, real-world exploitation has demonstrated that it can be weaponized to gain full access to the affected device. Once compromised, threat actors have deployed malicious web shells, enabling persistent remote access, and have actively removed forensic evidence to hinder detection.
The NCSC-NL assesses that the attacks are likely the work of a sophisticated threat actor or group, given the stealthy operational security measures observed. One confirmed victim, the Dutch Public Prosecution Service (Openbaar Ministerie), experienced significant service disruptions, including extended downtime of email systems.
Global Risk Context
Although reported incidents have so far centered in the Netherlands, CVE-2025-6543 poses a global threat. Citrix NetScaler devices are widely deployed across critical infrastructure, government networks, and enterprise environments. The Shadowserver Foundation’s internet scanning indicates that thousands of NetScaler appliances remain exposed.
The vulnerability was added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog on June 30, 2025, with federal agencies instructed to patch by July 21, 2025.
Technical Details & Exploitation
The vulnerability arises from a memory overflow condition that can be triggered when the device is configured in Gateway or AAA virtual server modes. Successful exploitation allows an attacker to alter control flow, cause a system crash, or execute arbitrary code. In confirmed incidents, exploitation chains involved:
- Uploading and executing malicious .php files in NetScaler system directories.
- Creating new administrative accounts with elevated privileges.
- Erasing or tampering with logs to remove intrusion evidence.
The NCSC-NL believes the flaw was exploited as a zero-day for at least two months, providing attackers with an extended window for undetected compromise.
Mitigation & Hunting Guidance
Citrix has released fixes in the following versions:
- NetScaler ADC and Gateway 14.1 – 14.1-47.46 and later
- NetScaler ADC and Gateway 13.1 – 13.1-59.19 and later
- NetScaler ADC 13.1-FIPS and NDcPP – 13.1-37.236 and later
Older versions (12.1 and 13.0) are end-of-life and will not receive security updates. Organizations running these versions must upgrade immediately.
Post-patching, all active sessions should be terminated using:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
For detection, administrators should search for:
- Unexpected or newly created .php files in system folders.
- Unfamiliar administrative accounts or accounts with elevated rights.
- Suspicious file creation dates or duplicate filenames with different extensions.
The NCSC-NL has released a GitHub-hosted script to assist in scanning for indicators of compromise (IoCs).
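As an added illustration, not the NCSC-NL script mentioned above and not code from OP Innovate, the following POSIX shell functions implement the first and third detection checks in the list over a directory tree: .php files modified after a reference date, and file stems that exist with more than one extension. The scanned directory, the 1 May 2025 reference date and the sample file names are assumptions, since the page gives no NetScaler paths.

```shell
#!/bin/sh
# Added example: hunt for two of the file-system indicators listed above.
# The directory, reference date and sample file names are assumptions.

# List .php files under $1 modified after $2 (YYYYMMDDhhmm). A temporary
# reference file lets plain POSIX find -newer do the date comparison.
hunt_new_php() {
    dir=$1; since=$2
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref"
    find "$dir" -type f -name '*.php' -newer "$ref" | sort
    rm -f "$ref"
}

# List path stems present with more than one extension (e.g. login.js next
# to login.php), the "duplicate filenames" pattern the advisory flags.
hunt_dup_stems() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        b=${f##*/}
        printf '%s/%s\t%s\n' "${f%/*}" "${b%.*}" "$b"
    done | sort | awk -F'\t' '
        { n[$1]++; names[$1] = names[$1] " " $2 }
        END { for (k in n) if (n[k] > 1) print k ":" names[k] }' | sort
}

# Constructed sample tree so the script runs offline; prints its root.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    d="$root/ns_gui/vpn"; mkdir -p "$d"
    printf 'legit\n' > "$d/index.html"
    printf 'legit\n' > "$d/login.js"
    printf 'old\n'   > "$d/old.php"     # pre-dates the campaign window
    printf 'shell\n' > "$d/login.php"   # recent, and shadows login.js
    touch -t 202401010000 "$d/index.html" "$d/login.js" "$d/old.php"
    touch -t 202505150000 "$d/login.php"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_tree)
    echo "php files modified since 2025-05-01:"; hunt_new_php "$root" 202505010000
    echo "stems with more than one extension:"; hunt_dup_stems "$root"
    rm -rf "$root"
fi
```

Run with --demo to see both hunts against the constructed tree; point the functions at a real web-content directory to use them for triage.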
Stay Safe. Stay Secure.
OP Innovate Research Team.