The Netherlands’ National Cyber Security Centre (NCSC-NL) confirmed that a critical Citrix NetScaler flaw, CVE-2025-6543, is being exploited to break into multiple Dutch critical-sector organizations. The agency’s investigation found malicious web shells on compromised NetScaler appliances and evidence that attackers deliberately erased traces to hinder forensics.
How the attacks work
- The bug: CVE-2025-6543 is a memory overflow leading to unintended control flow and potential DoS when NetScaler ADC/Gateway is configured as a Gateway or AAA virtual server. In practice, steering execution flow enables post-exploitation actions on the device.
- Zero-day window: NCSC-NL assesses exploitation began in early May 2025—weeks before public disclosure (June 25)—making it a true zero-day.
- Post-exploitation: Investigators found web shells placed on NetScaler systems—lightweight backdoors that give remote command execution—consistent with attackers first gaining a foothold via the flaw and then establishing persistence while wiping logs/artifacts to evade detection.
Why it’s happening
- Edge exposure: NetScaler ADC/Gateway often sits internet-facing to broker VPN/remote access; compromise can become an enterprise entry point.
- High impact, high reward: A CVSS 9.2 gateway-context flaw is attractive to capable actors; NCSC-NL characterizes the activity as sophisticated with operational security
- Patch/response gaps: Appliances may be slow to patch and, critically, patching alone does not evict intruders if sessions/backdoors persist—hence the emphasis on session invalidation and IOC hunting.
How it surfaced
- May 2025: Earliest attacker activity inferred from forensics at victim orgs. ([ncsc.nl][2])
- June 25, 2025: Vendor advisory published for CVE-2025-6543. ([support.citrix.com][4])
- June 30, 2025: CISA adds CVE-2025-6543 to the Known Exploited Vulnerabilities (KEV) catalog, confirming in-the-wild exploitation. ([cisa.gov][5])
- July 16, 2025: NCSC-NL detects exploitation at Dutch organizations; multiple entities later confirm compromise indicators. ([ncsc.nl][2])
- Aug 11, 2025: NCSC-NL issues an updated case report; Aug 12 reporting underscores active exploitation and sectoral impact.
Current status & what defenders must do now
Investigations are ongoing; scope and impact are still being mapped. Meanwhile, both NCSC-NL and Citrix/NetScaler urge immediate remediation and compromise checks:
1) Patch to fixed builds (or later):
- 14.1-47.46 (ADC/Gateway)
- 13.1-59.19 (ADC/Gateway)
- 13.1-37.236 (FIPS / NDcPP)
> Note: 12.1 and 13.0 are EOL; upgrade to supported releases. ([support.citrix.com][4])
2) Invalidate potentially hijacked sessions after patching: Run on the appliance to wipe live/”sticky” sessions:
- `kill icaconnection -all`
- `kill pcoipConnection -all`
- `kill aaa session -all`
- `kill rdp connection -all`
- `clear lb persistentSessions` ([The Hacker News][1])
3) Hunt for persistence/IOCs:
- Look for anomalous `.php` files in NetScaler system folders, new/high-privilege accounts, and other tampering. ([ncsc.nl][2])
- Use the NCSC-NL detection script (`TLPCLEAR_check_script_cve-2025-6543`); export and review `/var/log/custom_checks.log`. ([GitHub][6])
4) Assume breach; go layered: NCSC-NL stresses defense-in-depth, robust logging/forensic readiness, and network segmentation so a single edge device bypass doesn’t become a full network compromise.
The bottom line
This is a live, stealthy campaign against widely deployed edge gateways. Treat patched devices as potentially compromised until proven otherwise: upgrade, kill sessions, comb for IOCs, and harden your edge. ([The Hacker News][1], [ncsc.nl][2])