
Dutch Orgs Hacked via Citrix Netscaler Flaw CVE-2025-6543

Summary

– The Netherlands’ NCSC warns that a critical Citrix NetScaler vulnerability (CVE-2025-6543) was exploited to breach multiple critical organizations in the country.
– The flaw is a memory overflow bug in NetScaler ADC and Gateway, allowing unintended control flow or denial of service, and was exploited for remote code execution.
– Citrix issued a bulletin on June 25, 2025, listing vulnerable versions, including end-of-life releases with no fixes available.
– Attackers exploited the flaw as a zero-day from early May and removed traces to hide the intrusions; the Dutch Public Prosecution Service is among the affected entities.
– Mitigation includes upgrading to patched versions and terminating active sessions, while the NCSC provides scripts to detect compromise indicators like unusual files.

Dutch organizations have fallen victim to cyberattacks exploiting a critical Citrix NetScaler vulnerability, CVE-2025-6543, according to warnings issued by the country’s National Cyber Security Centre (NCSC). The flaw, which allows attackers to execute remote code or trigger denial-of-service conditions, has already compromised multiple high-profile entities, with evidence deliberately erased to obscure the breaches.

The vulnerability stems from a memory overflow issue affecting Citrix NetScaler ADC and NetScaler Gateway systems configured as VPN virtual servers, ICA proxies, or AAA virtual servers. Citrix released patches on June 25, 2025, but hackers had already weaponized the flaw as early as May, exploiting it as a zero-day vulnerability before fixes were available.

Affected versions include:

  • 14.1 (prior to 14.1-47.46)
  • 13.1 (prior to 13.1-59.19)
  • 13.1-FIPS and 13.1-NDcPP (before 13.1-37.236)
  • 12.1 and 13.0 (end-of-life: still vulnerable, but no fix will be released, so these must be upgraded to a supported branch)
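As an added example (not Citrix's or the NCSC's code), the following Python turns the list above into a check that can be run over the version line each appliance prints for `show ns version`. The exact shape of that line and the way a FIPS/NDcPP build is recognised from it are assumptions made for this illustration; the build numbers in the sample lines are constructed.

```python
"""Classify a NetScaler build against the CVE-2025-6543 fix thresholds listed
above. Added example, not Citrix or NCSC code. The version-line format and the
FIPS/NDcPP detection are assumptions made for this illustration."""
import re

# Fixed builds per release branch from the advisory, as (build_major, build_minor).
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),  # also covers 13.1-NDcPP
}
END_OF_LIFE = {"12.1", "13.0"}  # vulnerable with no fix: upgrade to a supported branch

# Assumed shape of the line printed by `show ns version`, e.g.
# "NetScaler NS14.1: Build 47.46.nc, ..." (assumption for this example).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(line):
    """Return (release, (build_major, build_minor)) or raise ValueError."""
    m = VERSION_RE.search(line)
    if not m:
        raise ValueError("unrecognised version line: %r" % line)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(line, fips=None):
    """Return 'end-of-life', 'vulnerable', 'patched' or 'unknown'.

    fips=None auto-detects a FIPS/NDcPP build from the text (an assumption);
    pass True or False explicitly when the appliance type is known."""
    release, build = parse_version(line)
    if release in END_OF_LIFE:
        return "end-of-life"
    if fips is None:
        fips = re.search(r"fips|ndcpp", line, re.IGNORECASE) is not None
    key = "13.1-FIPS" if (release == "13.1" and fips) else release
    threshold = FIXED_BUILDS.get(key)
    if threshold is None:
        return "unknown"  # a branch the advisory does not list
    # Tuple comparison orders (47, 45) before (47, 46) and (46, 99) before (47, 46).
    return "vulnerable" if build < threshold else "patched"


if __name__ == "__main__":
    # Constructed sample lines, one per appliance in an imaginary estate.
    samples = [
        "NetScaler NS14.1: Build 47.46.nc",
        "NetScaler NS14.1: Build 43.56.nc",
        "NetScaler NS13.1: Build 59.19.nc",
        "NetScaler NS13.1: Build 37.235.nc (FIPS)",
        "NetScaler NS13.0: Build 92.21.nc",
    ]
    for s in samples:
        print(f"{assess(s):12s} {s}")
```

Note that a 13.1 appliance reporting build 37.236 is only safe if it is a FIPS/NDcPP build; the same number on a standard 13.1 build is well below 59.19, which is why the check keys on the branch and not just the build number.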

Initially believed to facilitate only DoS attacks, the flaw was later confirmed to enable remote code execution, allowing attackers to infiltrate systems undetected. The NCSC attributes the breaches to sophisticated threat actors who meticulously covered their tracks, complicating forensic investigations.

One confirmed victim is the Dutch Public Prosecution Service (OM), which reported severe disruptions after detecting the intrusion in mid-July. The agency’s email systems remained offline for weeks, underscoring the attack’s disruptive potential.

To mitigate the risk, organizations must upgrade immediately to a patched build and, once every node of an HA pair or cluster has been upgraded, terminate all active sessions so that sessions established while the appliance was vulnerable do not survive the patch. The NetScaler CLI commands are:

```
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
```

The NCSC also recommends hunting for indicators of compromise (IOCs) on the appliance file system, such as files with irregular timestamps, duplicate filenames with altered extensions, and PHP files that are missing. It has published a script on GitHub that looks for suspicious PHP and XHTML files linked to the attacks.
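The following is an added example, not the NCSC's published script, of how those file-based indicators can be checked over an inventory of a NetScaler's web directories. The directory name, the baseline file set and the timestamps are constructed for the illustration; in practice the baseline would come from a known-good appliance on the same build.

```python
"""Hunt for the file-system indicators named in the article: unexpected PHP/XHTML
files, names duplicated with a changed extension, modification-time outliers,
and expected PHP files that have gone missing. Added example, not the NCSC's
script; the paths, baseline file set and timestamps are constructed."""
import os
import statistics
from collections import defaultdict

WEB_EXTS = {"php", "xhtml"}


def is_web_file(name):
    # Any extension segment of php/xhtml counts, so "x.php.bak" is caught too.
    return bool(set(name.lower().split(".")[1:]) & WEB_EXTS)


def inventory_from_disk(root):
    """Walk a real directory tree (e.g. an appliance backup) into [(path, mtime)]."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            out.append((p, os.stat(p).st_mtime))
    return out


def scan(inventory, expected, skew_seconds=7 * 24 * 3600):
    """inventory: [(path, mtime)]; expected: set of paths from a known-good
    appliance of the same build (assumed baseline). Returns sorted findings."""
    findings = set()
    by_dir = defaultdict(list)
    by_stem = defaultdict(set)
    present = set()
    for path, mtime in inventory:
        present.add(path)
        d, name = os.path.split(path)
        by_dir[d].append((path, mtime))
        stem, _, ext = name.partition(".")
        by_stem[os.path.join(d, stem)].add("." + ext if ext else "")
        if is_web_file(name) and path not in expected:
            findings.add(("unexpected-web-file", path))
    # Same base name with a different extension in the same directory.
    for stem, exts in by_stem.items():
        if len(exts) > 1 and any(is_web_file("x" + e) for e in exts):
            findings.add(("duplicate-name-changed-ext",
                          stem + "{" + ",".join(sorted(exts)) + "}"))
    # Shipped files share a build date; a file modified far from the directory's
    # median modification time stands out.
    for d, entries in by_dir.items():
        if len(entries) < 3:
            continue
        med = statistics.median(m for _, m in entries)
        for path, mtime in entries:
            if abs(mtime - med) > skew_seconds:
                findings.add(("timestamp-outlier", path))
    for path in expected - present:
        findings.add(("missing-expected-file", path))
    return sorted(findings)


# Constructed sample: one web directory of an imaginary appliance.
BASE = 1_750_000_000  # constructed build timestamp shared by shipped files
VPN = "/netscaler/ns_gui/vpn"  # directory name constructed for the example
EXPECTED = {f"{VPN}/{n}" for n in ("index.html", "login.js", "style.css", "utils.php")}
SAMPLE_INVENTORY = [
    (f"{VPN}/index.html", BASE),
    (f"{VPN}/login.js", BASE),
    (f"{VPN}/style.css", BASE),
    (f"{VPN}/index.php", BASE),                  # dropped beside index.html, mtime forged
    (f"{VPN}/config.xhtml", BASE + 40 * 86400),  # dropped later, mtime not forged
    # utils.php (expected) is absent: removed by the intruder
]

if __name__ == "__main__":
    for kind, what in scan(SAMPLE_INVENTORY, EXPECTED):
        print(f"{kind:28s} {what}")
```

`scan(inventory_from_disk(root), expected)` runs the same checks on a real tree. In the sample the forged-timestamp file (index.php) is invisible to the time check and is only caught because its name duplicates index.html; an attacker who cleans up well defeats any single heuristic, which is why several independent checks are combined rather than relying on timestamps alone.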

This incident follows closely on CVE-2025-5777 (Citrix Bleed 2), another recently exploited NetScaler flaw, though it remains unclear whether the two were exploited together. Prompt patching and vigilant monitoring are critical to preventing further exploitation.

(Source: BLEEPING COMPUTER)
