
Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs



The Netherlands’ National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach “critical organizations” in the country.

The critical flaw is a memory overflow bug that allows unintended control flow or a denial of service state on impacted devices.

“Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server,” explains Citrix’s advisory.

Citrix issued a bulletin about the flaw on June 25, 2025, warning that the following versions were vulnerable to ongoing attacks:

  • 14.1 before 14.1-47.46
  • 13.1 before 13.1-59.19
  • 13.1-FIPS and 13.1-NDcPP before 13.1-37.236
  • 12.1 and 13.0 → End-of-Life but still vulnerable (no fixes provided, upgrade to a newer release recommended)

While the flaw was initially thought to be exploited in denial of service (DoS) attacks, the NCSC’s warning now indicates that the attackers exploited it to achieve remote code execution.

The NCSC’s warning about CVE-2025-6543 confirms that hackers have leveraged the flaw to breach a number of entities in the country, and then wiped traces of the attacks to eliminate evidence of the intrusions.

“The NCSC has determined that a number of critical organizations in the Netherlands have been successfully attacked via a vulnerability identified as CVE-2025-6543 in Citrix NetScaler,” reads the notice.

“The NCSC assesses the attacks as the work of a number of actors with a sophisticated modus operandi. The vulnerability was exploited as a zero-day, and traces were actively removed to conceal compromise at affected organizations.”

Zero-day exploitation

According to the NCSC, these attacks have occurred since at least early May, nearly two months before Citrix published its bulletin and made patches available, so the flaw was exploited as a zero-day for an extended period.

Although the agency did not name any of the impacted organizations, the Openbaar Ministerie (OM), which is the Public Prosecution Service of the Netherlands, disclosed a compromise on July 18, noting the discovery came after receiving an NCSC alert.

The organization suffered severe operational disruption as a result, gradually returning online and firing up its email servers only last week.

To address the risk from CVE-2025-6543, organizations are recommended to upgrade to NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 and later, version 13.1-59.19 and later, and ADC 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 and later.
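To triage an inventory against the fixed builds listed above, the following added example (not from Citrix or the NCSC) classifies a version string per branch. It assumes version strings look like either "NS13.1: Build 58.32.nc" or "13.1-58.32", and that the caller knows whether an appliance runs a FIPS/NDcPP build; the host names are constructed.

```python
import re

# Fixed builds per branch, taken from the bulletin list quoted in this article.
# Key: (branch, is_fips_or_ndcpp) -> first fixed (major, minor) build.
FIXED = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),   # 13.1-FIPS and 13.1-NDcPP
}
EOL = {"12.1", "13.0"}  # end-of-life: vulnerable, no fix provided

# Assumed formats: "NS13.1: Build 58.32.nc" or "13.1-58.32".
VERSION_RE = re.compile(r"(\d+\.\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)")


def assess(version_text, fips=False):
    """Return (status, detail); status is patched, vulnerable, eol or unknown."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown", "could not parse version string"
    branch = m.group(1)
    # Compare builds as integer tuples: 47.5 is older than 47.46,
    # which a string or float comparison would get wrong.
    build = (int(m.group(2)), int(m.group(3)))
    if branch in EOL:
        return "eol", f"{branch} is end-of-life; upgrade to a supported release"
    fixed = FIXED.get((branch, fips))
    if fixed is None:
        return "unknown", f"branch {branch} is not in the bulletin list"
    if build < fixed:
        return "vulnerable", f"upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"
    return "patched", f"at or above {branch}-{fixed[0]}.{fixed[1]}"


if __name__ == "__main__":
    # Constructed sample inventory: (host, version string, FIPS/NDcPP build?)
    inventory = [
        ("gw-ams-01", "NS14.1: Build 47.46.nc", False),
        ("gw-ams-02", "NS14.1: Build 47.5.nc", False),
        ("aaa-rtm-01", "13.1-37.235", True),
        ("gw-old-01", "NS13.0: Build 92.21.nc", False),
    ]
    for host, version, fips in inventory:
        status, detail = assess(version, fips)
        print(f"{host:12} {status:10} {detail}")
```

A "patched" result only reflects the installed build; it says nothing about whether the appliance was compromised before the upgrade.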

After installing the updates, it is essential to end all active sessions with:


kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions

This same mitigation advice was given for the actively exploited Citrix Bleed 2 flaw, tracked as CVE-2025-5777. It is unclear whether that flaw was also abused in attacks, or if it is the same update process for both flaws.

The NCSC advises system administrators to look for signs of compromise, such as an atypical file creation date, duplicate file names with different extensions, and the absence of PHP files in the folders.

The cybersecurity agency has also released a script on GitHub that can scan devices for unusual PHP and XHTML files, as well as other IOCs.
