Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors

Posted on By CWS

Aug 12, 2025Ravie LakshmananVulnerability / Menace Intelligence
The Dutch Nationwide Cyber Safety Centre (NCSC-NL) has warned of cyber assaults exploiting a lately disclosed vital safety flaw impacting Citrix NetScaler ADC merchandise to breach organizations within the nation.
The NCSC-NL stated it found the exploitation of CVE-2025-6543 concentrating on a number of vital organizations throughout the Netherlands, and that investigations are ongoing to find out the extent of the impression.
CVE-2025-6543 (CVSS rating: 9.2) is a vital safety vulnerability in NetScaler ADC that ends in unintended management stream and denial-of-service (DoS) when the gadgets are configured as a Gateway (VPN digital server, ICA Proxy, CVPN, RDP Proxy) OR AAA digital server.

The vulnerability was first disclosed in late June 2025, with patches launched within the following variations –

NetScaler ADC and NetScaler Gateway 14.1 previous to 14.1-47.46
NetScaler ADC and NetScaler Gateway 13.1 previous to 13.1-59.19
NetScaler ADC 13.1-FIPS and NDcPP previous to 13.1-37.236-FIPS and NDcPP

As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Safety Company’s (CISA) Recognized Exploited Vulnerabilities (KEV) catalog. One other flaw in the identical product (CVE-2025-5777, CVSS rating: 9.3) was additionally positioned on the checklist final month.
NCSC-NL described the exercise as possible the work of a complicated menace actor, including the vulnerability has been exploited as a zero-day since early Could 2025 – nearly two months earlier than it was publicly disclosed – and the attackers took steps to erase traces in an effort to hide the compromise. The exploitation was found on July 16, 2025.
“Through the investigation, malicious internet shells had been discovered on Citrix gadgets,” the company stated. “An online shell is a chunk of rogue code that provides an attacker distant entry to the system. The attacker can place an online shell by abusing a vulnerability.”
To mitigate the chance arising from CVE-2025-6543, organizations are suggested to use the newest updates, and terminate everlasting and energetic periods by working the next instructions –

kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions

Organizations can even run a shell script made accessible by NCSC-NL to hunt for indicators of compromise related to the exploitation of CVE-2025-6543.
“Information with a special .php extension in Citrix NetScaler system folders could also be a sign of abuse,” NCSC-NL stated. “Test for newly created accounts on the NetScaler, and particularly for accounts with elevated rights.”

The Hacker News Tags:, , , , , , , , ,

Related Posts

Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps The Hacker News
Researchers Uncover GPT-4-Powered MalTerminal Malware Creating Ransomware, Reverse Shell The Hacker News
Hackers Exploit Critical CrushFTP Flaw to Gain Admin Access on Unpatched Servers The Hacker News
Pro-Iranian Hacktivist Group Leaks Personal Records from the 2024 Saudi Games The Hacker News
Salt Typhoon Exploits Cisco, Ivanti, Palo Alto Flaws to Breach 600 Organizations Worldwide The Hacker News
Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks The Hacker News