The Dutch National Cyber Security Centre (NCSC) confirmed that attackers exploited a Citrix NetScaler zero-day vulnerability (CVE-2025-6543) to breach several critical organizations. These intrusions occurred silently, with threat actors removing traces of their presence.
About the Vulnerability
CVE-2025-6543 stems from a memory overflow flaw in NetScaler ADC and NetScaler Gateway devices. When configured as a Gateway (such as VPN, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual server, this bug allows unintended control flow or triggers denial-of-service conditions.
Citrix acknowledged exploitation of this zero-day before issuing a patch. NCSC reports indicate the attackers had been exploiting the flaw since at least early May, well before Citrix released its advisory on June 25, 2025.
Impact in the Netherlands
The NCSC warned that multiple Dutch critical organizations suffered successful breaches via this vulnerability, and intruders removed logs to hide the activity.
One of the affected entities, the Public Prosecution Service (Openbaar Ministerie), disclosed it faced severe disruptions after receiving the alert from NCSC and began restoring operations in mid-July.
Recommended Fixes & Mitigation
Citrix released patches for impacted versions on June 25:
| Platform Version | Fix Available From |
|---|---|
| 14.1 | 14.1-47.46 and later |
| 13.1 | 13.1-59.19 and later |
| 13.1-FIPS / NDcPP | 13.1-37.236 and later (via support) |
Versions 12.1 and 13.0 are no longer supported, remain vulnerable, and require an upgrade to a fixed release.
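To triage an appliance inventory against the table above, the following added example (not Citrix or NCSC tooling) classifies each build string as fixed, vulnerable, or unsupported. The accepted version string formats, the hostnames, and the `fips` flag are assumptions of this sketch.

```python
import re

# First fixed build per branch, taken from the table above.
FIXED = {(14, 1): (47, 46), (13, 1): (59, 19)}
FIXED_FIPS = {(13, 1): (37, 236)}   # 13.1-FIPS / NDcPP
UNSUPPORTED = {(12, 1), (13, 0)}    # no fix listed; upgrade required

# Assumed input formats: "NS14.1: Build 43.56.nc" or "14.1-43.56".
_VERSION = re.compile(r"(\d+)\.(\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)")


def assess(version, fips=False):
    """Return 'fixed', 'vulnerable', 'unsupported' or 'unknown'.

    The caller must set fips=True for FIPS/NDcPP appliances; their
    13.1-37.x builds would otherwise be compared to the 13.1-59.19 line.
    """
    m = _VERSION.search(version)
    if not m:
        return "unknown"
    major, minor, build, patch = map(int, m.groups())
    branch = (major, minor)
    if branch in UNSUPPORTED:
        return "unsupported"
    table = FIXED_FIPS if fips else FIXED
    if branch not in table:
        return "unknown"
    # Compare numerically as tuples: as strings, "9.60" sorts after "59.19".
    return "fixed" if (build, patch) >= table[branch] else "vulnerable"


# Constructed inventory: (hostname, version string, is FIPS/NDcPP appliance).
INVENTORY = [
    ("gw-01", "NS14.1: Build 47.46.nc", False),
    ("gw-02", "14.1-43.56", False),
    ("gw-03", "13.1-9.60", False),
    ("gw-04", "13.1-37.235", True),
    ("gw-05", "NS13.0: Build 92.31.nc", False),
]


def report(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(ver, fips) for host, ver, fips in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
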
After applying the patch, administrators should terminate active sessions using commands like:
```
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
```
These steps help close gaps from sessions that attackers might have hijacked.
Additional Risk: Webshell Deployment
Security researchers also uncovered that attackers are exploiting CVE-2025-6543 to deploy webshells for persistent access to affected devices.
Conclusion
The Citrix NetScaler zero-day (CVE-2025-6543) enabled attackers to infiltrate critical Dutch institutions before a patch became available. Users must update vulnerable systems, terminate active sessions, and scan for webshells to secure their networks against these stealthy intrusions.

