The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country.
The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact.
CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
The vulnerability was first disclosed in late June 2025, with patches released in the following versions –
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP
As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also placed on the list last month.
NCSC-NL described the activity as likely the work of a sophisticated threat actor, adding the vulnerability has been exploited as a zero-day since early May 2025 – almost two months before it was publicly disclosed – and the attackers took steps to erase traces in an effort to conceal the compromise. The exploitation was discovered on July 16, 2025.
“During the investigation, malicious web shells were found on Citrix devices,” the agency said. “A web shell is a piece of rogue code that gives an attacker remote access to the system. The attacker can place a web shell by abusing a vulnerability.”
To mitigate the risk arising from CVE-2025-6543, organizations are advised to apply the latest updates, and terminate permanent and active sessions by running the following commands –
- kill icaconnection -all
- kill pcoipConnection -all
- kill aaa session -all
- kill rdp connection -all
- clear lb persistentSessions
Organizations can also run a shell script made available by NCSC-NL to hunt for indicators of compromise associated with the exploitation of CVE-2025-6543.
“Files with a different .php extension in Citrix NetScaler system folders may be an indication of abuse,” NCSC-NL said. “Check for newly created accounts on the NetScaler, and specifically for accounts with increased rights.”
