Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors
- John Jordan
- 6 days ago
Updated: 5 days ago
Critical Sectors Breached: Dutch NCSC Confirms Active Exploitation of Citrix NetScaler Flaw
The Netherlands' National Cyber Security Centre (NCSC) has issued a stark warning regarding the active exploitation of a critical vulnerability, CVE-2025-6543, in Citrix NetScaler devices. The flaw has been used to breach several "critical organizations" within the country, with attackers employing sophisticated tactics to cover their tracks.

Key Takeaways
- A critical memory overflow vulnerability (CVE-2025-6543) in Citrix NetScaler ADC and Gateway is being actively exploited.
- The Dutch NCSC confirmed that "critical organizations" in the Netherlands have been successfully breached.
- Attackers are using advanced methods, including zero-day exploitation and active trace removal, to conceal their activities.
- The vulnerability allows for remote code execution, not just denial of service.
- Affected versions include 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and specific 13.1-FIPS/NDcPP versions.
Sophisticated Zero-Day Attacks Uncovered
The NCSC's alert reveals that the exploitation of CVE-2025-6543 began as early as May 2025, nearly two months before Citrix officially disclosed the vulnerability and released patches. This indicates a zero-day attack campaign, with threat actors actively removing evidence of their intrusions to evade detection. The attacks are attributed to one or more actors possessing an advanced modus operandi.
Impact on Critical Organizations
While specific organizations were not named, the Public Prosecution Service of the Netherlands (Openbaar Ministerie) disclosed a compromise on July 18, following an NCSC alert. This incident resulted in severe operational disruption, with systems gradually being restored. The NCSC's investigation found malicious web shells on compromised Citrix devices, granting attackers remote access.
Vulnerable Versions and Mitigation Steps
The critical flaw, a memory overflow bug, affects Citrix NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server. The following versions are confirmed to be vulnerable:
- 14.1 before 14.1-47.46
- 13.1 before 13.1-59.19
- 13.1-FIPS and 13.1-NDcPP before 13.1-37.236
- 12.1 and 13.0 (End-of-Life, no fixes available; upgrade recommended)
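The version thresholds above can be checked across an appliance inventory with a short script. This is an added example, not code from the NCSC or Citrix: the function names, hostnames and sample builds are constructed, and version strings are assumed to use the "release-build" notation of the list above. It checks the build only, not whether the device is configured as a Gateway or AAA virtual server.

```python
import re

# Fixed builds from the article, keyed by (release, is FIPS/NDcPP edition).
FIXED = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),
}
EOL = {"12.1", "13.0"}  # end-of-life per the article: no fix, upgrade
_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def triage(version, fips_ndcpp=False):
    """Return 'vulnerable', 'patched', 'eol' or 'unknown' for one appliance."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"  # unparseable string: check this device by hand
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    if release in EOL:
        return "eol"
    fixed = FIXED.get((release, fips_ndcpp))
    if fixed is None:
        return "unknown"  # release/edition the article does not list
    # Compare as integer tuples: build 47.5 is older than 47.46,
    # which a string or float comparison would get wrong.
    return "vulnerable" if build < fixed else "patched"


# Constructed inventory (hostnames and builds are made up for illustration).
INVENTORY = [
    ("gw-ams-01", "14.1-47.46", False),
    ("gw-ams-02", "14.1-47.5", False),
    ("gw-rtm-01", "13.1-58.32", False),
    ("gw-fips-01", "13.1-37.236", True),
    ("gw-fips-02", "13.1-37.235", True),
    ("gw-old-01", "13.0-92.31", False),
    ("gw-lab-01", "NS-unknown", False),
]


def report(inventory=INVENTORY):
    """Map each hostname to its triage status."""
    return {host: triage(ver, fips) for host, ver, fips in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:12} {status}")
```

A "patched" result says nothing about whether the appliance was compromised before the upgrade, so the session termination and indicator-of-compromise checks described in this section still apply.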
To mitigate the risk, organizations are strongly advised to upgrade to the patched versions. Additionally, it is crucial to terminate all active sessions using the following commands:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
The NCSC also recommends system administrators look for indicators of compromise, such as atypical file creation dates, duplicate filenames with different extensions, and the absence of expected PHP files. A script has been released to help scan devices for these anomalies.
Sources
Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs, BleepingComputer.
Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors, The Hacker News.