The Dutch National Cyber Security Centre (NCSC-NL) has confirmed that a critical vulnerability in Citrix NetScaler appliances, tracked as CVE-2025-6543, was exploited to break into several critical organisations in the Netherlands. The intrusions were carried out quietly, and the attackers removed traces of their activity, which has made it harder for investigators to establish exactly what happened.

The vulnerability is a memory overflow bug. It affects Citrix NetScaler ADC and NetScaler Gateway appliances only when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server; an appliance used purely for load balancing is not exposed by this CVE. Citrix describes the impact as unintended control flow and denial of service: in practice an attacker can crash the appliance or, as the web shells found on the Dutch devices show, use it to run code on the device.

Investigations show that the attacks began as early as May 2025, before the flaw was publicly known. The vulnerability was therefore used as a zero-day for weeks before Citrix released a fix on 25 June 2025.

During their checks, security teams found malicious web shells on the compromised devices. A web shell is a script planted on the appliance's web server that gives the attacker ongoing remote access, and it survives patching of the original flaw. In some cases the attackers also deleted logs and other evidence to hide their activity, so a device reporting a fixed version is not necessarily a clean device.

Some of the targets were in the Netherlands' justice system and law enforcement. The most heavily affected was the Public Prosecution Service (Openbaar Ministerie), which faced serious disruption to its work. Services only began returning to normal after NCSC-NL intervened and coordinated recovery efforts.

NCSC-NL believes that more than one advanced threat actor may have been involved, and assesses the activity as a targeted campaign against the country's critical infrastructure rather than random opportunistic breaches.

In response, Citrix (part of Cloud Software Group) released security updates and urged all customers to install them immediately. The fixed versions are NetScaler ADC and Gateway 14.1-47.46 or later, 13.1-59.19 or later, and 13.1-FIPS / 13.1-NDcPP 13.1-37.236 or later. NetScaler 12.1 and 13.0 are end of life and receive no fix; appliances still on those releases must be upgraded to a supported release.
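Because the fixed builds differ per release line, and because the 13.1-FIPS/NDcPP line has its own numbering, checking an estate by eye is error-prone. The following script, added here as an example and not code from NCSC-NL or Citrix, compares version banners against the fixed builds listed above. It assumes the first line of the NetScaler CLI command `show ns version` looks like "NetScaler NS14.1: Build 47.46.nc, Date: ..." (an assumption about the output format) and that the 13.1-FIPS/NDcPP line is the one whose builds are numbered 13.1-37.x. The sample banners are constructed, not real inventory data. A "patched" result only means the version is at or above the fix; it says nothing about whether the device was compromised before the upgrade.

```python
"""Triage NetScaler version banners against the CVE-2025-6543 fixed builds.

Added example, not NCSC-NL or Citrix code. Assumes `show ns version` output
of the form "NetScaler NSx.y: Build a.b.nc, Date: ..." (assumed format) and
that 13.1-37.x builds belong to the 13.1-FIPS/NDcPP line.
"""
import re
from typing import List, Optional, Tuple

# Fixed builds from the Citrix advisory, as listed in the text above.
# Key: (release, branch); branch is "fips" for 13.1-FIPS/NDcPP, else "main".
FIXED_BUILDS = {
    ("14.1", "main"): (47, 46),
    ("13.1", "main"): (59, 19),
    ("13.1", "fips"): (37, 236),
}

# Releases Citrix lists as end of life: no fixed build exists for them.
EOL_RELEASES = {"12.1", "13.0"}

# Assumed banner format (see module docstring).
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_ns_version(text: str) -> Optional[Tuple[str, int, int]]:
    """Extract (release, build_major, build_minor), or None if unrecognised."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text: str) -> Tuple[str, str]:
    """Classify one banner as 'patched', 'vulnerable' or 'unknown'.

    'unknown' is deliberately distinct from 'patched': an unparseable banner
    (a timed-out SSH session, a truncated line) must be checked by hand rather
    than silently counted as safe.
    """
    parsed = parse_ns_version(text)
    if parsed is None:
        return "unknown", "could not parse version string"
    release, bmajor, bminor = parsed
    if release in EOL_RELEASES:
        return "vulnerable", f"{release} is end of life; upgrade to a supported release"
    # 13.1-37.x is the FIPS/NDcPP line. Old mainline 13.1-37.x builds also
    # match this heuristic, but they sit far below 37.236 and are therefore
    # reported vulnerable either way, which is the correct answer.
    branch = "fips" if (release == "13.1" and bmajor == 37) else "main"
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        return "unknown", f"no fixed build recorded for {release} ({branch})"
    have = f"{release}-{bmajor}.{bminor}"
    want = f"{release}-{fixed[0]}.{fixed[1]}"
    if (bmajor, bminor) >= fixed:
        return "patched", f"{have} is at or above {want}"
    return "vulnerable", f"{have} is below {want}"


def triage(banners: List[str]) -> List[Tuple[str, str, str]]:
    """Assess each banner; returns (banner, status, detail) per entry."""
    return [(b, *assess(b)) for b in banners]


# Constructed sample banners (not real inventory data).
SAMPLE_BANNERS = [
    "NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025, 10:00:00   (64-bit)",
    "NetScaler NS14.1: Build 43.50.nc, Date: Jan 15 2025, 10:00:00   (64-bit)",
    "NetScaler NS13.1: Build 59.19.nc, Date: Jun 20 2025, 10:00:00   (64-bit)",
    "NetScaler NS13.1: Build 37.236.nc, Date: Jun 20 2025, 10:00:00   (64-bit)",
    "NetScaler NS13.1: Build 37.176.nc, Date: Mar 01 2025, 10:00:00   (64-bit)",
    "NetScaler NS13.0: Build 92.21.nc, Date: Jul 01 2024, 10:00:00   (64-bit)",
    "ssh: connect to host 192.0.2.10 port 22: Connection timed out",
]

if __name__ == "__main__":
    for banner, status, detail in triage(SAMPLE_BANNERS):
        print(f"{status:10} {detail}")
```

Feed it the banner collected from each appliance and treat every "vulnerable" and "unknown" entry as work to do; only "patched" devices should then move on to the compromise checks described below.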

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-6543 to its Known Exploited Vulnerabilities catalogue, advising organisations to patch it immediately. Patching alone is not enough, however: an attacker who got in before the upgrade may still have persistent access through a web shell or other tooling left behind on the device.

That is why NCSC-NL is urging organisations to take extra steps. They recommend terminating all active sessions on affected NetScaler devices after upgrading (Citrix's advisory gives the CLI commands kill icaconnection -all and kill pcoipConnection -all for this), running the official detection script, scanning the appliance for suspicious files and accounts, and contacting NCSC-NL if there are signs of compromise.

Thousands of NetScaler devices worldwide are still unpatched and exposed online. Any organisation using these appliances, especially when configured as a Gateway or AAA server, should treat this as an urgent security risk. Patching quickly, checking for intrusions, and tightening security measures are key to stopping further attacks.

Stay alert, and keep your security measures updated!

Source: cybersecurity88