Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors

Aug 12, 2025 | Ravie Lakshmanan | Vulnerability / Threat Intelligence

The Dutch National Cyber Security Centre (NCSC-NL) has raised an alarm about cyber attacks exploiting a critical security vulnerability in Citrix NetScaler ADC products to breach organizations in the Netherlands.

According to NCSC-NL, the exploitation of CVE-2025-6543 has been detected targeting crucial organizations in the country, with ongoing investigations to assess the extent of the impact.

CVE-2025-6543 (CVSS score: 9.2) is a critical security flaw in NetScaler ADC that leads to unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway or AAA virtual server.

The vulnerability was disclosed in late June 2025, with patches issued in subsequent versions of NetScaler ADC and NetScaler Gateway to address the issue. The following releases are affected:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP
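A fleet inventory check against the fixed builds listed above, as an added example (not NCSC-NL's script or Citrix tooling). The banner format `NS<release>: Build <major>.<minor>` and the hostnames are assumptions and the sample data is constructed.

```python
import re

# Fixed builds from the list above, keyed by (release branch, FIPS/NDcPP build?).
FIXED = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),
}

# Assumed banner shape, e.g. "NetScaler NS13.1: Build 59.19.nc"
BANNER = re.compile(r"NS(\d+\.\d+):?\s+Build\s+(\d+)\.(\d+)", re.I)
# Dashed form as written in the advisory list, e.g. "13.1-37.236-FIPS"
DASHED = re.compile(r"\b(\d+\.\d+)-(\d+)\.(\d+)")


def classify(version_text, fips=None):
    """Return 'fixed', 'vulnerable', 'not-listed' or 'unparsed'."""
    m = BANNER.search(version_text) or DASHED.search(version_text)
    if not m:
        return "unparsed"
    if fips is None:
        # FIPS/NDcPP builds use their own numbering, so pick the right threshold.
        fips = bool(re.search(r"FIPS|NDcPP", version_text, re.I))
    branch = m.group(1)
    # Compare as integer pairs: 47.5 is older than 47.46, which float or
    # string comparison would get wrong.
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, fips))
    if fixed is None:
        return "not-listed"  # branch absent from the list; check the vendor bulletin
    return "fixed" if build >= fixed else "vulnerable"


def needs_attention(inventory):
    """Map host -> status for every host that is not confirmed fixed."""
    results = {host: classify(text) for host, text in inventory.items()}
    return {h: s for h, s in results.items() if s != "fixed"}


# Constructed sample inventory (hypothetical hostnames and banners).
SAMPLE = {
    "adc-gw-01": "NetScaler NS14.1: Build 47.46.nc",
    "adc-gw-02": "NetScaler NS14.1: Build 47.5.nc",
    "adc-aaa-01": "NetScaler NS13.1: Build 51.15.nc",
    "adc-fips-01": "13.1-37.236-FIPS",
}

if __name__ == "__main__":
    for host, status in sorted(needs_attention(SAMPLE).items()):
        print(f"{host}: {status}")
```

A "fixed" result only describes the current patch level. Because exploitation predates the patch, a patched appliance still needs the compromise checks described further down.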

As of June 30, 2025, CVE-2025-6543 has been included in the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also listed last month.

NCSC-NL suspects the exploitation to be the work of a sophisticated threat actor, with the vulnerability being exploited as a zero-day since early May 2025. The attackers attempted to cover their tracks by erasing evidence of the compromise, a discovery made on July 16, 2025.

"Malicious web shells were found on Citrix devices during the investigation," the agency stated. "A web shell is a piece of rogue code that grants an attacker remote access to the system."

To minimize the risk associated with CVE-2025-6543, organizations are advised to apply the latest updates and terminate active sessions using the following commands:

  • kill icaconnection -all
  • kill pcoipConnection -all
  • kill aaa session -all
  • kill rdp connection -all
  • clear lb persistentSessions

Organizations can access a shell script provided by NCSC-NL to identify potential indicators of compromise linked to the exploitation of CVE-2025-6543.

"Files with a different .php extension in Citrix NetScaler system folders may indicate abuse," NCSC-NL warned. "Check for newly created accounts with elevated privileges on the NetScaler."