Netherlands: Citrix NetScaler flaw CVE-2025-6543 exploited to breach orgs
What’s new: The Netherlands’ National Cyber Security Centre (NCSC) has reported that a critical vulnerability in Citrix NetScaler, tracked as CVE-2025-6543, has been exploited to breach multiple critical organizations. This memory overflow vulnerability allows for unintended control flow and denial of service, and has been used for remote code execution. The flaw affects versions prior to 14.1-47.46, 13.1-59.19, and specific 13.1-FIPS and 13.1-NDcPP versions. Attacks have been ongoing since early May 2025, prior to the public disclosure and patch release by Citrix on June 25, 2025.
Who’s affected
Multiple critical organizations in the Netherlands have been successfully attacked via CVE-2025-6543, including the Public Prosecution Service of the Netherlands, which experienced severe operational disruptions due to the breach.
What to do
- Upgrade to NetScaler ADC and NetScaler Gateway versions 14.1-47.46 or later, 13.1-59.19 or later, and 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 or later.
- After upgrading, terminate all active sessions using the commands:
  kill icaconnection -all
  kill pcoipConnection -all
  kill aaa session -all
  kill rdp connection -all
  clear lb persistentSessions
- Check for signs of compromise, such as unusual file creation dates and duplicate file names with different extensions.
- Utilize the NCSC’s GitHub script to scan for unusual PHP and XHTML files and other indicators of compromise.
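As a first-pass triage for the "duplicate file names with different extensions" indicator above, the following added example (not the NCSC script and not Citrix code) walks a directory tree, reports base names that exist with more than one extension in the same directory, and lists PHP and XHTML files for review. The sample directory layout and file names are constructed for illustration; it does not assess file dates.

```python
import os
import tempfile
from collections import defaultdict

# Extensions the advisory singles out for review.
WATCHED_EXTS = {".php", ".xhtml"}


def scan_tree(root):
    """Walk root and return (duplicates, watched).

    duplicates: {path without extension: sorted extensions} for each base
                name present with more than one extension in one directory.
    watched:    sorted list of files whose extension is in WATCHED_EXTS.
    """
    by_stem = defaultdict(set)
    watched = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            if not ext:
                continue  # extensionless files are not compared here
            by_stem[os.path.join(dirpath, stem)].add(ext)
            if ext in WATCHED_EXTS:
                watched.append(os.path.join(dirpath, name))
    duplicates = {p: sorted(e) for p, e in by_stem.items() if len(e) > 1}
    return duplicates, sorted(watched)


def build_sample_tree(root):
    """Constructed sample layout; file names are illustrative only."""
    for rel in ("portal/login.js", "portal/logo.png", "portal/logo.php",
                "portal/help.xhtml", "scripts/util.pl"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        dups, hits = scan_tree(tmp)
        for path, exts in sorted(dups.items()):
            print("duplicate base name:", os.path.relpath(path, tmp), exts)
        for path in hits:
            print("review:", os.path.relpath(path, tmp))
```

Point `scan_tree` at a mounted copy or export of the appliance file system rather than the constructed sample; a hit is a lead to compare against a known-good build, not proof of compromise.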