Citrix
Business Honor
13 August, 2025
The Dutch NCSC warns of active cyberattacks exploiting a critical Citrix NetScaler vulnerability (CVE-2025-6543) and urges immediate patching amid confirmed compromises.
The Dutch National Cyber Security Centre (NCSC-NL) has issued a warning about ongoing cyberattacks exploiting a critical vulnerability in Citrix NetScaler ADC products. The vulnerability, tracked as CVE-2025-6543 and reported with a CVSS score of 9.2, affects devices that are set up as Gateway or AAA virtual servers, exposing them to unintended control flow and denial-of-service (DoS) attacks. The flaw was formally announced in late June 2025, but it has been found to have been used as a zero-day as far back as May, well before any public disclosure.
Several Dutch critical organizations have already been hit, prompting an immediate investigation by NCSC-NL into the scope of the exposure. The agency has confirmed that the attackers exploited the vulnerability to install malicious web shells, scripts that allow remote access, on compromised Citrix systems. The web shells give the attackers persistent access, and the attackers also try to wipe forensic traces to avoid detection.
Citrix subsequently issued patches to fix the vulnerability in various NetScaler ADC and Gateway versions, asking users to update as a matter of urgency. Versions before 14.1-47.46, 13.1-59.19, and 13.1-37.236-FIPS/NDcPP are vulnerable to the bug. In addition to patching, admins should terminate all active sessions and look for any potential indicators of compromise, such as strange PHP files or suspicious account creations on the system.
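The version thresholds above can be turned into a quick inventory triage. This is an added example, not code from the article, NCSC-NL or Citrix; the `release-build[-FIPS|-NDcPP]` string format follows the way the article writes versions, and the host names and sample inventory are constructed.

```python
import re

# Fixed builds exactly as listed in the article. The FIPS and NDcPP
# editions share one threshold (13.1-37.236).
FIXED = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips-ndcpp"): (37, 236),
}

# Assumed input format: "14.1-47.46" or "13.1-37.236-FIPS" / "-NDcPP".
_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def classify(version):
    """Return 'vulnerable', 'patched', 'not-covered' or 'unparsed'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    release, edition = m.group(1), m.group(4)
    build = (int(m.group(2)), int(m.group(3)))
    train = "fips-ndcpp" if edition else "standard"
    fixed = FIXED.get((release, train))
    if fixed is None:
        # The article gives no threshold for this release line, so do not guess.
        return "not-covered"
    # Tuple comparison orders builds numerically: (43, 56) < (47, 46).
    return "vulnerable" if build < fixed else "patched"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = {
    "gw-ams-01": "14.1-43.56",
    "gw-ams-02": "14.1-47.46",
    "gw-rtm-01": "13.1-58.32",
    "gw-fips-01": "13.1-37.235-FIPS",
    "gw-legacy": "12.1-55.328",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

A `patched` result only reflects the installed build; it says nothing about compromise before the update, so the session termination and indicator checks described above still apply.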
The vulnerability has also been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) list, which reflects its global threat. A second Citrix flaw, CVE-2025-5777, was included in the KEV list last month, drawing further attention to the security posture of NetScaler products. NCSC-NL said a sophisticated actor is probably behind the attacks and continues to coordinate with impacted organizations to reduce further risk.