Full Report
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country. [...]
Analysis Summary
# Vulnerability: Citrix NetScaler Flaw Exploited in the Wild
## CVE Details
- CVE ID: CVE-2025-6543
- CVSS Score: Information Unavailable (Severity suggested as High due to active exploitation)
- CWE: Information Unavailable
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway
- Versions: Specific vulnerable versions are not detailed in the provided text, but patches target multiple branches.
- Configurations: All NetScaler installations are implicitly at risk.
## Vulnerability Description
The article strongly implies that CVE-2025-6543 is a critical vulnerability in Citrix NetScaler products that was actively exploited as a zero-day for an extended period prior to public disclosure. The exploitation led to significant operational disruption, including a compromise against the Netherlands Public Prosecution Service (OM). Specific technical details regarding the exploit mechanism (e.g., RCE, authentication bypass) are not provided in this summary context.
## Exploitation
- Status: Exploited in the wild (actively exploited as a zero-day prior to disclosure).
- Complexity: Implied Low/Medium, given the successful breaches reported.
- Attack Vector: Likely Network based, targeting the NetScaler appliance exposed to external traffic.
## Impact
- Confidentiality: High (implied by successful organizational breach).
- Integrity: High (implied by successful organizational breach).
- Availability: Severe (example: Dutch Public Prosecution Service suffered severe operational disruption).
## Remediation
### Patches
Organizations are advised to upgrade to the following patched versions:
* NetScaler ADC and NetScaler Gateway 14.1 version **14.1-47.46 and later**
* NetScaler ADC and NetScaler Gateway 13.1 version **13.1-59.19 and later**
* NetScaler ADC 13.1-FIPS and 13.1-NDcPP version **13.1-37.236 and later**
### Workarounds
After installing the updates, administrators must terminate all active sessions with the following commands:
```
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
```
*Note: The same advice was given for CVE-2025-5777 (Citrix Bleed 2), suggesting the session-termination steps address a similar residual risk from sessions established before patching.*
## Detection
- **Indicators of Compromise (IOCs):**
  * Atypical file creation dates on the appliance.
  * Duplicate file names with different extensions.
  * Absence of expected PHP files in system folders (indicating potential replacement or removal by an attacker).
- **Detection Methods and Tools:**
  * NCSC-NL released a script on GitHub (`https://github.com/NCSC-NL/citrix-2025`) that scans devices for unusual PHP and XHTML files, along with other known IOCs related to this attack.
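The three indicators above can be checked with plain POSIX tools. The functions below are a constructed example added here, not the NCSC-NL script or any Citrix code; the webroot path and the list of expected files are assumptions the operator supplies, and modification time is used as a portable stand-in for creation time because POSIX `find` exposes no birth time.

```shell
#!/bin/sh
# Constructed example: three IOC checks modelled on the indicators listed above.
# Not the NCSC-NL citrix-2025 script. The webroot path and the expected-file
# list are supplied by the operator; no NetScaler path is assumed here.

# List .php/.xhtml files under $1 modified within the last $2 days.
# POSIX find exposes mtime, not birth time, so a recent mtime is the
# closest portable proxy for an "atypical creation date".
recent_web_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.xhtml' \) -mtime "-$2" | sort
}

# List path stems that exist with more than one extension under $1,
# e.g. index.php next to index.xhtml (each stem printed once).
duplicate_basenames() {
    find "$1" -type f | sed 's/\.[^./]*$//' | sort | uniq -d
}

# Print each expected file (relative paths in $2..$n) that is absent under $1.
missing_expected() {
    dir=$1; shift
    for f in "$@"; do
        [ -e "$dir/$f" ] || echo "$f"
    done
}

# Usage: scan_netscaler_webroot WEBROOT MAX_AGE_DAYS [EXPECTED_FILE...]
# Prints a labelled report; returns 1 if any check produced a finding.
scan_netscaler_webroot() {
    dir=$1; days=$2; shift 2
    findings=0
    recent=$(recent_web_files "$dir" "$days")
    if [ -n "$recent" ]; then
        echo "[recent] PHP/XHTML files modified within $days days:"; echo "$recent"
        findings=1
    fi
    dups=$(duplicate_basenames "$dir")
    if [ -n "$dups" ]; then
        echo "[duplicate] same name with more than one extension:"; echo "$dups"
        findings=1
    fi
    missing=$(missing_expected "$dir" "$@")
    if [ -n "$missing" ]; then
        echo "[missing] expected files not found:"; echo "$missing"
        findings=1
    fi
    return $findings
}
```

Run it against a copy of the appliance's web directories (for example `scan_netscaler_webroot /path/to/webroot 30 index.php`, with the path and expected files replaced by the operator's own known-good list); a non-zero exit is a finding to triage, not proof of compromise, since legitimate upgrades also touch these files.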
## References
- Vendor advisories: Not directly present in the source text, but implied via the NCSC-NL and OM disclosures.
- Relevant links:
  * `https://www.om.nl/onderwerpen/inbreuk-om-ict/nieuws/2025/07/18/onderzoek-naar-aanleiding-van-signaal-ncsc`
  * `https://www.om.nl/onderwerpen/inbreach-om-ict/nieuws/2025/07/21/werk-om-mogelijk-komende-weken-nog-verstoord`
  * `https://www.om.nl/onderwerpen/inbreach-om-ict/nieuws/2025/08/04/om-gaat-stapsgewijs-online`
  * `https://www.om.nl/onderwerpen/inbreach-om-ict/nieuws/2025/08/07/om-is-weer-per-mail-bereikbaar`
  * `https://github.com/NCSC-NL/citrix-2025`