The Netherlands NCSC confirms aggressive exploitation of Citrix NetScaler CVE-2025-6543 in the critical sector


The Netherlands National Cybersecurity Centre (NCSC-NL) has warned of cyberattacks that exploit recently disclosed critical security flaws to compromise Citrix NetScaler ADC products.

The NCSC-NL said it discovered exploitation of CVE-2025-6543 targeting several important organizations in the Netherlands, and that an investigation is ongoing to determine the extent of the impact.

CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial of service (DoS) when the device is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The vulnerability was first disclosed in late June 2025, with patches released for the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP
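
Added example (not from NCSC-NL or Citrix): a Python helper that triages an appliance inventory against the patched builds listed above. The hostnames, sample builds and accepted version-string formats are assumptions; "needs-update" only means the build is below the listed fix, not that the device is compromised.

```python
import re

# Patched builds from the article's list: (branch, is_fips) -> (build, patch).
FIXED = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),  # 13.1-FIPS and NDcPP
}

# Accepts "14.1-43.50", "13.1-37.235-FIPS" and, as an assumed banner form,
# "NS13.1: Build 58.32.nc".
_VERSION = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.IGNORECASE)


def triage(version, fips=False):
    """Return 'needs-update', 'patched' or 'unknown' for one version string.

    Pass fips=True for FIPS/NDcPP appliances whose version string carries no
    such suffix; the build number alone is not treated as proof of the image.
    """
    match = _VERSION.search(version)
    if not match:
        return "unknown"
    branch = match.group(1)
    build = (int(match.group(2)), int(match.group(3)))
    fips = fips or bool(re.search(r"FIPS|NDcPP", version, re.IGNORECASE))
    fixed = FIXED.get((branch, fips))
    if fixed is None:
        return "unknown"  # branch is not in the article's list
    return "patched" if build >= fixed else "needs-update"


def needs_update(inventory):
    """Return the hosts whose build is below the listed fix or cannot be judged."""
    return sorted(h for h, v in inventory.items() if triage(v) != "patched")


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE = {
    "gw-ams-01": "14.1-43.50",
    "gw-ams-02": "NS14.1: Build 47.46.nc",
    "gw-rtm-01": "13.1-58.32",
    "gw-fips-01": "13.1-37.235-FIPS",
    "gw-old-01": "12.1-55.330",
}

if __name__ == "__main__":
    for host in needs_update(SAMPLE):
        print(host, SAMPLE[host], triage(SAMPLE[host]))
```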

As of June 30, 2025, CVE-2025-6543 has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Another flaw in the same product (CVE-2025-5777, CVSS score: 9.3) was also listed last month.

NCSC-NL described the activity as the work of sophisticated threat actors, adding that the vulnerability has been exploited as a zero-day since early May 2025, two months before it was publicly disclosed. The exploitation was discovered on July 16, 2025.

“During the investigation, a malicious web shell was found on a Citrix device,” the agency said. “A web shell is rogue code that allows an attacker to remotely access the system. An attacker can deploy a web shell by abusing the vulnerability.”

To mitigate the risks arising from CVE-2025-6543, organizations are advised to apply the latest updates and run the following commands to terminate persistent and active sessions:

  • kill icaconnection -all
  • kill pcoipConnection -all
  • kill aaa session -all
  • kill rdp connection -all
  • clear lb persistentSessions

Organizations can also run the shell scripts made available by NCSC-NL to look for indicators of compromise related to exploitation of CVE-2025-6543.

“Files with different .PHP extensions in the Citrix NetScaler system folder can be a sign of abuse,” said NCSC-NL. “Please check newly created accounts in NetScaler, especially those with increased rights.”
