Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs

What’s new: The Netherlands’ National Cyber Security Centre (NCSC) has reported that the Citrix NetScaler vulnerability CVE-2025-6543 has been exploited to breach critical organizations in the country. This memory overflow vulnerability allows for unintended control flow and denial of service on affected devices. The flaw was exploited as a zero-day since at least early May 2025, prior to Citrix’s advisory issued on June 25, 2025.

Who’s affected

Organizations using vulnerable versions of Citrix NetScaler, specifically versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and 13.1-FIPS and 13.1-NDcPP before 13.1-37.236, are at risk. End-of-life versions 12.1 and 13.0 are also vulnerable but will not receive fixes.

What to do

• Upgrade to NetScaler ADC and NetScaler Gateway versions 14.1-47.46 or later, 13.1-59.19 or later, and ADC 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 or later.
• After upgrading, terminate all active sessions using the commands: kill icaconnection -all, kill pcoipConnection -all, kill aaa session -all, kill rdp connection -all, clear lb persistentSessions.
• Check for signs of compromise, such as unusual file creation dates and atypical file names.
• Utilize the NCSC’s GitHub script to scan for unusual PHP and XHTML files and other indicators of compromise.

Sources

• BleepingComputer