Critical Security Vulnerability in Citrix NetScaler ADC Unveiled
The Dutch National Cyber Security Centre (NCSC-NL) has raised alarms about potential cyber attacks leveraging a newly discovered security vulnerability in Citrix NetScaler ADC products. This critical flaw poses significant risks to various organizations operating within the Netherlands. As the situation unfolds, investigations are ongoing to gauge the full extent of the issue.
Understanding CVE-2025-6543
The vulnerability, designated CVE-2025-6543, carries a CVSS score of 9.2, which places it in the critical range. It affects NetScaler ADC devices when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The flaw can lead to unintended control flow and denial of service (DoS), raising immediate concerns for enterprises relying on these systems.
Patching and Security Updates
First identified in late June 2025, this vulnerability has already prompted Citrix to issue patches for various versions of its software. Organizations using the following versions should ensure they update promptly:
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP
As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, highlighting its urgent status. Another related vulnerability, CVE-2025-5777, also received attention recently, with a CVSS score of 9.3.
Indicators of Compromise
The NCSC-NL has indicated that the exploitation of CVE-2025-6543 appears to be the work of a skilled threat actor. Disturbingly, this vulnerability has reportedly been exploited as a zero-day since early May 2025—almost two months before its public disclosure. Attackers have taken significant steps to erase their tracks, complicating investigations into any compromises.
During ongoing investigations, NCSC-NL uncovered malicious web shells on affected Citrix devices. A web shell is rogue code placed on a system that gives an attacker unauthorized remote access to it; it is often planted by exploiting vulnerabilities like the one in question.
Mitigation Strategies for Organizations
To mitigate the risks associated with CVE-2025-6543, the NCSC-NL recommends that organizations install the latest updates and immediately terminate any persistent or active connections by executing the following commands:
- kill icaconnection -all
- kill pcoipConnection -all
- kill aaa session -all
- kill rdp connection -all
- clear lb persistentSessions
Additionally, organizations can utilize a shell script provided by NCSC-NL to search for indicators of compromise linked to this vulnerability.
Key Signs of Potential Exploitation
NCSC-NL urges organizations to be vigilant for files with unusual .php extensions within the Citrix NetScaler system folders, as these may suggest malicious activity. Monitoring for newly created accounts—particularly those with escalated privileges—can also serve as a critical measure in identifying potential breaches.
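A baseline comparison for the two signs described above, as an added example that is not the NCSC-NL script and not code from this article. It assumes the operator supplies the directories to sweep, a manifest taken from a known-good system, and two saved configuration files in which accounts appear as `add system user <name> ...` lines; all data in `demo` is constructed.

```shell
#!/bin/sh
# Added example, not the NCSC-NL script. Every path is an operator-supplied argument.

# hash_file FILE: SHA-256 hex digest (GNU sha256sum, else BSD sha256).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else sha256 -q "$1"; fi
}

# php_manifest DIR...: "digest  path" for every .php file, sorted by path.
php_manifest() {
    find "$@" -type f -iname '*.php' 2>/dev/null | sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# php_unexpected BASELINE DIR...: manifest lines missing from BASELINE (new or
# changed files). Timestamps are ignored because cleanup can reset them.
php_unexpected() {
    baseline=$1; shift
    php_manifest "$@" | grep -vxF -f "$baseline" || true
}

# system_users CONF: names from "add system user <name> ..." lines (assumed format).
system_users() {
    awk '$1 == "add" && $2 == "system" && $3 == "user" { print $4 }' "$1" | sort -u
}

# new_accounts OLD_CONF NEW_CONF: accounts that exist only in NEW_CONF.
new_accounts() {
    tmp=$(mktemp) || return 1
    system_users "$1" >"$tmp"
    system_users "$2" | grep -vxF -f "$tmp" || true
    rm -f "$tmp"
}

# demo: runs both checks on constructed sample data in a temporary directory.
demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir gui
    echo '<?php /* constructed vendor page */' >gui/login.php
    php_manifest gui >baseline.txt
    echo '<?php /* constructed stand-in for an unexpected file */' >gui/x.php
    echo 'add system user nsroot HASH -encrypted' >old.conf
    { cat old.conf; echo 'add system user helpdesk2 HASH'; } >new.conf
    php_unexpected baseline.txt gui | cut -d' ' -f3
    new_accounts old.conf new.conf
    rm -rf "$d"
)
```

Keep the baseline manifest and the older configuration copy off the appliance, so that someone with access to the device cannot edit them to hide a change.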


