Citrix NetScaler flaw likely has global impact

Attackers are exploiting a Citrix NetScaler vulnerability to breach critical organizations, notably in the Netherlands, but most likely in other countries as well.

The Netherlands’ National Cyber Security Centre (NCSC) has tracked vulnerabilities caused by a memory overflow bug that allows threat actors to launch “sophisticated” remote code execution (RCE) and distributed denial of service (DDoS) attacks.

The main concern is the arbitrary code execution vulnerability, which the NCSC identified in a number of compromises, noted Johannes Ullrich, dean of research at the SANS Institute. While the NCSC observed these attacks locally, “there is nothing special about the devices in the Netherlands,” he said. “Any vulnerable device will likely see the same or similar attacks.”

‘Massively concerning’ vulnerability identified 6-plus weeks ago

The vulnerability in Citrix system devices (CVE-2025-6543) is believed to have been exploited since at least early May. The company released a patch on June 25, identifying the following vulnerable NetScaler versions:

14.1 before 14.1-47.46

13.1 before 13.1-59.19

13.1-FIPS and 13.1-NDcPP before 13.1-37.236

12.1 and 13.0, which are end-of-life (EOL)

NCSC has been investigating exploitation of this vulnerability and two others (CVE-2025-5349, CVE-2025-5777), discovering malicious web shells (pieces of code placed by attackers to gain remote access to a system) on devices.

The NCSC identifies the attacks as the work of “one or more actors using sophisticated methods.” The vulnerability was exploited as a zero-day, before it was publicly disclosed, and traces were “actively erased” to conceal compromise. The agency says there is still “considerable uncertainty” about which organizations have been compromised, or whether the threat actors are still active.

“What it means, if it’s not patched, is that hackers can actually make the device crash, resulting in a DoS attack,” explained Erik Avakian, a technical counselor at Info-Tech Research Group. This can prevent the device from running and prevent services from performing as they would normally. “If this type of denial of service happens, nobody can use your VPN, remote applications, or other services it protects.”

On top of that, the vulnerability could allow hackers to run their own code on an impacted NetScaler box. A successful RCE compromise could give hackers the ability to install backdoors, steal data, create fake user accounts, or even use the device itself to attack others, Avakian explained.

“Basically, it’s like having a security guard at your front gate get knocked out cold and then be replaced with an impostor wearing their uniform,” he said.

Patching isn’t enough

Both the NCSC and security experts note that patching alone won’t solve the problem.

“These scripts can be used to provide an attacker with full access to the device, and they may survive patching,” said SANS’ Ullrich. “If organizations just patch and move on, they may miss the fact that the device is compromised and can still be accessed by the attacker.”

This has been a recurring theme lately, he noted; for instance, SonicWall devices were recently re-compromised with ease after being patched.

“You must assume compromise if an exposed, unpatched device in your organization was not patched before exploitation started,” Ullrich said.

The NCSC published a script, available on its GitHub page, to help enterprises identify compromised devices and associated risks. Enterprises should apply the latest security updates to their appliances: NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 or later, 13.1-59.19 or later, and ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 or later.
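The version thresholds above (and in the list earlier in the article) are easy to misread because the fixed build depends on both the branch and the edition. The following is an added example, not code from the article, Citrix or the NCSC: it encodes the advisory's fixed builds as quoted here and triages a constructed inventory. The "standard" edition label and the hostnames are assumptions for illustration.

```python
import re

# Fixed builds from the Citrix advisory as quoted in the article (CVE-2025-6543).
# Keys are (branch, edition); "standard" is our own label for non-FIPS/NDcPP builds.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "FIPS"): (37, 236),
    ("13.1", "NDcPP"): (37, 236),
}
# Branches the advisory lists as end-of-life: no fixed build exists.
EOL_BRANCHES = {"12.1", "13.0"}

# Matches "14.1-47.46" or "13.1-37.236"; the edition is tracked separately
# because the version string itself does not carry it.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(version: str, edition: str = "standard") -> tuple[str, str]:
    """Return (status, reason); status is 'vulnerable', 'fixed' or 'unknown'.

    'fixed' only means the patch level is at or above the advisory's build; as
    the article stresses, it says nothing about whether the box was already
    compromised before patching.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown", f"unrecognised version string {version!r}"
    branch, build, rev = m.group(1), int(m.group(2)), int(m.group(3))
    if branch in EOL_BRANCHES:
        return "vulnerable", f"{branch} is end-of-life; no fix available, migrate"
    fixed = FIXED_BUILDS.get((branch, edition))
    if fixed is None:
        return "unknown", f"no advisory data for {branch} {edition}"
    # Tuple comparison orders by build first, then revision.
    if (build, rev) < fixed:
        return "vulnerable", f"{version} is below fixed build {branch}-{fixed[0]}.{fixed[1]}"
    return "fixed", f"{version} is at or above fixed build {branch}-{fixed[0]}.{fixed[1]}"


# Constructed inventory for the example (hostname, version, edition); not real hosts.
SAMPLE_INVENTORY = [
    ("ns-dmz-01", "14.1-47.46", "standard"),
    ("ns-dmz-02", "14.1-43.50", "standard"),
    ("ns-fips-01", "13.1-37.200", "FIPS"),
    ("ns-old-01", "13.0-92.21", "standard"),
    ("ns-lab-01", "14.1-47.46", "FIPS"),
]


def triage(inventory):
    """Assess every appliance in the inventory; returns (host, status, reason) rows."""
    return [(host, *assess(ver, ed)) for host, ver, ed in inventory]


if __name__ == "__main__":
    for host, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:10} {reason}")
```

Anything reported as "fixed" still needs the session-termination and compromise-hunting steps the NCSC describes; the check only answers the patch-level question.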

The agency then recommends ending any persistent and active sessions with the following commands:

kill icaconnection -all

kill pcoipConnection -all

kill aaa session -all

kill rdp connection -all

clear lb persistentSessions

Beyond that, it advises implementing “defense-in-depth” measures with multiple levels of security controls. Organizations should also perform investigations if they discover indicators of compromise (IoCs).

“In terms of why others outside the Netherlands should care, this isn’t the first national canary to die in this vulnerable coal mine,” said David Shipley of Beauceron Security. He pointed out that the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to their known exploited vulnerabilities (KEV) catalog at the end of June, and gave federal agencies one day to get it fixed.

“That it’s still not being patched is massively concerning, considering Citrix had patches and an advisory out on June 25,” he said. “Not acting on this in critical infrastructure looks an awful lot like negligence at this point… or the equivalent of hanging a sign on your website that says ‘Come Pwn Me.’”

NetScaler ‘both a bouncer and a traffic controller’

Info-Tech’s Avakian pointed out that NetScaler is a popular product used worldwide by banks, hospitals, governments, law firms, and “pretty much any type of industry. It sits in front of applications and remote access tools in the environment and serves both as a bouncer and traffic controller for apps, handling who gets in, who can log in remotely, and how traffic flows.”

Now that the flaw is public, attackers will likely use automated scans to find unpatched devices to exploit, he pointed out.

Organizations should check system inventories for vulnerable versions and patch any impacted systems immediately, he advised. As NCSC suggests, it’s also critical to terminate any current sessions on the devices. “This means kicking everyone out and forcing a logoff for all users and sessions,” which can shut down attackers’ footholds.

IT departments should also hunt for IoCs, strange files, unknown accounts, or unusual logins.

Long-term, speedy patching and ongoing monitoring are key, as are incremental improvements and changes to incident response plans, playbooks, and control processes, Avakian noted. Document and rehearse “exactly what to do” when systems must be patched quickly, carry out cyber exercises regularly and stay informed on the threat landscape, he added.

“The bottom line here is that this isn’t just a localized issue,” said Avakian. “I’d put it in the category of what is characteristically a global internet-facing device problem. The fact that attackers already used it in the Netherlands proves it’s real.”
