{"id":4347,"date":"2025-08-13T03:11:33","date_gmt":"2025-08-13T03:11:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4347"},"modified":"2025-08-13T03:11:33","modified_gmt":"2025-08-13T03:11:33","slug":"citrix-netscaler-flaw-likely-has-global-impact","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4347","title":{"rendered":"Citrix NetScaler flaw likely has global impact"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Attackers are exploiting a Citrix NetScaler vulnerability to breach critical organizations, notably in the Netherlands, but most likely in other countries as well.<\/p>\n

The Netherlands\u2019 National Cyber Security Centre (NCSC) has tracked vulnerabilities<\/a> caused by a memory overflow bug that allows threat actors to launch \u201csophisticated\u201d remote code execution (RCE) and distributed denial of service (DDoS) attacks.<\/p>\n

The main concern is the arbitrary code execution vulnerability, which the NCSC identified in a number of compromises, noted Johannes Ullrich<\/a>, dean of research at the SANS Institute<\/a>. While the NCSC observed these attacks locally, \u201cthere is nothing special about the devices in the Netherlands,\u201d he said. \u201cAny vulnerable device will likely see the same or similar attacks.\u201d<\/p>\n

\u2018Massively concerning\u2019 vulnerability identified 6-plus weeks ago<\/h2>\n

The vulnerability in Citrix system devices (CVE-2025-6543) is believed to have been exploited since at least early May. The company released a patch on June 25, identifying the following vulnerable NetScaler versions:<\/p>\n

14.1 before 14.1-47.46<\/p>\n

13.1 before 13.1-59.19<\/p>\n

13.1-FIPS and 13.1-NDcPP before 13.1-37.236<\/p>\n

12.1 and 13.0, which are end-of-life (EOL)<\/p>\n

NCSC has been investigating exploits of this vulnerability and two others (CVE-2025-5349, CVE-2025-5777), discovering malicious web shells in devices, or pieces of code placed by attackers to gain remote access to a system.<\/p>\n

The NCSC identifies the attacks as the work of \u201cone or more actors using sophisticated methods.\u201d The vulnerability was exploited as zero-day<\/a>, before it was publicly disclosed, and traces were \u201cactively erased\u201d to conceal compromise. The agency says there is still \u201cconsiderable uncertainty\u201d about which organizations have been compromised, or whether the threat actors are still active.<\/p>\n

\u201cWhat it means, if it\u2019s not patched, is that hackers can actually make the device crash, resulting in a DoS attack,\u201d explained Erik Avakian<\/a>, a technical counselor at Info-Tech Research Group<\/a>. This can prevent the device from running and prevent services from performing as they would normally. \u201cIf this type of denial of service happens, nobody can use your VPN, remote applications, or other services it protects.\u201d<\/p>\n

On top of that, the vulnerability could allow hackers to run their own code on an impacted NetScaler box. A successful RCE compromise could give hackers the ability to install backdoors, steal data, create fake user accounts, or even use the device itself to attack others, Avakian explained.<\/p>\n

\u201cBasically, it\u2019s like having a security guard at your front gate get knocked out cold and then be replaced with an impostor wearing their uniform,\u201d he said.<\/p>\n

Patching isn\u2019t enough<\/h2>\n

Both the NCSC and security experts note that patching<\/a> alone won\u2019t solve the problem.<\/p>\n

\u201cThese scripts can be used to provide an attacker with full access to the device, and they may survive patching,\u201d said SANS\u2019 Ullrich. \u201cIf organizations just patch and move on, they may miss the fact that the device is compromised and can still be accessed by the attacker.\u201d<\/p>\n

This has been a recurring theme lately, he noted; for instance, SonicWall devices were recently easily re-compromised after being patched.<\/p>\n

\u201cYou must assume compromise if an exposed, unpatched device in your organization was not patched before exploitation started,\u201d Ullrich said.<\/p>\n

The NCSC published a script, available on its GitHub page<\/a>, to help enterprises identify compromised devices and associated risks. Enterprises should update their appliances to the latest security updates: NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 or later, 13.1-59.19 or later, and ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 or later.<\/p>\n

The agency then recommends ending any persistent and active sessions with the following commands:<\/p>\n

kill icaconnection -all<\/p>\n

kill pcoipConnection -all<\/p>\n

kill aaa session -all<\/p>\n

kill rdp connection -all<\/p>\n

clear lb persistentSessions<\/p>\n

Beyond that, it advises implementing \u201cdefense-in-depth<\/a>\u201d measures with multiple levels of security controls. Organizations should also perform investigations if they discover indicators of compromise (IoCs).<\/p>\n

\u201cIn terms of why others outside the Netherlands should care, this isn\u2019t the first national canary to die in this vulnerable coal mine,\u201d said David Shipley<\/a> of Beauceron Security<\/a>. He pointed out that the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to their known exploited vulnerabilities (KEV) catalog at the end of June, and gave federal agencies one day to get it fixed.<\/p>\n

\u201cThat it\u2019s still not being patched is massively concerning, considering Citrix had patches and an advisory out on June 25,\u201d he said. \u201cNot acting on this in critical infrastructure looks an awful lot like negligence at this point\u2026 or the equivalent of hanging a sign on your website that says \u2018Come Pwn Me.\u2019\u201d<\/p>\n

NetScaler \u2018both a bouncer and a traffic controller\u2019<\/h2>\n

Info-Tech\u2019s Avakian pointed out that NetScaler is a popular product used worldwide by banks, hospitals, governments, law firms, and \u201cpretty much any type of industry. It sits in front of applications and remote access tools in the environment and serves both as a bouncer and traffic controller for apps, handling who gets in, who can log in remotely, and how traffic flows.\u201d<\/p>\n

Now that the flaw is public, hackers will likely find targets to exploit using automated scans to find unpatched devices, he pointed out.<\/p>\n

Organizations should check system inventories for vulnerable versions and patch any impacted systems immediately, he advised. As NCSC suggests, it\u2019s also critical to terminate any current sessions on the devices. \u201cThis means kicking everyone out and forcing a logoff for all users and sessions\u201d which can shut down attackers\u2019 footholds.<\/p>\n

IT departments should also hunt for IoCs, strange files, unknown accounts, or unusual logins.<\/p>\n

Long-term, speedy patching and ongoing monitoring are key, as are incremental improvements and changes to incident response plans, playbooks, and control processes, Avakian noted. Document and rehearse \u201cexactly what to do\u201d when systems must be patched quickly, carry out cyber exercises regularly and stay informed on the threat landscape, he added.<\/p>\n

\u201cThe bottom line here is that this isn\u2019t just a localized issue,\u201d said Avakian. \u201cI\u2019d put it in the category of what is characteristically a global internet-facing device problem. The fact that attackers already used it in the Netherlands proves it\u2019s real.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Attackers are exploiting a Citrix NetScaler vulnerability to breach critical organizations, notably in the Netherlands, but most likely in other countries as well. The Netherlands\u2019 National Cyber Security Centre (NCSC) has tracked vulnerabilities caused by a memory overflow bug that allows threat actors to launch \u201csophisticated\u201d remote code execution (RCE) and distributed denial of service […]<\/p>\n","protected":false},"author":0,"featured_media":4348,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4347","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4347"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4347"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4347\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4348"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}