Citrix NetScaler vulnerability CVE-2025-6543 actively exploited in crucial industries

The Dutch National Cyber Security Centre (NCSC-NL) has issued a warning regarding cyber attacks that exploit a recently disclosed critical security vulnerability affecting Citrix NetScaler ADC products. This vulnerability, identified as CVE-2025-6543, has a CVSS score of 9.2 and can lead to unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway or AAA virtual server. NCSC-NL reported that the exploitation of this flaw has targeted several critical organisations in the Netherlands, with investigations ongoing to assess the extent of the impact. The vulnerability was first disclosed in late June 2025, and patches have been released for various versions of NetScaler ADC and NetScaler Gateway. As of June 30, 2025, CVE-2025-6543 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

NCSC-NL described the exploitation as likely the work of a sophisticated threat actor, noting that the vulnerability had been exploited as a zero-day since early May 2025, nearly two months before its public disclosure. During the investigation, malicious web shells were discovered on Citrix devices, indicating remote access by attackers. To mitigate risks associated with CVE-2025-6543, organisations are advised to apply the latest updates and terminate active sessions using specific commands. Additionally, NCSC-NL has provided a shell script to help identify indicators of compromise linked to this vulnerability. The agency cautioned that files with unusual .php extensions in Citrix NetScaler system folders may signal abuse, and organisations should monitor for newly created accounts, particularly those with elevated privileges.