What’s new: The Netherlands’ National Cyber Security Centre (NCSC) has reported that the Citrix NetScaler vulnerability CVE-2025-6543 has been exploited to breach critical organizations in the country. This memory overflow vulnerability allows for unintended control flow and denial of service on affected devices. The flaw was exploited as a zero-day since at least early May 2025, prior to Citrix’s advisory issued on June 25, 2025.
Who’s affected
Organizations using Citrix NetScaler versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and 13.1-FIPS and 13.1-NDcPP before 13.1-37.236 are at risk. Older versions 12.1 and 13.0 are also vulnerable but no longer supported. The Public Prosecution Service of the Netherlands has confirmed a compromise due to this vulnerability.
What to do
- Upgrade to NetScaler ADC and NetScaler Gateway versions 14.1-47.46 or later, 13.1-59.19 or later, and 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 or later.
- After upgrading, terminate all active sessions using the commands: kill icaconnection -all, kill pcoipConnection -all, kill aaa session -all, kill rdp connection -all, clear lb persistentSessions.
- Check for signs of compromise, such as unusual file creation dates and missing PHP files. Use the NCSC’s GitHub script to scan for unusual files.
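As an added example (not from the NCSC, Citrix, or the NCSC GitHub script), the following Python helper maps a NetScaler build string in the form used above (for example 14.1-47.45) to the fixed-build thresholds listed on this page and reports whether the build is fixed, vulnerable, or on an unsupported branch; the `variant` argument used to select the 13.1-FIPS/NDcPP threshold is an assumption of the example.

```python
import re

# First fixed builds for CVE-2025-6543 as stated in this advisory.
# Key: (release branch, variant); value: (build, sub-build).
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "FIPS"): (37, 236),     # 13.1-FIPS
    ("13.1", "NDcPP"): (37, 236),    # 13.1-NDcPP
}

# Branches the advisory names as vulnerable but out of support (no fix available).
UNSUPPORTED_BRANCHES = {"12.1", "13.0"}

# Accepts the "branch-build.subbuild" form used in this advisory, e.g. "14.1-47.45".
_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple[str, tuple[int, int]]:
    """Split '14.1-47.46' into ('14.1', (47, 46)); raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build, sub = m.groups()
    return branch, (int(build), int(sub))


def assess(version: str, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported' for one NetScaler build.

    variant is 'standard', 'FIPS' or 'NDcPP' (the latter two only exist for 13.1
    in this advisory); an unknown branch/variant pair raises rather than guessing.
    """
    branch, build = parse_version(version)
    if branch in UNSUPPORTED_BRANCHES:
        return "unsupported"          # vulnerable and no patch: migrate, do not wait
    key = (branch, variant)
    if key not in FIXED_BUILDS:
        raise ValueError(f"no fix data for branch {branch!r}, variant {variant!r}")
    # Tuple comparison orders (build, sub-build) numerically, so 14.1-50.1 > 14.1-47.46.
    return "fixed" if build >= FIXED_BUILDS[key] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver, var in [("gw-a", "14.1-47.45", "standard"),
                           ("gw-b", "13.1-37.236", "FIPS"),
                           ("gw-c", "13.0-92.21", "standard")]:
        print(host, ver, var, "->", assess(ver, var))
```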