The Dutch National Cyber Security Centre (NCSC) has confirmed that a serious vulnerability in Citrix NetScaler systems, identified as CVE-2025-6543, has been exploited in targeted attacks against multiple critical organizations in the Netherlands. The exploitation began months before the vulnerability was publicly disclosed, and investigations indicate that attackers used advanced methods to evade detection.
Background and Timeline
According to the NCSC, exploitation of CVE-2025-6543 began as early as May 2025, rendering it a zero-day vulnerability at the time. On June 25, Citrix officially disclosed the vulnerability and released a patch; however, signs of compromise were already present in several systems prior to this date.
On July 16, the NCSC identified active exploitation of the vulnerability and launched a wider investigation. Findings have since confirmed that multiple Dutch organizations were affected.
Scope and Technical Details of CVE-2025-6543
The attacks targeted Citrix NetScaler ADC and NetScaler Gateway products. These are widely used to manage secure access to applications and internal networks, including remote work environments. The vulnerability allowed attackers to place malicious web shells on exposed systems, giving them remote control and persistent access even after the vulnerability was patched.
Three vulnerabilities are under investigation:
- CVE-2025-6543 (confirmed exploited)
- CVE-2025-5349
- CVE-2025-5777
The latter two have not been confirmed as exploited in all environments but remain under scrutiny. Patching affected systems does not guarantee removal of the attacker, as access may have already been established.
Attack Methods
The actors behind the attacks used techniques to erase forensic traces from compromised systems. This has made post-incident investigations difficult. In many cases, there is uncertainty about whether the threat actor is still active or what data may have been accessed or exfiltrated.
Indicators of Compromise (IOCs) have been found, but the NCSC notes that each case requires deeper investigation to determine the extent of compromise. Organizations are expected to conduct their forensic analysis if suspicious activity is detected.
Risk and Response
The NCSC states that updating Citrix devices is not enough to remove the threat if a system has already been compromised. The attacker can retain access even after a patch is applied. As such, organizations should not assume that patching closes the incident.
Recommended actions include:
- Conducting full forensic investigations if a compromise is suspected.
- Implementing defense-in-depth security strategies.
- Monitoring for new IOCs related to the Citrix vulnerability.
- Reaching out to [email protected] for technical assistance if compromise is confirmed.
Organizations that have not already done so should apply the security updates provided by Citrix and inspect their systems for signs of exploitation, including unauthorized access or web shells.
Conclusion
The exploitation of CVE-2025-6543 in Citrix NetScaler devices remains an active threat, with investigations continuing in collaboration with affected organizations, security firms, and response teams.
The full scope and impact are still unknown, as is the identity of those responsible, and it is likely that additional systems may have been compromised without detection.
Given the stealth and persistence demonstrated in these attacks, organizations should not assume that patching alone is sufficient and must take further steps to verify the security and integrity of their systems.
