
Citrix NetScaler vulnerabilities lead to severe breaches of critical infrastructure

Unknown cybercriminals successfully breached multiple essential service providers in the Netherlands, serving as a red flag for at-risk organizations worldwide.


Critical Cyberattacks on Dutch Infrastructure via Citrix NetScaler Vulnerabilities

Critical infrastructure organizations in the Netherlands have been successfully breached by hackers exploiting two critical vulnerabilities in Citrix NetScaler products, CVE-2025-6543 and CVE-2025-5777. These attacks started as early as May 2025, before Citrix publicly disclosed and patched the flaws in late June 2025.

The Dutch National Cyber Security Centre (NCSC-NL) confirmed multiple sophisticated cyberattacks targeting Dutch critical infrastructure using CVE-2025-6543, a memory-overflow vulnerability in NetScaler ADC and Gateway, rated critical (CVSS ~9.2–9.3). The attackers used zero-day exploitation with advanced techniques, including erasing forensic evidence to conceal their activity, which complicates breach investigations and limits full visibility into the impact and affected entities.

Malicious webshells (remote access backdoors) were found on compromised Citrix devices, allowing attackers to maintain persistent access even after patches were applied. More than 3,300 NetScaler instances globally are vulnerable to CVE-2025-5777, and over 4,100 are vulnerable to CVE-2025-6543, with active exploitation attempts detected worldwide by sensors such as those of the Shadowserver Foundation.

In an effort to address these vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) has added both NetScaler flaws (CVE-2025-5777 and CVE-2025-6543) to its Known Exploited Vulnerabilities catalog. Chris Butera, the acting executive assistant director for cybersecurity at CISA, is working with Citrix and other partners to assess prevalence and reported incidents.

Butera urges all organizations to reduce their exposure to possible cyberattacks by immediately patching the NetScaler vulnerability if they haven't done so already. He also emphasizes the importance of performing thorough compromise assessments and monitoring for affected organizations, as patching alone may not be sufficient due to the presence of webshells and the difficulty of forensic analysis.

The widespread use of Citrix NetScaler ADC and Gateway systems increases the potential for cyberattacks. Citrix has faced a series of zero-day vulnerabilities over the past few years, including two such flaws disclosed in January 2024. Researchers at Reliaquest previously warned of exploitation in late June, days after Citrix disclosed the second flaw. Experts have been concerned that the NetScaler flaws could lead to a wave of attacks similar to those that followed the 2023 disclosure of the "CitrixBleed" flaw.

The Dutch authorities have released detection tools (scripts on GitHub) to help organizations identify potential compromises, and they advise continuous monitoring beyond patching. Investigations are ongoing, and the full picture of which organizations were compromised and which threat actor(s) were involved remains unclear. Affected organizations are urged to take immediate action to protect themselves from potential attacks and limit the damage caused by these vulnerabilities.
