Dutch NCSC warns CVE-2025-6543 Citrix bug, a memory overflow flaw, is being exploited to breach critical organizations in the Netherlands.
The Dutch NCSC warns that the critical Citrix NetScaler flaw CVE-2025-6543 has been exploited to breach critical organizations in the Netherlands. Dutch NCSC experts pointed out that CVE-2025-6543 was exploited for remote code execution. Threat actors used the flaw to compromise multiple entities, then erased evidence to hide the intrusions.
CVE-2025-6543 (CVSS score of 9.2) is a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway when configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
“Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server” reads the description of the flaw.
It can lead to unintended control flow and potentially cause a Denial of Service (DoS), disrupting service availability.
The flaw impacts the following supported versions of NetScaler ADC and NetScaler Gateway:
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
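The version list above can be turned into an inventory triage check. The following is an added example, not code from the NCSC, Citrix, or the original article; it assumes version strings written in the notation used above (`13.1-59.19`, with a `-FIPS` or `-NDcPP` suffix), and the `assess` and `triage` helpers and the sample inventory are hypothetical. It keeps the FIPS/NDcPP train separate, because its fixed build (37.236) is numerically lower than the standard 13.1 fix (59.19).

```python
import re

# First fixed builds as listed on this page, keyed by
# (release train, is FIPS/NDcPP build) -> (build, patch).
FIXED = {
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),
    ("14.1", False): (47, 46),
}

# Page notation: 13.1-59.19, optionally suffixed -FIPS or -NDcPP.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.I)


def assess(version, gateway_or_aaa):
    """Classify one appliance: affected, patched, below-fix-no-gateway, unknown."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable string: review by hand
    release, variant = m.group(1), m.group(4)
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((release, variant is not None))
    if fixed is None:
        return "unknown"  # release train not in the list above
    if build >= fixed:  # numeric tuple compare, so 47.9 < 47.46
        return "patched"
    # Below the fixed build: the flaw applies in a Gateway or AAA role.
    return "affected" if gateway_or_aaa else "below-fix-no-gateway"


def triage(inventory):
    """Map each (name, version, gateway_or_aaa) row to its status."""
    return {name: assess(ver, role) for name, ver, role in inventory}


# Constructed inventory: hostnames and builds are made up for this example.
SAMPLE = [
    ("gw-01", "13.1-58.32", True),
    ("gw-02", "13.1-59.19", True),
    ("fips-01", "13.1-37.236-FIPS", True),
    ("fips-02", "13.1-37.235-NDcPP", True),
    ("lb-01", "14.1-47.9", False),
    ("gw-old", "12.1-65.25", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:8} {status}")
```

A `patched` result only describes the installed build; because the flaw was exploited as a zero-day before fixes were available, patched appliances still need to be checked for signs of compromise.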
At the end of June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog.
“The NCSC has determined that several critical organizations in the Netherlands have been successfully attacked via a vulnerability with the characteristic CVE-2025-6543 in Citrix NetScaler.” reads the advisory published by the NCSC. “The NCSC identifies the attacks as the work of one or more actors using sophisticated methods. For example, the vulnerability was exploited as a zero-day vulnerability, and traces were actively erased to conceal the compromise at the affected organizations. The investigation is ongoing, but it can now be concluded that perhaps not all questions about this digital attack can be answered.”
The NCSC says CVE-2025-6543 has been exploited as a zero-day since early May. The Dutch Public Prosecution Service was hit, suffering major disruption until early August.
The NCSC urges organizations to increase their security posture by implementing defense-in-depth management measures. The agency has also released a detection script on GitHub that can scan devices for suspicious files.
“If Indicators of Compromise (IOCs) are found for this specific attack, further investigation is needed to determine whether a compromise has actually occurred. In that case, please contact cert@ncsc.nl for further assistance.” concludes the Dutch agency.