Critical Zero-Day Vulnerability in Citrix Software Leaves Numerous Organizations Vulnerable Since May
A critical zero-day vulnerability in Citrix NetScaler products, CVE-2025-6543, has been actively exploited since May 2025. The flaw allows unauthenticated remote code execution (RCE) and has been used to compromise government and legal services worldwide.
The Dutch National Cyber Security Centre (NCSC-NL) has confirmed active exploitation targeting critical organizations in the Netherlands since at least early May 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to apply patches and hunt for signs of malicious activity.
The vulnerability was initially downplayed by Citrix as a "memory overflow vulnerability leading to unintended control flow and Denial of Service." However, evidence suggests that the company was aware of the severity and ongoing exploitation but failed to disclose the full extent of the threat to its customers.
Attackers have exploited the vulnerability by supplying a malicious client certificate to a vulnerable NetScaler device. Processing the crafted certificate corrupts memory on the appliance, which in turn lets the attacker execute arbitrary code and gain a foothold in the network. Because the certificate is handled before any user authentication takes place, no credentials are needed to reach the vulnerable code.
If a device is believed to be compromised, the recommended steps are to take the NetScaler device offline, image the system for forensic analysis before changing anything on it, change the LDAP service account credentials (and treat any other secrets stored on the appliance as exposed), and deploy a new, patched NetScaler instance with fresh credentials rather than reusing the old one. Administrators should also hunt for signs of compromise, including unusually large POST requests in the web access logs and occurrences of error code 1244184 in the NetScaler logs.
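The two indicators above can be checked with a short triage script. The following is an added example written for this article; it is not one of the NCSC-NL scripts and not a Citrix tool. It assumes the access log has been exported from the appliance or its forensic image in Apache "combined" format with an extra final column holding the number of request bytes received (as mod_logio's %I would log it); the 64 KiB threshold, the request paths, and the NetScaler log lines are constructed for illustration and are not real captures.

```python
"""Triage helper for the two indicators named in the article:
oversized POST requests in a web access log, and error code 1244184
in NetScaler log lines.  Added example; the log layout below is an
assumption, not a documented NetScaler format."""
import re
from dataclasses import dataclass

# Assumed layout: Apache combined fields, then an optional final column
# with the request bytes received (mod_logio %I).  Assumption for this example.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "[^"]*" "[^"]*"'
    r'(?: (?P<req_bytes>\d+))?$'
)

# Constructed sample access log (not a real capture); paths are illustrative.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/May/2025:03:14:07 +0200] "GET /vpn/index.html HTTP/1.1" 200 1842 "-" "Mozilla/5.0" 712
203.0.113.7 - - [12/May/2025:03:14:09 +0200] "POST /cgi/login HTTP/1.1" 200 96 "-" "Mozilla/5.0" 1320
198.51.100.23 - - [12/May/2025:03:21:44 +0200] "POST /cgi/login HTTP/1.1" 200 96 "-" "python-requests/2.31" 1048576
""".splitlines()

# Constructed sample NetScaler log lines (not real ns.log output).  The second
# line contains the digits as part of a longer number and must NOT match.
SAMPLE_NS_LOG = """\
May 12 03:21:44 ns nsssl[1422]: constructed sample line, error code 1244184
May 12 03:22:01 ns nsssl[1422]: constructed sample line, code 12441840 is unrelated
""".splitlines()


@dataclass
class Finding:
    kind: str      # "large_post" or "ns_error_code"
    line_no: int   # 1-based line number in the input
    detail: str


def parse_access_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["resp_bytes"] = 0 if rec["resp_bytes"] == "-" else int(rec["resp_bytes"])
    # Lines without the request-bytes column cannot be sized; treat as 0 bytes.
    rec["req_bytes"] = int(rec["req_bytes"]) if rec["req_bytes"] else 0
    return rec


def find_large_posts(lines, threshold=64 * 1024):
    """Flag POST requests whose received size is at or above threshold (bytes)."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["req_bytes"] >= threshold:
            findings.append(Finding(
                "large_post", n,
                f'{rec["client"]} POST {rec["path"]} {rec["req_bytes"]} bytes'))
    return findings


def find_error_code(lines, code="1244184"):
    """Flag lines containing the error code as a whole number (not inside a longer one)."""
    pat = re.compile(rf"(?<!\d){re.escape(code)}(?!\d)")
    return [Finding("ns_error_code", n, line.strip())
            for n, line in enumerate(lines, 1) if pat.search(line)]


def triage(access_lines, ns_lines, threshold=64 * 1024):
    """Run both checks and return the combined list of findings."""
    return find_large_posts(access_lines, threshold) + find_error_code(ns_lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESS_LOG, SAMPLE_NS_LOG):
        print(f"{f.kind}\tline {f.line_no}\t{f.detail}")
```

Run it against real exports by replacing the two constructed lists with the file contents; tune the threshold to the normal request sizes of your own deployment, since a legitimate file upload will exceed a small fixed value. A hit on either check is a reason to image the device and proceed with the recovery steps above, not proof of compromise on its own.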
The NCSC has played a pivotal role in exposing the true nature of the attacks. They have released scripts on GitHub to help organizations check for compromise on live hosts and in coredump files. Security professionals urge organizations using internet-facing Citrix NetScaler devices to take immediate action.
Another zero-day vulnerability, CVE-2025-5777, also known as CitrixBleed 2, has been exploited by the same threat actor to steal user sessions. The NCSC's report, released in August 2025, stated that several critical organizations within the Netherlands have been successfully attacked.
Citrix released a patch for CVE-2025-6543 in late June 2025. It is crucial for organizations to apply this patch as soon as possible to protect their systems from this ongoing threat.