Citrix NetScaler under fire: Dutch NCSC confirms live exploits of CVE-2025-6543
The Dutch National Cyber Security Centre (NCSC-NL) says a critical Citrix NetScaler flaw, CVE-2025-6543 (CVSS 9.2), is being actively exploited against organisations in the Netherlands, including critical sectors. The bug affects NetScaler ADC/Gateway when configured as a Gateway or AAA virtual server. Evidence shows it was used as a zero-day since early May 2025, with attackers dropping web shells and attempting to erase traces. Citrix issued fixes in late June (14.1-47.46, 13.1-59.19 and FIPS/NDcPP variants), and the flaw was added to CISA’s KEV list on 30 June. NCSC-NL advises patching immediately, terminating active sessions, and using its hunt script to check for compromise indicators such as unexpected .php files and newly created privileged accounts.
If your NetScaler has been feeling “a bit peaky,” you’re not imagining it. The Dutch NCSC reports criminals are actively abusing CVE-2025-6543—a critical bug in Citrix NetScaler ADC/Gateway—to break into real organisations, some in critical sectors. Think web shells, erased logs, and a general mess to clean up. Lovely.
What’s the issue?
The flaw (CVSS 9.2) hits devices acting as a Gateway/AAA virtual server (VPN, ICA Proxy, CVPN, RDP Proxy). Attackers have been exploiting it since early May, weeks before public disclosure—classic zero-day behaviour. Investigators found malicious .php web shells planted on devices.
Are there fixes?
Yes: Citrix shipped patches in late June (e.g., 14.1-47.46, 13.1-59.19, FIPS/NDcPP variants). CISA also put the bug on its Known Exploited Vulnerabilities (KEV) list on 30 June. Translation: patch now, not after the next change-advisory tea break.
What should I do today?
1. Update to the fixed builds.
2. Kill active sessions (VPN/AAA/RDP/LB persistence) to boot out any freeloaders.
3. Hunt for IOCs—NCSC-NL has shared a script; look for unexpected .php files and new privileged accounts. Then review logs as if your audit depends on it—because it does.
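An added example for steps 1 and 3 above, not taken from NCSC-NL's hunt script or from Citrix tooling: it flags builds older than the fixed versions named in this article and lists .php files that are absent from a known-good baseline. The function names, the result labels, the operator-supplied baseline set and the sample inventory are assumptions made for illustration.

```python
import os
import re

# Fixed builds named in the article, keyed by release branch.
FIXED = {(14, 1): (47, 46), (13, 1): (59, 19)}

# Accepts "14.1-47.46" and the "NS14.1: Build 47.46.nc" style of version banner.
_BUILD = re.compile(r"(\d+)\.(\d+)(?:-|: Build )(\d+)\.(\d+)")

def triage(version):
    """Classify one build string as 'fixed', 'needs-patch' or 'check-bulletin'."""
    m = _BUILD.search(version)
    if not m:
        return "check-bulletin"      # unparseable: do not guess
    if re.search(r"fips|ndcpp", version, re.I):
        return "check-bulletin"      # variant build numbers are not in the article
    major, minor, build, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "check-bulletin"      # branch not listed in the article
    return "fixed" if (build, patch) >= fixed else "needs-patch"

def unexpected_php(root, baseline):
    """Return .php paths under root (relative, '/'-separated) absent from baseline.

    baseline is an assumed, operator-supplied set of relative paths taken
    from a clean install of the same build.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in baseline:
                    found.append(rel)
    return sorted(found)

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for host, ver in [("gw-a", "NS14.1: Build 43.50.nc"), ("gw-b", "13.1-59.19")]:
        print(host, triage(ver))
```

A `fixed` result says nothing about earlier compromise, since exploitation predates the patches, so run the file comparison on patched appliances as well.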
Bottom line
This is not a paper cut; it’s an “apply-patch-and-check-everything” moment. If your NetScaler faces the internet, treat CVE-2025-6543 as priority one.