The Netherlands’ National Cyber Security Centre (NCSC) warned that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach “critical organizations” in the country. The flaw is a memory overflow bug that allows unintended control flow or a denial of service state on impacted devices, Citrix said in its advisory.
The Citrix advisory describes the vulnerability as: “Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server” (CVE-2025-6543).
Citrix issued a bulletin on June 25, 2025 warning that the following versions were vulnerable to ongoing attacks:
- 14.1 before 14.1-47.46
- 13.1 before 13.1-59.19
- 13.1-FIPS and 13.1-NDcPP before 13.1-37.236
- 12.1 and 13.0 – End-of-Life but still vulnerable (upgrade to a newer release recommended)
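The version thresholds above can be applied to an appliance inventory. The sketch below is an added example, not code from Citrix or the NCSC. It assumes builds are written in the bulletin's own notation (for example `13.1-58.32`) and that the caller already knows whether an appliance is a FIPS/NDcPP edition; the hostnames and the `edition` parameter are hypothetical.

```python
import re

# First fixed build per release line, from the bulletin quoted above.
FIXED = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),  # 13.1-FIPS and 13.1-NDcPP
}
EOL = {"12.1", "13.0"}  # End-of-Life: vulnerable, upgrade to a newer release

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def triage(version, edition="standard"):
    """Return 'fixed', 'vulnerable', 'vulnerable-eol' or 'unknown'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    release = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    if release in EOL:
        return "vulnerable-eol"
    fixed = FIXED.get((release, edition))
    if fixed is None:
        return "unknown"  # release line not covered by the bulletin
    # Numeric tuple compare: 47.9 is older than 47.46, a string compare says otherwise.
    return "fixed" if build >= fixed else "vulnerable"


def needs_action(inventory):
    """Hosts whose build is not confirmed fixed (unknown counts as needing review)."""
    return [host for host, ver, ed in inventory if triage(ver, ed) != "fixed"]


# Constructed inventory: hostnames and builds are made up for illustration.
SAMPLE = [
    ("gw-ams-01", "14.1-47.46", "standard"),
    ("gw-ams-02", "14.1-47.9", "standard"),
    ("gw-fips-01", "13.1-37.236", "fips"),
    ("gw-rtm-01", "13.1-37.236", "standard"),  # same build number, not a FIPS line
    ("gw-old-01", "13.0-92.31", "standard"),
]

if __name__ == "__main__":
    for host, ver, ed in SAMPLE:
        print(f"{host:12} {ver:12} {ed:9} {triage(ver, ed)}")
```

A `fixed` result only reflects the installed build. Because exploitation began before patches existed, a patched appliance still needs the session termination and compromise checks described in this article.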
While the flaw was initially thought to be exploited for denial of service, the NCSC warning indicates that attackers used it to achieve remote code execution. The agency said hackers have breached multiple entities in the Netherlands and then wiped traces to conceal intrusions. The NCSC noted the attacks were conducted as zero days and had been ongoing since at least early May, nearly two months before Citrix published its bulletin and made patches available.
Although the specific organizations affected were not named by the NCSC, the Openbaar Ministerie (OM), the Netherlands’ Public Prosecution Service, disclosed a compromise on July 18 after receiving an NCSC alert. OM described operational disruption and a gradual return to full online operations, with mail and other services coming back online in the following weeks.
To address the risk from CVE-2025-6543, organizations are urged to upgrade to NetScaler ADC and NetScaler Gateway 14.1 version 14.1-47.46 and later, version 13.1-59.19 and later, and ADC 13.1-FIPS and 13.1-NDcPP version 13.1-37.236 and later. After updating, administrators should terminate all active sessions with the following commands:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
The same mitigation approach was referenced for the Citrix Bleed 2 vulnerability, tracked as CVE-2025-5777, though it remains unclear whether that flaw was exploited in these attacks or if the same update process covered both issues. The NCSC also urged IT teams to look for signs of compromise such as atypical file creation dates, duplicate file names with different extensions, and the absence of PHP files in folders.
In support of defenders, the NCSC released a script on GitHub that can scan devices for unusual PHP and XHTML files, as well as other indicators of compromise.
Related coverage and official notices include the NCSC alert and the OM disclosure on July 18, followed by updates on operational disruption and online access restored via e-mail.
For context, developers and security teams are advised to monitor Citrix advisories related to CVE-2025-6543 and to consult the NCSC guidance for the latest remediation steps.