Dutch NCSC Warns of Critical Citrix NetScaler Zero-Day Breach in Netherlands
The Dutch National Cyber Security Centre (NCSC) has issued a critical alert regarding a zero-day vulnerability in Citrix NetScaler, which has been exploited to breach several critical organizations in the Netherlands. The vulnerability, identified as CVE-2025-6543, is a memory overflow flaw that can lead to remote code execution, allowing threat actors to compromise multiple entities and erase evidence to hide their intrusions.
Citrix experts have pointed out that this critical bug has been actively exploited since early May, with the Dutch Public Prosecution Service being one of the organizations affected. The NCSC reported that the organization suffered major disruption until early August, highlighting the severity of the breach.
Understanding the Vulnerability
CVE-2025-6543 is a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway when configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. According to the description of the flaw, it can lead to unintended control flow and potentially cause a Denial of Service (DoS), disrupting service availability.
The vulnerability impacts supported versions of NetScaler ADC and NetScaler Gateway. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the need for organizations to address this critical vulnerability urgently.
Impact on Organizations
The NCSC warns that several critical organizations in the Netherlands have been successfully attacked through the vulnerability tracked as CVE-2025-6543 in Citrix NetScaler. The agency attributes the attacks to one or more actors using sophisticated methods, underscoring the threat posed by this zero-day vulnerability.
Organizations are urged to strengthen their security posture by implementing defense-in-depth management measures to prevent similar breaches in the future. The Dutch agency has released a detection script on GitHub that scans devices for suspicious files, helping organizations identify signs of possible compromise and take corrective action.
What Can Organizations Do?
If Indicators of Compromise (IOCs) are found for this specific attack, further investigation is needed to determine whether a compromise has actually occurred. In such cases, organizations can contact the NCSC at [email protected] for further assistance.
Organizations must take proactive steps to address this critical vulnerability and prevent similar breaches. By staying informed about emerging threats and taking swift action to patch vulnerabilities, organizations can minimize the risk of compromise and protect their sensitive data.