The Netherlands’ National Cyber Security Centre (NCSC) has issued urgent warnings about sophisticated cyberattacks exploiting a critical zero-day vulnerability in Citrix NetScaler systems, identified as CVE-2025-6543. This vulnerability has been actively exploited to breach multiple critical organizations across the Netherlands since at least early May 2025.
Vulnerability Details
CVE-2025-6543 is a memory overflow vulnerability that enables unintended control flow and denial of service in NetScaler ADC (Application Delivery Controller) and NetScaler Gateway products when configured as Gateway or AAA virtual servers. While initially described as a denial of service issue, security researchers have confirmed that attackers successfully exploited it to achieve remote code execution.
The vulnerability carries a CVSS score of 9.2 (Critical); its vector reflects that exploitation requires no privileges or user interaction and has high impact on confidentiality, integrity, and availability. Citrix published patches on June 25, 2025, but exploitation predated this disclosure, making it a zero-day attack.
Impact on Dutch Critical Infrastructure
The NCSC’s investigation has revealed that critical organizations in the Netherlands have been compromised through this vulnerability. One prominent victim was the Dutch Public Prosecution Service (OM), which had to disconnect from the internet on July 17, 2025, following NCSC alerts about potential exploitation of its Citrix NetScaler systems. The organization may remain disrupted for several more weeks while it conducts a thorough forensic analysis.
Sophisticated Attack Methods
Security researchers have identified several concerning aspects of these attacks:
Advanced Evasion Techniques
Attackers employed active trace erasure to obscure their activities, deliberately wiping logs and other indicators to evade detection. This has made forensic analysis particularly challenging and has left significant uncertainty about the full scope of the compromises.
Persistent Access Through Web Shells
Despite patches being available, the NCSC emphasizes that simply updating systems is insufficient, as attackers may retain persistent access through malicious web shells. These web shells provide remote control over compromised devices and allow attackers to maintain backdoor access even after patches are applied.
Timeline of Exploitation
May 2025: Initial exploitation begins (zero-day period)
June 25, 2025: Citrix releases patches and public disclosure
June 30, 2025: CISA adds CVE-2025-6543 to Known Exploited Vulnerabilities catalog
July-August 2025: Continued detection and investigation of breaches
NCSC Recommendations
The Dutch NCSC strongly recommends organizations adopt a defense-in-depth strategy incorporating:
- Network segmentation
- Multi-factor authentication
- Continuous monitoring for anomalous behavior
- Regular forensic audits
- Thorough internal investigations even if patches have been applied
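The web shell persistence described above and the recommendation to investigate even patched systems call for a post-patch content check rather than trust in the patch alone. The following is an added example (not NCSC or Citrix tooling): it flags files under a web root whose content looks like a web shell and notes whether each changed after the exploitation window. It assumes the window start from the article's "early May 2025" and uses a constructed sample web root rather than any NetScaler path.

```python
# Post-patch web shell triage: an added example, not NCSC or Citrix tooling.
# Flags files under a web root whose content looks like a web shell (execution fed
# by request input) and notes whether each changed after the exploitation window.
# Assumptions: window start taken from the article's "early May 2025"; the web
# root is a constructed sample, not a NetScaler path.
import os
import re
import tempfile
from datetime import datetime, timezone

WINDOW_START = datetime(2025, 5, 1, tzinfo=timezone.utc)  # assumption, see above
# Execution primitive whose argument (within 80 bytes) comes from the request.
EXEC_FROM_REQUEST = re.compile(
    rb"(eval|assert|system|shell_exec|passthru|popen|proc_open)\s*\("
    rb".{0,80}?\$_(GET|POST|REQUEST|COOKIE)", re.DOTALL)
# Decoder next to eval: the usual way a payload is hidden from a casual grep.
DECODE_THEN_EVAL = re.compile(rb"(base64_decode|gzinflate|str_rot13)\s*\(")

def score_file(path: str, since: datetime = WINDOW_START) -> list[str]:
    """Return reasons the file is suspicious; an empty list means not flagged."""
    with open(path, "rb") as fh:
        data = fh.read(256 * 1024)  # web shells are small; cap the read
    reasons = []
    if EXEC_FROM_REQUEST.search(data):
        reasons.append("executes request-controlled input")
    if DECODE_THEN_EVAL.search(data) and b"eval" in data:
        reasons.append("decodes then evals an embedded payload")
    if reasons:  # mtime only ranks hits: the article notes attackers erase traces
        fresh = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc) >= since
        reasons.append("changed in window" if fresh else "mtime predates window")
    return reasons

def scan_webroot(root: str, since: datetime = WINDOW_START) -> dict[str, list[str]]:
    # Map every flagged file under root (recursively) to its reasons.
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if reasons := score_file(path, since):
                findings[path] = reasons
    return findings

def build_constructed_sample() -> str:
    # Constructed web root: two benign files and one shell-like file.
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {"index.php": b"<?php echo 'Gateway login'; ?>",
               "health.php": b"<?php $load = system('uptime'); ?>",  # exec, not request-fed
               "x.php": b"<?php @eval(base64_decode($_REQUEST['c'])); ?>"}
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root
```

Run `scan_webroot("/path/to/webroot")` on a real tree; hits are triage candidates to compare against a known-good image, not proof of compromise on their own.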
Organizations discovering indicators of compromise should perform detailed compromise assessments and contact the NCSC’s CERT team for assistance. The NCSC continues sharing indicators of compromise (IOCs) with affected parties and security partners to aid in identifying infections.