
A critical zero-day vulnerability in Citrix NetScaler products, identified as CVE-2025-6543, has been actively exploited by threat actors since at least May 2025, months before a patch was made available. While Citrix initially described the flaw as a “memory overflow vulnerability leading to unintended control flow and Denial of Service,” it has been revealed that the vulnerability allows unauthenticated remote code execution (RCE), resulting in widespread compromises across government and legal services worldwide.

Citrix issued a patch for CVE-2025-6543 in late June 2025. However, attackers had already been exploiting the vulnerability for weeks before the patch's release. Attackers used the exploit to infiltrate NetScaler remote access systems, deploy webshells to maintain persistent access even after patching, and steal credentials. Evidence suggests that Citrix was aware of the exploitation severity but did not fully disclose it to customers. The company only provided a script to detect compromise upon request under restrictive conditions, without adequate guidance on its limitations.

The Dutch National Cyber Security Centre (NCSC) played a key role in uncovering the true nature of these attacks. Their August 2025 report confirmed that several critical organizations in the Netherlands were successfully attacked using this zero-day since at least early May and that attackers actively covered their tracks, complicating forensic analysis.
How the Exploit Works
The same advanced threat actor is believed to be responsible for another Citrix zero-day, CVE-2025-5777, known as CitrixBleed 2, used to steal user sessions. Investigations are ongoing regarding a more recent vulnerability, CVE-2025-7775.

CVE-2025-6543 allows attackers to overwrite system memory on vulnerable NetScaler devices by sending malicious client certificates to the /cgi/api/login endpoint. By flooding the system with hundreds of such requests, they gain the ability to execute arbitrary code. This foothold enables lateral movement into Active Directory environments using stolen LDAP service account credentials. Security experts urge organizations with internet-facing Citrix NetScaler devices to immediately check for indicators of compromise, including large POST requests to /cgi/api/login occurring in rapid succession and NetScaler log error code 1245184 (invalid client certificate). The NCSC has published detection scripts on GitHub to assist organizations in analyzing live hosts and coredump files for compromise. If compromise is detected, recommended actions include:
- Immediately take the affected NetScaler device offline.
- Image the system for forensic investigation.
- Change LDAP service account credentials to prevent lateral movement.
- Deploy a new patched NetScaler device with fresh credentials.
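The two indicators named above (bursts of large POST requests to /cgi/api/login from one source, and log entries carrying error code 1245184) can be hunted for with a small script over exported request logs. The following is an added example written for this article, not the NCSC's published detection script and not Citrix's compromise-check script. The log line format (timestamp, source IP, method, path, body size, message), the sample lines, and the thresholds for "large" and "rapid succession" are all constructed assumptions; a real NetScaler export would need its own parser, and the thresholds should be tuned to the device's normal login traffic.

```python
"""Hunt for the CVE-2025-6543 indicators described in the article in a request log.

Added example with a hypothetical log format; not NetScaler's real log layout and
not the NCSC or Citrix detection scripts.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

LOGIN_ENDPOINT = "/cgi/api/login"          # endpoint named in the article
INVALID_CLIENT_CERT_CODE = "1245184"       # NetScaler error code named in the article
LARGE_BODY_BYTES = 32 * 1024               # assumed cut-off for a "large" POST body
BURST_THRESHOLD = 5                        # assumed: this many large POSTs ...
WINDOW_SECONDS = 10                        # ... within this many seconds from one source

# Constructed sample lines: "<ts> <src> <method> <path> <size> <message>".
# 203.0.113.9 hammers the login endpoint with oversized bodies and trips cert errors;
# 198.51.100.4 is a normal client; 192.0.2.77 never touches the endpoint.
SAMPLE_LOG = """\
2025-05-06T08:00:00Z 203.0.113.9 POST /cgi/api/login 65536 ok
2025-05-06T08:00:01Z 203.0.113.9 POST /cgi/api/login 65536 error=1245184
2025-05-06T08:00:02Z 203.0.113.9 POST /cgi/api/login 65536 error=1245184
2025-05-06T08:00:02Z 203.0.113.9 POST /cgi/api/login 65536 error=1245184
2025-05-06T08:00:03Z 203.0.113.9 POST /cgi/api/login 65536 error=1245184
2025-05-06T08:00:04Z 198.51.100.4 POST /cgi/api/login 512 ok
2025-05-06T08:05:00Z 198.51.100.4 POST /cgi/api/login 512 ok
2025-05-06T09:00:00Z 192.0.2.77 GET /vpn/index.html 0 ok
"""


def parse_line(line):
    """Split one hypothetical-format log line into a record dict."""
    ts, src, method, path, size, msg = line.split(" ", 5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src": src,
        "method": method,
        "path": path,
        "size": int(size),
        "msg": msg,
    }


def find_indicators(log_text):
    """Return sources that sent a burst of large login POSTs, plus every
    (timestamp, source) pair whose message carries the invalid-client-cert code."""
    bursts = {}                    # src -> largest burst size observed in one window
    cert_errors = []               # (iso timestamp, src) for error-code matches
    windows = defaultdict(deque)   # src -> timestamps of recent large login POSTs

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)

        # Indicator 2: the invalid client certificate error code in the message field.
        if INVALID_CLIENT_CERT_CODE in rec["msg"]:
            cert_errors.append((rec["ts"].isoformat(), rec["src"]))

        # Indicator 1: only large POST bodies to the login endpoint count toward a burst.
        if (rec["method"] != "POST" or rec["path"] != LOGIN_ENDPOINT
                or rec["size"] < LARGE_BODY_BYTES):
            continue
        recent = windows[rec["src"]]
        recent.append(rec["ts"])
        # Drop events that fell out of the sliding window.
        while (rec["ts"] - recent[0]).total_seconds() > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= BURST_THRESHOLD:
            bursts[rec["src"]] = max(bursts.get(rec["src"], 0), len(recent))

    return {"bursts": bursts, "cert_errors": cert_errors}


if __name__ == "__main__":
    result = find_indicators(SAMPLE_LOG)
    for src, count in result["bursts"].items():
        print(f"burst: {src} sent {count} large POSTs to {LOGIN_ENDPOINT} "
              f"within {WINDOW_SECONDS}s")
    for ts, src in result["cert_errors"]:
        print(f"cert error {INVALID_CLIENT_CERT_CODE}: {ts} from {src}")
```

A burst hit and a cluster of 1245184 errors from the same source within the same minutes is the pattern to escalate; a single error from a client that otherwise logs in normally is more likely a misconfigured certificate. Because the article notes that attackers covered their tracks on compromised devices, absence of these indicators in on-device logs is not evidence of absence; logs forwarded off the appliance before the incident are the more trustworthy source.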
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the critical need for patching and threat hunting.

For the original article, visit Citrix Netscaler Devices Vulnerable.