Citrix Vulnerabilities Exploited Since May in Targeted Attacks on Critical Infrastructure

In August 2025, the Netherlands National Cyber Security Center (NCSC) disclosed ongoing exploitation of critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway appliances, most notably CVE-2025-6543. The attacks, which began at least in early May 2025, were conducted with advanced tradecraft, leveraging a zero-day vulnerability to compromise multiple critical Dutch organizations. Forensic evidence shows the attackers deployed web shells and erased logs to hinder detection, allowing persistence even after patching.

Severity Level: Critical

Vulnerability Details

  • CVEs: CVE-2025-6543, CVE-2025-5349, CVE-2025-5777
  • Type: Unauthenticated remote code execution
  • Impact: Allows remote attackers to execute arbitrary code, deploy web shells, and gain persistent access.
  • Affected Versions:
    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
    • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
  • Fixed Versions:
    • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP
  • Zero-Day Exploitation: Active since at least early May 2025 before public disclosure.
  • Persistence Risk: Patching does not remove pre-existing backdoors or shells; attackers can re-enter systems.
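The affected and fixed builds above are easiest to apply at scale with a small triage helper. The following is an added example, not a tool from the advisory, Citrix or the NCSC: it parses a NetScaler build string (either the bare `14.1-47.46` form used in this advisory or the `NetScaler NS14.1: Build 47.46.nc` banner that `show version` typically prints, the latter format being an assumption here) and compares it with the fixed builds listed above, treating the 12.1 and 13.0 branches as end of life.

```python
"""Triage helper: compare a NetScaler ADC / Gateway build string against the
fixed builds listed in the advisory. Added example; the fixed-build table is
copied from the advisory, the 'show version' banner format is assumed."""
import re
from typing import Optional, Tuple

# Fixed builds from the advisory, keyed by release branch. The FIPS/NDcPP
# variant of 13.1 has its own build line, so it is tracked separately.
FIXED_BUILDS = {
    "14.1": (47, 46),        # 14.1-47.46 and later
    "13.1": (59, 19),        # 13.1-59.19 and later
    "13.1-FIPS": (37, 236),  # 13.1-37.236-FIPS / -NDcPP and later
}

# Branches the advisory lists as End Of Life: no fix ships for these.
EOL_BRANCHES = {"12.1", "13.0"}

# "14.1-47.46" or "13.1-37.236-FIPS"
_DASH_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")
# Assumed 'show version' banner shape: "NetScaler NS14.1: Build 47.46.nc, Date: ..."
_BANNER_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build_major, build_minor)) or None if unparsable."""
    text = text.strip()
    m = _DASH_RE.match(text)
    if m:
        branch, maj, mino, variant = m.groups()
        if variant:
            branch = f"{branch}-FIPS"  # FIPS and NDcPP share the 13.1-37.x line
        return branch, (int(maj), int(mino))
    m = _BANNER_RE.search(text)
    if m:
        branch, maj, mino = m.groups()
        return branch, (int(maj), int(mino))
    return None


def assess(text: str) -> str:
    """Classify a build string: 'patched', 'vulnerable', 'eol' or 'unknown'.

    'unknown' covers unparsable input and branches the advisory does not
    list, so it should be reviewed by hand rather than ignored."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (47, 46) < (48, 0) etc., matching build numbering.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    import sys
    # Usage: python netscaler_build_check.py "14.1-43.50" "13.1-37.236-FIPS"
    for arg in sys.argv[1:]:
        print(f"{arg}: {assess(arg)}")
```

Feed it one build string per appliance from an inventory export; anything other than `patched` needs follow-up, and `eol` means the only remediation is an upgrade to a supported branch.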

Threat Overview

  1. Initial Access Vector: Unauthenticated RCE via CVE-2025-6543.
  2. Payloads: Malicious .php web shells with obfuscation and dual-use naming conventions to blend with legitimate files.
  3. Persistence Mechanisms:
    • Newly created admin accounts.
    • Web shells in system directories.
  4. Evasion Techniques:
    • Deletion of logs and forensic artifacts.
    • Mimicking legitimate file names and extensions.

Recommendations

  1. Immediately patch affected Citrix NetScaler ADC and NetScaler Gateway appliances to the fixed versions.
  2. NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End Of Life (EOL) and no longer supported. Customers running these versions should upgrade to one of the supported versions that address the vulnerabilities.
  3. After installing the updates, terminate all persistent and active sessions, since existing sessions may have been established by an attacker. This can be done with the following commands:
    • kill icaconnection -all
    • kill pcoipConnection -all
    • kill aaa session -all
    • kill rdp connection -all
    • clear lb persistentSessions
  4. Detection:
    • PHP files that do not belong in Citrix NetScaler system folders may indicate exploitation. Signs that a .php file is out of place include an unusual creation date, a name that duplicates another file in the same folder but with a different extension, and a location where no or only a few other PHP files exist. The NCSC has published a script on GitHub (https://github.com/NCSC-NL/citrix-2025) that checks NetScaler ADC and NetScaler Gateway systems for signs of compromise via CVE-2025-6543.
    • Check for newly created accounts on the NetScaler, and specifically for accounts with elevated privileges.
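The web shell heuristics in the detection step (unusual timestamp, name collision with a non-PHP file, lone PHP file in a folder) can be expressed as a simple scan over an offline copy of the appliance filesystem. The following is an added example written for this advisory, not the NCSC script and not Citrix tooling: it walks a directory tree, scores every `.php` file against those three heuristics and reports files that hit at least `min_hits` of them. The directory names, the 120-day window, the "few PHP files" threshold of 2, and the use of modification time as a stand-in for creation time are all assumptions; `demo()` builds a small constructed sample tree so the scan can be exercised without appliance data.

```python
"""Hunt for out-of-place .php files using the advisory's heuristics.
Added example; thresholds and paths are assumptions, not NetScaler facts."""
import os
import shutil
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_RECENT_DAYS = 120      # assumed window for an "unusual" timestamp
DEFAULT_FEW_PHP_THRESHOLD = 2  # assumed: this many or fewer .php files is "few"


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def scan_php_files(root: str, now: Optional[float] = None,
                   recent_days: int = DEFAULT_RECENT_DAYS,
                   few_php: int = DEFAULT_FEW_PHP_THRESHOLD,
                   min_hits: int = 2) -> List[Finding]:
    """Walk `root` and return .php files matching at least `min_hits` heuristics."""
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        php_files = [f for f in files if f.lower().endswith(".php")]
        if not php_files:
            continue
        # Stems of non-PHP files, for the "same name, different extension" check.
        other_stems = {os.path.splitext(f)[0]
                       for f in files if not f.lower().endswith(".php")}
        for name in php_files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            reasons = []
            # Modification time is the portable stand-in for creation time.
            if st.st_mtime >= cutoff:
                reasons.append("recent_mtime")
            if os.path.splitext(name)[0] in other_stems:
                reasons.append("name_clash_with_non_php")
            if len(php_files) <= few_php:
                reasons.append("few_php_in_folder")
            if len(reasons) >= min_hits:
                findings.append(Finding(full, reasons))
    return findings


def demo(min_hits: int = 1) -> Dict[str, List[str]]:
    """Build a constructed sample tree, scan it, return {relative_path: reasons}.
    The files and timestamps here are invented for the demonstration."""
    now = 1_755_000_000.0          # fixed "now" so results are reproducible
    old = now - 400 * 86400        # well outside the recent window
    base = tempfile.mkdtemp(prefix="php-hunt-")
    try:
        def touch(rel: str, mtime: float) -> None:
            p = os.path.join(base, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w") as fh:
                fh.write("<?php ?>")
            os.utime(p, (mtime, mtime))

        for i in range(5):                      # established folder, all old
            touch("app/page%d.php" % i, old)
        touch("static/index.html", old)         # legitimate static asset
        touch("static/index.php", now - 3 * 86400)   # recent, name clash, lone PHP
        for i in range(3):
            touch("lib/mod%d.php" % i, old)
        touch("lib/mod3.php", now - 86400)      # recent only: a single heuristic
        findings = scan_php_files(base, now=now, min_hits=min_hits)
        return {os.path.relpath(f.path, base): f.reasons for f in findings}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root is None:
        print(demo())
    else:
        for f in scan_php_files(root):
            print(f"{f.path}: {', '.join(f.reasons)}")
```

Run it with the mount point of a forensic image as the argument; with no argument it scans the constructed sample and prints the two files that trip at least one heuristic. Raising `min_hits` to 2 drops the single-heuristic hit and keeps only the file that is both recent and named after a neighbouring non-PHP file, which is the pattern the advisory describes.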

Source:

  • https://www.bleepingcomputer.com/news/security/netherlands-citrix-netscaler-flaw-cve-2025-6543-exploited-to-breach-orgs/
  • https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid
  • https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

Ampcus Cyber