The Dutch National Cyber Security Centre (NCSC-NL) has issued an urgent warning about sophisticated cyberattacks targeting critical infrastructure through a zero-day vulnerability in Citrix NetScaler devices.
The vulnerability, designated CVE-2025-6543, has been actively exploited since early May 2025, successfully compromising several critical organizations across the Netherlands.
Citrix NetScaler ADC and Gateway systems serve as crucial network infrastructure components, functioning as load balancers and secure remote access points for corporate environments.
These devices enable employees to work remotely by providing secure access to internal networks and applications.
The compromised systems represent a significant security breach, as attackers gained access to the perimeter defenses that organizations rely upon to protect their internal networks.
Nationaal Cyber Security Centrum (NCSC-NL) analysts identified the malicious activity on July 16, 2025, discovering evidence of active exploitation across multiple Dutch organizations.
The investigation revealed that threat actors had been leveraging this previously unknown vulnerability for months before Citrix released patches on June 25, 2025.
This timeline confirms that the attacks were zero-day exploits, and they represent one of the most sophisticated threats observed by Dutch cybersecurity authorities.
The attackers demonstrated advanced capabilities by actively erasing forensic traces, making investigation and attribution extremely challenging.
This deliberate evidence destruction suggests the involvement of highly skilled threat actors with significant resources and operational security awareness.
Advanced Persistence and Evasion Mechanisms
The exploitation technique involves deploying malicious web shells on compromised NetScaler devices, providing persistent remote access even after initial vulnerability patches are applied.
NCSC researchers discovered that attackers placed PHP files with suspicious characteristics in system directories, often using duplicate filenames with different extensions to avoid detection.
Organizations can detect potential compromise by examining system folders for anomalous PHP files with unusual creation dates or duplicate names.
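The two file-system heuristics described above (a PHP file that shares its basename with a file of another extension, and a PHP file whose timestamp falls outside the period when the device's legitimate files were written) can be scripted. The following is an added example, not the NCSC's own detection script; it scans a constructed temporary directory rather than a real NetScaler path, uses modification time as a stand-in for creation time, and the baseline window dates are assumptions.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# Assumed baseline window: when the device's legitimate files were last written
# (a real deployment would derive this from its own build or upgrade date).
BASELINE_START = datetime(2025, 1, 1)
BASELINE_END = datetime(2025, 4, 30)

def find_suspicious_php(root, start=BASELINE_START, end=BASELINE_END):
    """Return (duplicates, odd_dates) for PHP files under root.
    duplicates: .php files sharing a basename with a differently-extended file
    (index.php beside index.html or index.php.bak); odd_dates: .php files last
    modified outside the window (mtime stands in for creation time)."""
    exts_by_stem = defaultdict(set)
    php_files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            stem, _, ext = name.partition(".")  # "index.php.bak" -> ("index", "php.bak")
            exts_by_stem[os.path.join(dirpath, stem)].add(ext.lower())
            if ext.lower() == "php":
                php_files.append(os.path.join(dirpath, name))
    duplicates = sorted(stem + ".php" for stem, exts in exts_by_stem.items()
                        if "php" in exts and len(exts) > 1)
    odd_dates = sorted(p for p in php_files
                       if not start <= datetime.fromtimestamp(os.path.getmtime(p)) <= end)
    return duplicates, odd_dates

def build_sample_tree():
    """Constructed sample directory: two benign files and two suspicious ones."""
    root = tempfile.mkdtemp(prefix="netscaler_demo_")
    files = {
        "index.html": BASELINE_START,        # benign, inside the window
        "normal.php": BASELINE_START,        # benign PHP file
        "index.php": BASELINE_START,         # same basename as index.html
        "login.php": datetime(2025, 6, 10),  # written after the baseline window
    }
    for name, when in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php\n" if name.endswith(".php") else "<html></html>\n")
        os.utime(path, (when.timestamp(), when.timestamp()))
    return root

if __name__ == "__main__":
    dups, odd = find_suspicious_php(build_sample_tree())
    print("duplicate-name PHP files:", dups)
    print("PHP files outside baseline window:", odd)
```

A hit from either heuristic is a lead for forensic review of that file, not proof of compromise on its own.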
The NCSC has also published detection scripts on its GitHub repository to help identify Indicators of Compromise (IOCs). The following NetScaler CLI commands are part of the recommended post-patch cleanup:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
These commands should be executed after applying security updates to terminate persistent sessions that attackers might otherwise continue to use.
The NCSC emphasizes that patching alone is insufficient, as compromised systems may retain attacker access, requiring comprehensive forensic investigation and remediation efforts.