Security researcher Kevin Beaumont has revealed alarming details about CVE-2025-6543, a critical Citrix NetScaler vulnerability that was actively exploited as a zero-day attack for months before the company issued patches.
What Citrix initially downplayed as a simple “denial of service” vulnerability has proven to be a sophisticated remote code execution flaw that compromised government and legal services worldwide.
Zero-Day Campaign Hits Global Infrastructure
The vulnerability, which allows attackers to achieve remote code execution through memory overflow attacks, has been under active exploitation since at least early May 2025, according to investigations by NCSC Netherlands.
Citrix only released patches on June 25, 2025, meaning threat actors had months to exploit unpatched systems before the vulnerability became public knowledge.
Key attack characteristics include:
- Malicious client certificates sent to the NetScaler endpoint /cgi/api/login through hundreds of POST requests.
- Memory overflow attacks designed to overwrite memory chunks and execute arbitrary code.
- Deployment of persistent webshells and backdoors that remain active even after patching.
- Active erasure of attack traces to complicate forensic investigations.
- Exploitation of multiple Citrix vulnerabilities simultaneously, including CVE-2025-5777 (CitrixBleed 2).
The attack methodology involves sending malicious client certificates to the NetScaler endpoint /cgi/api/login through hundreds of POST requests designed to overwrite memory chunks and execute arbitrary code.
What makes this particularly concerning is that attackers have been deploying persistent webshells and backdoors that remain active even after patching, ensuring continued access to compromised networks.
NCSC Netherlands reported that “several critical organizations within the Netherlands have been successfully attacked,” with forensic investigations revealing that attackers actively erased traces of their activity to complicate incident response efforts.
The same threat actors appear to be exploiting multiple Citrix vulnerabilities simultaneously, including CVE-2025-5777 (CitrixBleed 2) to steal user sessions and bypass multi-factor authentication.
Widespread Impact, Weak Response
The scope of this campaign extends far beyond initial estimates, with government agencies, legal services, and critical infrastructure organizations worldwide falling victim to these attacks.
Compromised systems have been used as launching points for lateral movement into Active Directory environments, with attackers misusing LDAP service account credentials to expand their network access.
Impact assessment reveals:
- Government agencies, legal services, and critical infrastructure organizations compromised worldwide.
- Lateral movement into Active Directory environments using stolen LDAP service account credentials.
- Internet-facing NetScaler devices decreased by half since late 2023 due to security concerns.
- Customers increasingly relying on government agencies rather than Citrix for threat intelligence.
- Restrictive conditions placed on customers requesting detection scripts from Citrix.
Citrix’s response to the crisis has drawn sharp criticism from security experts. The company provided customers with detection scripts only upon request and under restrictive conditions, while failing to communicate the true severity and scope of the vulnerability.
This lack of transparency has left customers unable to properly assess their compromise status or implement adequate defensive measures.

Security telemetry from Shodan indicates that internet-facing NetScaler devices have decreased by half since late 2023, suggesting that organizations are abandoning the platform due to ongoing security concerns.
The situation has become so problematic that customers are increasingly relying on government cybersecurity agencies and independent researchers rather than Citrix itself for accurate threat intelligence.
Organizations running Citrix NetScaler systems need to take immediate action to protect their infrastructure.
Security experts recommend checking web access logs for suspicious POST requests to /cgi/api/login endpoints, particularly those accompanied by error code 1245184, which indicates invalid client certificates.
Critical response measures include:
- Check web access logs for suspicious POST requests to /cgi/api/login endpoints.
- Look for error code 1245184 indicating invalid client certificates in NetScaler logs.
- Power down affected NetScaler devices immediately if compromise is suspected.
- Conduct forensic imaging using NCSC Netherlands detection scripts available on GitHub.
- Change all associated LDAP service account credentials.
- Deploy replacement systems with fresh credentials rather than attempting repairs.
The NCSC Netherlands has published comprehensive detection scripts and forensic tools on GitHub to help organizations identify compromise indicators and conduct proper incident response.
Organizations that discover signs of exploitation should immediately power down affected NetScaler devices, conduct forensic imaging, change all associated LDAP service account credentials, and deploy replacement systems with fresh credentials.
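As an added illustration of the log review described above (example code written for this article, not a Citrix or NCSC tool), the following Python script counts POST requests to /cgi/api/login per source address, flags sources that exceed a burst threshold, and tallies requests carrying error code 1245184. It assumes a simplified Apache-style access-log line format and runs over a constructed sample log; real NetScaler log layouts differ and the regex would need to be adapted, and the error code is assumed here to appear on the same line as the request, which is a simplification.

```python
import re
from collections import Counter

# Indicators taken from the reporting above.
LOGIN_PATH = "/cgi/api/login"
INVALID_CERT_CODE = "1245184"

# Assumed simplified access-log layout (Apache combined-style prefix plus an
# optional trailing key=value field). Real NetScaler logs will need their own pattern.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: (?P<extra>.*))?$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, threshold=100):
    """Count login POSTs per source and flag sources that exceed the threshold.

    Returns a dict with per-source POST counts, per-source counts of requests
    carrying the invalid-client-certificate error code, and the flagged sources.
    """
    post_counts = Counter()
    cert_errors = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real triage would log these separately
        if rec["method"] == "POST" and rec["path"].startswith(LOGIN_PATH):
            post_counts[rec["ip"]] += 1
            if INVALID_CERT_CODE in line:
                cert_errors[rec["ip"]] += 1
    flagged = sorted(ip for ip, n in post_counts.items() if n >= threshold)
    return {
        "post_counts": post_counts,
        "cert_errors": cert_errors,
        "flagged_sources": flagged,
    }


def build_sample_log():
    """Construct a synthetic log: benign traffic plus one source hammering the
    login endpoint with POSTs that fail client-certificate validation."""
    lines = [
        '10.0.0.5 - - [25/Jun/2025:10:01:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1234',
        '10.0.0.6 - - [25/Jun/2025:10:01:05 +0000] "POST /cgi/api/login HTTP/1.1" 200 88',
    ]
    for i in range(250):  # constructed burst from a single documentation-range address
        lines.append(
            f'203.0.113.7 - - [25/Jun/2025:10:02:{i % 60:02d} +0000] '
            f'"POST /cgi/api/login HTTP/1.1" 403 512 error_code={INVALID_CERT_CODE}'
        )
    # A single failed login from another source: worth noting, but below the burst threshold.
    lines.append(
        '198.51.100.9 - - [25/Jun/2025:10:05:00 +0000] '
        f'"POST /cgi/api/login HTTP/1.1" 403 512 error_code={INVALID_CERT_CODE}'
    )
    return lines


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for ip in result["flagged_sources"]:
        print(f"{ip}: {result['post_counts'][ip]} login POSTs, "
              f"{result['cert_errors'][ip]} with error {INVALID_CERT_CODE}")
    for ip, n in result["cert_errors"].items():
        if ip not in result["flagged_sources"]:
            print(f"{ip}: {n} invalid-certificate login attempt(s) below threshold")
```

Replace `build_sample_log()` with a file read over the device's exported access log to run this against real data; the threshold of 100 is an arbitrary starting point, and a single request with error 1245184 is still worth examining even when no burst is present.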
The crisis highlights broader systemic issues with NetScaler security, as the platform has suffered multiple zero-day exploits in recent months.
With threat actors “running rings around the product on a regular basis” and Citrix failing to provide adequate transparency, organizations may need to consider alternative remote access solutions to protect their critical infrastructure from ongoing attacks.