A critical zero-day vulnerability in Citrix NetScaler products, identified as CVE-2025-6543, has been actively exploited by threat actors since at least May 2025, months before a patch was made available.
While Citrix initially downplayed the flaw as a “memory overflow vulnerability leading to unintended control flow and Denial of Service,” it has since been revealed to allow for unauthenticated remote code execution (RCE), leading to widespread compromise of government and legal services worldwide.
In late June 2025, Citrix released a patch for CVE-2025-6543. However, by that time, attackers had already been leveraging the vulnerability for weeks.
The exploit was used to infiltrate NetScaler remote access systems, deploy webshells to ensure persistent access even after patching, and steal credentials.
Evidence suggests that Citrix was aware of the severity and the ongoing exploitation but failed to disclose the full extent of the threat to its customers, Kevin Beaumont said.
The company provided a script to check for compromise only upon request and under restrictive conditions, without fully explaining the situation or the script’s limitations.
The Dutch National Cyber Security Centre (NCSC) has played a pivotal role in exposing the true nature of the attacks. Their investigation confirmed that the vulnerability was exploited as a zero-day and that attackers actively covered their tracks, making forensic analysis challenging.
The NCSC’s report, released in August 2025, stated that “several critical organizations within the Netherlands have been successfully attacked” and that the vulnerability was abused since at least early May.
How the Exploit Works
The same sophisticated threat actor is also believed to be behind the exploitation of another zero-day, CVE-2025-5777, also known as CitrixBleed 2, which was used to steal user sessions.
Investigations are ongoing to determine if this actor is also responsible for exploiting a more recent vulnerability, CVE-2025-7775.
The CVE-2025-6543 vulnerability allows an attacker to overwrite system memory by supplying a malicious client certificate to the /cgi/api/login endpoint on a vulnerable NetScaler device.
By sending hundreds of these requests, an attacker can overwrite enough memory to execute arbitrary code on the system. This method gives them a foothold in the network, which they have used to move laterally into Active Directory environments by misusing stolen LDAP service account credentials.
Security professionals urge all organizations using internet-facing Citrix NetScaler devices to take immediate action.
System administrators should check for signs of compromise, which include looking for large POST requests to /cgi/api/login in web access logs, often in quick succession.
A corresponding NetScaler log error code of 1245184, indicating an invalid client certificate, is a strong indicator of an exploitation attempt.
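As an added illustration (not code from the article, Citrix or the NCSC), the Python below applies the access-log indicators above to constructed sample lines: it keeps large POSTs to /cgi/api/login and flags any client sending several of them in quick succession. The log line shape, the size threshold and the burst window are assumptions to tune against your own baseline; the 1245184 error code comes from a separate NetScaler log and is not parsed here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape, constructed for this example (real NetScaler access logs differ):
# <client_ip> [<ISO timestamp>] "<method> <path> HTTP/1.1" <status> <request_bytes>
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)$')
TARGET_PATH = "/cgi/api/login"
LARGE_BODY = 10_000                                   # assumed size threshold; tune to baseline
BURST_COUNT, BURST_WINDOW = 5, timedelta(seconds=60)  # assumed meaning of "quick succession"

def parse_line(line):
    """Return (ip, timestamp, method, path, request_bytes), or None if the line is unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, _status, size = m.groups()
    return ip, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), method, path, int(size)

def large_login_posts(lines):
    """(ip, timestamp) of every large POST to the login endpoint."""
    recs = [r for r in map(parse_line, lines) if r]
    return [(ip, ts) for ip, ts, method, path, size in recs
            if method == "POST" and path == TARGET_PATH and size >= LARGE_BODY]

def find_bursts(lines):
    """Client IP -> peak number of large login POSTs inside one BURST_WINDOW (sliding window)."""
    per_ip = defaultdict(list)
    for ip, ts in large_login_posts(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BURST_WINDOW:   # drop entries older than the window
                start += 1
            if end - start + 1 >= BURST_COUNT:         # only clients reaching the count are kept
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample: one client repeating oversized POSTs every 10 s, one ordinary
# login, one large POST to an unrelated path, and one malformed line.
SAMPLE_LOG = [
    f'203.0.113.7 [2025-05-10T02:14:{s:02d}] "POST /cgi/api/login HTTP/1.1" 400 48211'
    for s in range(0, 60, 10)
] + [
    '198.51.100.4 [2025-05-10T02:15:01] "POST /cgi/api/login HTTP/1.1" 200 512',
    '198.51.100.9 [2025-05-10T02:15:05] "POST /upload HTTP/1.1" 200 90000',
    'not a log line',
]
```

Run `find_bursts` over an exported access log; a hit is a reason to pull the device for the forensic steps listed below, not proof of compromise on its own.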
The NCSC has released scripts on GitHub to help organizations check for compromise on live hosts and in coredump files.
If a system is believed to be compromised, the recommended steps are:
- Immediately take the NetScaler device offline.
- Image the system for forensic analysis.
- Change the LDAP service account credentials to prevent lateral movement.
- Deploy a new, patched NetScaler instance with fresh credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to apply patches and hunt for signs of malicious activity.