The NetScaler vulnerability (CVE-2025-6543) was exploited as a zero-day threat for almost two months.

FortiGuard Labs has reported a significant increase in exploitation attempts targeting Citrix Bleed 2, a critical buffer over-read flaw (CVE-2025-5777) affecting Citrix NetScaler ADC (Application Delivery Controller) and Gateway devices. Since July 28, 2025, over 6,000 exploitation attempts have been detected, primarily in the United States, Australia, Germany, and the United Kingdom. Adversaries are focusing on high-value sectors such as technology, banking, healthcare, and education. Concurrently, the Dutch National Cyber Security Centre (NCSC-NL) has confirmed that another vulnerability in NetScaler ADC (CVE-2025-6543), which was patched and disclosed by Citrix in late June 2025, has been exploited as a zero-day vulnerability since early May 2025 in sophisticated, targeted attacks against critical Dutch organisations.

When Citrix released patches for CVE-2025-6543 on June 25, it confirmed that exploits of this vulnerability on unmitigated appliances had been observed, although it did not specify the attackers’ methods. The flaw is described as a memory overflow vulnerability that can lead to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway or AAA virtual server. The NCSC-NL has indicated that the attacks are sophisticated, with attackers erasing traces to complicate forensic investigations. While Citrix has released updates to address the vulnerabilities, the NCSC-NL emphasised that merely updating systems is insufficient to eliminate the risk of exploitation; resetting established sessions is also necessary. The NCSC-NL is actively investigating these vulnerabilities and is collaborating with affected organisations and incident response teams to uncover new indicators of compromise.

Categories: Cybersecurity Threats, Vulnerability Exploitation, Incident Response 

Tags: Citrix, Bleed 2, CVE-2025-5777, CVE-2025-6543, NetScaler, Exploitation, Vulnerability, Cyber Security, Denial of Service, Indicators of Compromise 
