Critical Citrix 0-Day Vulnerability Exploited Since May, Exposing Global Organizations to Risks
A critical zero-day vulnerability in Citrix NetScaler products, identified as CVE-2025-6543, has been actively exploited by threat actors since at least May 2025, months before a patch was made available. While Citrix initially downplayed the flaw as a “memory overflow vulnerability leading to unintended control flow and Denial of Service,” it has since been revealed to allow for unauthenticated remote code execution (RCE), leading to widespread compromise of government and legal services worldwide.

In late June 2025, Citrix released a patch for CVE-2025-6543. However, by that time, attackers had already been leveraging the vulnerability for weeks. The exploit was used to infiltrate NetScaler remote access systems, deploy webshells to ensure persistent access even after patching, and steal credentials. Evidence suggests that Citrix was aware of the severity and the ongoing exploitation but failed to disclose the full extent of the threat to its customers.

The Dutch National Cyber Security Centre (NCSC) has played a pivotal role in exposing the true nature of the attacks, confirming that the vulnerability was exploited as a zero-day and that attackers actively covered their tracks, complicating forensic analysis.
The NCSC’s report, released in August 2025, stated that “several critical organizations within the Netherlands have been successfully attacked” and that the vulnerability had been abused since at least early May. CVE-2025-6543 allows an attacker to overwrite system memory by supplying a malicious client certificate to the /cgi/api/login endpoint on a vulnerable NetScaler device. By sending hundreds of these requests, an attacker can overwrite enough memory to execute arbitrary code on the system. This method provides a foothold in the network, enabling lateral movement into Active Directory environments by misusing stolen LDAP service account credentials.

Security professionals urge all organizations using internet-facing Citrix NetScaler devices to take immediate action. System administrators should check for signs of compromise, including large POST requests to /cgi/api/login in web access logs, often in quick succession. A corresponding NetScaler log error code of 1245184, indicating an invalid client certificate, serves as a strong indicator of an exploitation attempt.
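As an added example (not code from the NCSC report or from Citrix), the following Python scanner looks for the two indicators just described: bursts of large POST requests to /cgi/api/login from a single source, and NetScaler log lines carrying error code 1245184. The access-log layout, the sample lines and the size/time thresholds are constructed for this example; a real NetScaler export needs its own parse_line().

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log in an assumed layout:
# "<ISO timestamp> <src_ip> <method> <path> <status> <request_bytes>"
SAMPLE_ACCESS_LOG = """\
2025-05-04T10:12:01Z 203.0.113.7 GET /vpn/index.html 200 0
2025-05-04T10:12:03Z 203.0.113.7 POST /cgi/api/login 200 65536
2025-05-04T10:12:04Z 203.0.113.7 POST /cgi/api/login 200 65536
2025-05-04T10:12:05Z 203.0.113.7 POST /cgi/api/login 200 65536
2025-05-04T11:30:00Z 198.51.100.9 POST /cgi/api/login 200 900
"""
# Constructed NetScaler-style syslog lines; only the 1245184 code comes from the report.
SAMPLE_NS_LOG = """\
May  4 10:12:03 ns01 SSL : invalid client certificate, error code 1245184
May  4 10:12:04 ns01 SSL : invalid client certificate, error code 1245184
May  4 11:30:00 ns01 AAA : user login succeeded
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    # Returns a dict for a line in the assumed layout, None otherwise.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, _status, size = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "bytes": int(size)}

def find_login_bursts(log_text, min_bytes=4096, window=timedelta(seconds=60), min_count=3):
    # src_ip -> most large POSTs to /cgi/api/login seen inside any `window`; needs >= min_count.
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == "/cgi/api/login" and rec["bytes"] >= min_bytes:
            per_ip[rec["ip"]].append(rec["ts"])
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0  # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits

def count_invalid_cert_errors(ns_log_text, code="1245184"):
    return sum(1 for line in ns_log_text.splitlines() if re.search(rf"\b{code}\b", line))
```

A burst hit is a lead for deeper review of that device (webshell hunting, credential rotation), not proof of compromise on its own; pair it with the 1245184 count from the same time window.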
Categories: Cybersecurity Vulnerabilities, Exploitation Techniques, Incident Response
Tags: CVE-2025-6543, Citrix, Zero-Day, Vulnerability, Remote Code Execution, Denial of Service, Webshells, Credential Theft, Active Directory, Cyber Security