
The NetScaler vulnerability (CVE-2025-6543) was exploited as a zero-day for almost two months.

FortiGuard Labs has reported a significant increase in exploitation attempts targeting CitrixBleed 2, a critical buffer over-read flaw (CVE-2025-5777) affecting Citrix NetScaler ADC (Application Delivery Controller) and Gateway devices. Since July 28, 2025, over 6,000 exploitation attempts have been detected, primarily in the United States, Australia, Germany, and the United Kingdom. Adversaries are focusing on high-value sectors such as technology, banking, healthcare, and education. Concurrently, the Dutch National Cyber Security Centre (NCSC-NL) has confirmed that another vulnerability in NetScaler ADC (CVE-2025-6543) has been exploited as a zero-day vulnerability since early May 2025, targeting critical organisations in the Netherlands. This vulnerability was patched and disclosed by Citrix in late June 2025.

When Citrix released patches for CVE-2025-6543 on June 25, it confirmed that exploits on unmitigated appliances had been observed, although the specific intentions of the attackers were not disclosed. The flaw is described as a memory overflow vulnerability that can lead to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway or AAA virtual server.

The NCSC-NL has indicated that the attacks are sophisticated, with attackers erasing traces to complicate forensic investigations. While Citrix has released updates to address the vulnerabilities, the NCSC-NL emphasised that merely updating systems is insufficient to eliminate exploitation risks; resetting established sessions is also necessary. The NCSC-NL is actively investigating these vulnerabilities and is collaborating with affected organisations and incident response teams to uncover new indicators of compromise. They are also developing a script to assist organisations in checking their systems for these indicators and have advised those who discover them to contact their national cyber security incident response entity (CSIRT) for further assistance.

Although the NCSC-NL has not identified all affected entities, it has been confirmed that the country’s Public Prosecution Service was recently breached through Citrix systems. The Shadowserver Foundation has reported ongoing exploitation attempts related to both vulnerabilities, noting that several thousand unpatched Citrix NetScaler devices remain in operation.

Categories: Cybersecurity Threats, Vulnerability Exploitation, Incident Response 

Tags: CitrixBleed 2, CVE-2025-5777, CVE-2025-6543, NetScaler ADC, Exploitation Attempts, Vulnerability, Denial of Service, Cyber Security, Incident Response, Indicators of Compromise 
