
A sophisticated cyber threat actor exploited a critical Citrix NetScaler vulnerability for nearly two months before its discovery, successfully breaching several Dutch organizations, including the country's Public Prosecution Service, according to new intelligence from the Netherlands' National Cyber Security Centre (NCSC-NL).
The zero-day attack campaign leveraged CVE-2025-6543, a memory overflow vulnerability affecting NetScaler ADC (Application Delivery Controller) and Gateway devices. The flaw can trigger "unintended control flow and Denial of Service" when these systems are configured as Gateway or AAA virtual servers—components that millions of organizations rely on for secure remote access and application delivery.
Dutch cybersecurity officials revealed that attackers began exploiting the vulnerability in early May 2025 and operated undetected until NCSC-NL discovered the compromise on July 16th. Citrix didn't release patches until June 25, confirming at the time that "exploits of CVE-2025-6543 on unmitigated appliances have been observed."
"The NCSC identifies the attacks as the work of one or more actors using sophisticated methods," officials stated, emphasizing that the threat actors "actively erased traces to conceal the compromise at the affected organizations," making forensic investigation extremely challenging.
The discovery coincides with a dramatic surge in attacks targeting another NetScaler flaw. FortiGuard Labs detected over 6,000 exploitation attempts since late July targeting CVE-2025-5777 (dubbed "CitrixBleed 2"), with attackers primarily focusing on "high-value sectors such as technology, banking, healthcare, and education" across the US, Australia, Germany, and the UK.
The Shadowserver Foundation warns that "several thousand unpatched Citrix NetScaler devices likely vulnerable to CVE-2025-5777 and CVE-2025-6543" remain exposed globally, creating an attractive attack surface for cybercriminals.
Critical Response Required
NCSC-NL emphasizes that simply patching the vulnerability isn't sufficient. Organizations must also reset established sessions and implement comprehensive incident response procedures. "Updating systems is not sufficient to eliminate the risk of exploitation," officials warned, noting that attackers can maintain persistent access even after patches are applied.
The agency is developing an updated script to help organizations detect indicators of compromise and urges any organization discovering signs of breach to contact their national cybersecurity incident response team immediately.