Redazione RHC : 30 August 2025 20:30
A critical zero-day flaw, classified as CVE-2025-6543, has been discovered in Citrix NetScaler systems. The vulnerability has been actively exploited by malicious hackers since May 2025, several months before a fix was made available. Citrix initially reported a simple memory overflow that could cause abnormal control flow and denial of service, but it later emerged that the flaw actually allows unauthenticated remote code execution (RCE), potentially resulting in a widespread global compromise of affected systems.
The bug, tracked as CVE-2025-6543, allows an attacker to overwrite system memory by presenting a malicious client certificate to the /cgi/api/login endpoint on a vulnerable NetScaler device. By sending hundreds of these requests, an attacker can overwrite enough memory to execute arbitrary code on the system. This method gave the attackers a foothold in the network, from which they moved laterally into Active Directory environments by abusing stolen LDAP service account credentials.
The company made a test script available to detect compromises, but only upon specific request and under very limited circumstances. However, they did not provide a thorough explanation of the situation or the script’s limitations. Evidence suggests that Citrix was aware of the severity and ongoing exploitation but failed to disclose the true extent of the threat to its customers, Kevin Beaumont said.
Organizations with internet-facing Citrix NetScaler devices are urged by security experts to take immediate action. If you suspect a system is compromised, the recommended steps are:
The United States has added CVE-2025-6543 to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for organizations to apply the patches and monitor for possible traces of malicious activity.
The Dutch National Center for Information Security (NCSC) played a key role in uncovering the true nature of the attacks. Its investigation confirmed that the vulnerability had been exploited as a zero-day and that the attackers actively covered their tracks, making forensic analysis difficult. The report, published in August 2025, stated that “several critical organizations in the Netherlands were successfully attacked” and that the vulnerability had been exploited since at least the beginning of May.
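The exploitation pattern described above, hundreds of requests against the /cgi/api/login endpoint from a single source, is something a defender can look for in access logs while hunting for traces of activity. The following script is an added example written for this article, not code from Citrix, CISA or the NCSC: it flags source addresses that hit the login endpoint more than a threshold number of times inside a sliding time window. The log format (timestamp, client IP, method, path, status) is a simplified format assumed for the example, and every sample line is constructed; adapt the regular expression to the real log source before use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified log format for this example: "timestamp ip method path status".
# Real NetScaler logs differ; adjust LINE_RE and parse_line() accordingly.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

LOGIN_PATH = "/cgi/api/login"  # endpoint named in the article


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_login_bursts(lines, path=LOGIN_PATH, threshold=50, window=timedelta(minutes=5)):
    """Return {source_ip: peak_count} for sources that sent at least `threshold`
    requests to `path` within any `window`-long sliding interval."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue  # unparseable or unrelated request
        per_ip[rec["ip"]].append(rec["ts"])

    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            # advance the window start until it is within `window` of the newest stamp
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def build_sample_log():
    """Constructed sample data (not real traffic) covering the main cases."""
    base = datetime(2025, 5, 6, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = ["this line is deliberately malformed and must be skipped"]
    # normal user: three logins an hour apart
    for i in range(3):
        lines.append(f"{base + timedelta(hours=i):{fmt}} 198.51.100.20 POST {LOGIN_PATH} 200")
    # slow, spread-out requester: 60 requests, one every 6 minutes (never 50 in 5 min)
    for i in range(60):
        lines.append(f"{base + timedelta(minutes=6 * i):{fmt}} 192.0.2.44 POST {LOGIN_PATH} 401")
    # burst: 120 requests in two minutes from one source, the pattern worth alerting on
    for i in range(120):
        lines.append(f"{base + timedelta(seconds=i):{fmt}} 203.0.113.7 POST {LOGIN_PATH} 401")
    # unrelated traffic to another path from the bursting source is not counted
    lines.append(f"{base:{fmt}} 203.0.113.7 GET /index.html 200")
    return lines


if __name__ == "__main__":
    for ip, count in sorted(find_login_bursts(build_sample_log()).items()):
        print(f"ALERT {ip}: {count} requests to {LOGIN_PATH} within a 5-minute window")
```

The window and threshold are deliberately conservative defaults; tune them against a baseline of the device's normal login volume, and treat a hit as a trigger for the fuller compromise assessment rather than as proof of exploitation on its own.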
Citrix completed the release of a patch for CVE-2025-6543 in June 2025. However, attackers had already been exploiting the vulnerability for several weeks. The vulnerability was exploited to compromise NetScaler remote access systems, deploy webshells capable of ensuring persistent access even after patches were applied, and steal credentials.
The same sophisticated threat actor is believed to be behind the exploitation of another zero-day vulnerability, CVE-2025-5777, also known as CitrixBleed 2, used to steal user sessions. Specific investigations are underway to determine whether this actor is also responsible for the exploitation of a more recent vulnerability, CVE-2025-7775.