The Dutch National Cyber Security Centre (NCSC-NL) has issued an urgent warning about sophisticated cyberattacks targeting critical infrastructure through a zero-day vulnerability in Citrix NetScaler devices. The vulnerability, designated CVE-2025-6543, has been actively exploited since early May 2025, compromising several critical organizations across the Netherlands. Attackers gained access to perimeter defenses, demonstrating advanced capabilities by erasing forensic traces and deploying malicious web shells for persistent remote access. The exploitation involved placing suspicious PHP files in system directories, making detection and remediation challenging. The NCSC emphasizes that patching alone is insufficient, as compromised systems may retain attacker access, requiring comprehensive forensic investigation.
Source: https://cybersecuritynews.com/ncsc-warns-of-citrix-netscaler-vulnerability/
TPRM report: https://www.rankiteo.com/company/citrix
{
  "id": "cit211081225",
  "linkid": "citrix",
  "type": "Cyber Attack",
  "date": "8/2025",
  "severity": "100",
  "impact": "6",
  "explanation": "Attack threatening the economy of geographical region"
}
{'affected_entities': [{'location': 'Netherlands',
                        'type': 'Critical infrastructure organizations'}],
 'attack_vector': 'Vulnerability in Citrix NetScaler devices',
 'date_detected': '2025-07-16',
 'date_publicly_disclosed': '2025-07-16',
 'description': 'The Dutch National Cyber Security Centre (NCSC-NL) has issued '
                'an urgent warning about sophisticated cyberattacks targeting '
                'critical infrastructure through a zero-day vulnerability in '
                'Citrix NetScaler devices. The vulnerability, designated '
                'CVE-2025-6543, has been actively exploited since early May '
                '2025, successfully compromising several critical '
                'organizations across the Netherlands.',
 'impact': {'operational_impact': 'Significant security breach, access to '
                                  'perimeter defenses',
            'systems_affected': 'Citrix NetScaler ADC and Gateway systems'},
 'initial_access_broker': {'backdoors_established': 'Malicious web shells',
                           'entry_point': 'Citrix NetScaler devices',
                           'reconnaissance_period': 'Since early May 2025'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'corrective_actions': 'Patching, terminating '
                                                  'persistent sessions, '
                                                  'forensic investigation',
                            'root_causes': 'Zero-day vulnerability in Citrix '
                                           'NetScaler devices'},
 'recommendations': 'Patching alone is insufficient; comprehensive forensic '
                    'investigation and remediation efforts are required.',
 'references': [{'source': 'NCSC-NL'}],
 'response': {'containment_measures': 'Patching, terminating persistent '
                                      'sessions',
              'incident_response_plan_activated': True,
              'remediation_measures': 'Comprehensive forensic investigation'},
 'title': 'Sophisticated Cyberattacks Targeting Critical Infrastructure via '
          'Citrix NetScaler Zero-Day Vulnerability',
 'type': 'Zero-day exploitation',
 'vulnerability_exploited': 'CVE-2025-6543'}