NetScaler vulnerability was exploited as zero-day for nearly two months (CVE-2025-6543)
FortiGuard Labs has reported a dramatic spike in exploitation attempts targeting Citrix Bleed 2, a critical buffer over‑read flaw (CVE‑2025‑5777) affecting Citrix NetScaler ADC (Application Delivery Controller) and Gateway devices.
Since July 28, 2025, they have detected over 6,000 exploitation attempts, mostly in the US, Australia, Germany and the UK, “with adversaries primarily focusing on high-value sectors such as technology, banking, healthcare, and education.”
Meanwhile, the Dutch National Cyber Security Centre (NCSC‑NL) has confirmed that another NetScaler ADC vulnerability (CVE‑2025‑6543) – patched and disclosed by Citrix in late June 2025 – has been exploited as a zero-day vulnerability since early May 2025 in sophisticated, targeted attacks against critical Dutch organizations.
Active CVE‑2025‑6543 and CVE‑2025‑5777 exploitation
When Citrix released patches for CVE‑2025‑6543 on June 25, it immediately confirmed that “exploits of CVE-2025-6543 on unmitigated appliances have been observed,” but did not explain what the attackers have been using it for.
The description of the flaw says it is a memory overflow vulnerability that can lead to “unintended control flow and Denial of Service” in NetScaler ADC and NetScaler Gateway when configured as Gateway or AAA virtual server.
NCSC‑NL’s latest update on the attacks says that they were sophisticated and that the attackers worked on erasing traces to conceal the compromise and make forensic investigation challenging.
“Citrix has released updates to address the vulnerability. Updating systems is not sufficient to eliminate the risk of exploitation,” the NCSC-NL pointed out. Resetting established sessions is also required.
“The NCSC is actively investigating vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. Several investigations are currently underway into the scope, nature, and impact of the attacks. Together with affected organizations, incident response organizations, and security partners, we are continuing to uncover new indicators, which we use to help other organizations in the Netherlands conduct their own investigations,” the NCSC‑NL said.
The organization is working on updating a script that organizations can use to check their systems for the presence of indicators of compromise, and has advised organizations that discover them to contact their national cyber security incident response entity (CSIRT) for further assistance with the investigation and the clean-up.
NCSC-NL did not identify any of the affected entities, but we know about one: the country’s Public Prosecution Service confirmed it had been recently breached through Citrix systems, though they did not specify whether CVE‑2025‑5777 or CVE‑2025‑6543 had been used.
The Shadowserver Foundation says that they are seeing exploitation attempts related to both vulnerabilities in their sensors, and that there are still several thousand unpatched Citrix NetScaler devices likely vulnerable to CVE-2025-5777 and CVE-2025-6543 out there.