Critical Citrix 0-Day Vulnerability Exploited Since May, Leaving Global Entities Exposed
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical zero-day vulnerability in Citrix NetScaler products, identified as CVE-2025-6543<\/a>, has been actively exploited by threat actors since at least May 2025, months before a patch was made available.<\/p>\n While Citrix initially downplayed the flaw as a \u201cmemory overflow vulnerability leading to unintended control flow and Denial of Service,\u201d it has since been revealed to allow for unauthenticated remote code execution (RCE), leading to widespread compromise of government and legal services worldwide.<\/p>\n In late June 2025, Citrix released a patch for CVE-2025-6543<\/a>. However, by that time, attackers had already been leveraging the vulnerability for weeks. <\/p>\n The exploit was used to infiltrate NetScaler remote access systems, deploy webshells to ensure persistent access even after patching, and steal credentials. <\/p>\n Evidence suggests that Citrix was aware of the severity and the ongoing exploitation but failed to disclose the full extent of the threat to its customers, Kevin Beaumont said<\/a>.<\/p>\n The company provided a script to check for compromise only upon request and under restrictive conditions, without fully explaining the situation or the script\u2019s limitations.<\/p>\n The Dutch National Cyber Security Centre (NCSC) has played a pivotal role in exposing the true nature of the attacks. Their investigation confirmed that the vulnerability was exploited as a zero-day and that attackers actively covered their tracks, making forensic analysis<\/a> challenging.<\/p>\n The NCSC\u2019s report, released in August 2025, stated that \u201cseveral critical organizations within the Netherlands have been successfully attacked\u201d and that the vulnerability was abused since at least early May.<\/p>\n The same sophisticated threat actor is also believed to be behind the exploitation of another zero-day, CVE-2025\u20135777, also known as CitrixBleed 2<\/a>, which was used to steal user sessions.<\/p>\n Investigations are ongoing to determine if this actor is also responsible for exploiting a more recent vulnerability, CVE-2025-7775.<\/p>\n The CVE-2025\u20136543 vulnerability allows an attacker to overwrite system memory by supplying a malicious client certificate to the By sending hundreds of these requests, an attacker can overwrite enough memory to execute arbitrary code on the system. This method gives them a foothold in the network, which they have used to move laterally into Active Directory<\/a> environments by misusing stolen LDAP service account credentials.<\/p>\n Security professionals urge all organizations using internet-facing Citrix NetScaler devices to take immediate action.<\/p>\n System administrators should check for signs of compromise, which include looking for large POST requests to A corresponding NetScaler log error code of 1245184, indicating an invalid client certificate, is a strong indicator of an exploitation attempt.<\/p>\n The NCSC has released scripts on GitHub to help organizations check for compromise on live hosts and in coredump files.<\/p>\n If a system is believed to be compromised, the recommended steps are:<\/p>\n The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to apply patches and hunt for signs of malicious activity.<\/p>\n Find this Story Interesting! Follow us on Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>.<\/p>\n The post Critical Citrix 0-Day Vulnerability Exploited Since May, Leaving Global Entities Exposed<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nHow the Exploit Works<\/strong><\/h2>\n
\/cgi\/api\/login<\/code> endpoint on a vulnerable NetScaler device. <\/p>\n\/cgi\/api\/login<\/code> in web access logs, often in quick succession.<\/p>\n\n