Back in late June, Citrix posted a patch for CVE-2025-6543, which they described as “Memory overflow vulnerability leading to unintended control flow and Denial of Service”. Denial of service? Piff the magic dragon, who cares.

No technical details were ever published about the vulnerability. That changes today.

What they forgot to tell you: it allows remote code execution, it was used to compromise Netscaler remote access systems at scale and to maintain network access even after patching, webshells have been deployed, and Citrix knew this and just didn’t mention it.

It has compromised government and legal services worldwide. Citrix provided customers on request, under weird conditions, a script to check for compromise, but didn’t explain what was happening, and the script was incomplete.

The exact same threat actor was also exploiting CVE-2025-5777 aka CitrixBleed 2 to steal user sessions. This was also being exploited as a zero day. I am investigating if it’s also the same threat actor exploiting CVE-2025-7775, the latest Netscaler vulnerability; more on that soon.

NCSC Netherlands have a rather cool report out about CVE-2025-6543, where they’ve essentially done Citrix’s job for them:

Casus: Citrix kwetsbaarheid (Update 13-08-2025) (Case: Citrix vulnerability)

There’s lots of detail in there, but to pull a few things out of their report:

“The NCSC notes that several critical organizations within the Netherlands have been successfully attacked.

Zero-day vulnerability

Further research shows that the vulnerability has been abused by the attacker since at least early May. On 25 June Citrix published information about vulnerability CVE-2025-6543 and offered a patch to fix it. Thus we are talking about a zero-day attack, as the vulnerability was abused before it was made public.

Forensics at affected organizations show that traces have been actively erased by the attacker. This makes forensic investigation challenging.”

I recommend reading their report. It’s really good.
NCSC Netherlands are gods amongst cyber.

So what’s going on really?

CVE-2025-6543 is a vulnerability which allows an attacker to supply a client certificate which overwrites memory. This then allows code execution on the box.

How? Calls are made to the Netscaler box to the endpoint /cgi/api/login, with a client supplied certificate. By sending hundreds of requests, you can overwrite chunks of memory in the hope of executing code.

This was happening long before the patch was released, and then devices were backdoored with webshells and other goodies which persist post patching. It is still unclear what the extent of the activity is; NCSC NL and others are investigating. It is clear the attackers covered their tracks, too.

Hunting

I would recommend, if logs exist, checking for web access requests to /cgi/api/login on your Netscaler devices. These will be large POST requests. It is extremely unlikely these are legit requests.

If you see a series of requests in quick succession, investigate. You will also see lines in your Netscaler logs indicating error code 1245184 at the same time; this error code means a client supplied certificate is invalid.

I would highly recommend every Citrix Netscaler customer with internet facing devices runs this script on their Netscaler devices:

citrix-2025/live-host-bash-check/TLPCLEAR_check_script_cve-2025-6543-v1.8.sh at main · NCSC-NL/citrix-2025

If you find a coredump from that script which aligns to the same time as /cgi/api/login requests, you have seen an exploitation attempt for CVE-2025-6543.

You can additionally run this script on your coredump files:

citrix-2025/core-dump-checks at main · NCSC-NL/citrix-2025

You can also run strings on the coredump, and then compare the output against the strings in the .YARA file in the repo above to quickly check.

It is also likely you’ll see prior exploit attempts for CitrixBleed 2; see earlier blogs for that.

If you believe your box was exploited, I recommend:

- Turn the Netscaler box off.
- Look to image the box and then run forensics, e.g. Citrix tools or https://github.com/NCSC-NL/citrix-2025/tree/main/disk-image-checks
- Change the LDAP service account credentials, as the threat actor has been misusing them to move laterally to Active Directory.
- Deploy a new appliance in its place with new LDAP service account credentials.

IP IoCs (not exhaustive)

91.107.190.236
88.119.169.150
38.60.245.99
101.99.91.107
84.55.67.133
194.36.37.5

VirusTotal collection: https://www.virustotal.com/gui/collection/ea8804dc4417e62d7f0f254e2d443da00d3b3bf12d7bbe5978fc011b98be2d32/iocs

VirusTotal Graph: https://www.virustotal.com/graph/embed/g20a3629128d94c298d621e24a622915af616ca89fa6c43c7938f8148572d21f7?theme=dark

Webshell IoCs

PHP file names: https://github.com/GossiTheDog/scanning/blob/main/Netscaler-Webshells

Note these vary by victim, they’re manually placed, so that list won’t be exhaustive at all. .xhtml files also exist.

A final note

Netscaler customers have a problem: the product is on fire. And not in a good way. Serious threat actors are running rings around the product on a regular basis, zero days are being exploited regularly, and Citrix/Cloud Software Group simply aren’t being transparent with customers about what is happening, so customers cannot make real assessments of compromise. Applying patches after already being exploited is not working.

Currently, customers appear to be opting to leave at scale; if you look at Shodan, internet facing Netscaler devices have also halved since late 2023:

(Embedded Shodan chart of internet facing Netscaler devices over time, not reproduced here.)

I’m not surprised. Cloud Software Group are busy touting Quantum features in Netscaler, when their customers’ houses are being set on fire.

The customers are being left to try to gain information about what is happening from regional government cyber people and blogs.
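Pulling the hunting guidance from earlier in this post together in one place (POSTs to /cgi/api/login arriving in quick succession, error code 1245184 in the Netscaler logs at the same time, a coredump at the same time, and requests from the IoC IPs listed above), here is an added example in Python. It is not code from this post, from Citrix or from NCSC-NL. It assumes httpaccess.log is in Apache combined format and that ns.log lines begin with an ISO-8601 UTC timestamp; the sample log lines, the wording of the certificate error message, the coredump path and the burst thresholds are all constructed for illustration, so check the regexes against your own appliance’s log format before relying on them.

```python
import re
from datetime import datetime, timedelta, timezone

# IP IoCs listed in the post (not exhaustive).
IOC_IPS = {
    "91.107.190.236", "88.119.169.150", "38.60.245.99",
    "101.99.91.107", "84.55.67.133", "194.36.37.5",
}

# Error code the post says appears when a client supplied certificate is invalid.
CERT_ERROR_CODE = "1245184"

# ASSUMPTION: httpaccess.log lines are in Apache combined format.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
ACCESS_TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# ASSUMPTION: ns.log lines start with an ISO-8601 UTC timestamp ("2025-05-05T10:12:05Z ...").
NSLOG_TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def parse_access_log(lines):
    """Return (ip, timestamp, method, path) tuples for lines that match ACCESS_RE."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], ACCESS_TS_FMT)
            events.append((m["ip"], ts, m["method"], m["path"]))
    return events


def login_posts(events):
    """POSTs to /cgi/api/login: per the post, these are very unlikely to be legitimate."""
    return [e for e in events if e[2] == "POST" and e[3].split("?")[0] == "/cgi/api/login"]


def ioc_hits(events):
    """Any request at all from one of the listed IoC IPs."""
    return [e for e in events if e[0] in IOC_IPS]


def bursts(hits, window=timedelta(seconds=60), min_count=5):
    """Group hits into runs of >= min_count requests within `window` of the run's first request.
    The thresholds are illustrative tuning choices, not values from the post."""
    hits = sorted(hits, key=lambda e: e[1])
    runs, i = [], 0
    while i < len(hits):
        j = i
        while j + 1 < len(hits) and hits[j + 1][1] - hits[i][1] <= window:
            j += 1
        if j - i + 1 >= min_count:
            runs.append(hits[i:j + 1])
        i = j + 1
    return runs


def cert_error_times(ns_lines):
    """Timestamps of ns.log lines carrying the invalid-client-certificate error code."""
    times = []
    for line in ns_lines:
        m = NSLOG_TS_RE.match(line)
        if m and CERT_ERROR_CODE in line:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
            times.append(ts)
    return times


def correlate(run, cert_errors, coredumps, slack=timedelta(minutes=5)):
    """Summarise one burst: IoC IPs involved, cert errors and coredumps within `slack` of it."""
    start, end = run[0][1], run[-1][1]

    def near(t):
        return start - slack <= t <= end + slack

    return {
        "start": start.isoformat(),
        "count": len(run),
        "ioc_ips": sorted({e[0] for e in run} & IOC_IPS),
        "cert_errors": sum(1 for t in cert_errors if near(t)),
        "coredumps": [path for path, t in coredumps if near(t)],
    }


# Constructed sample data, not real victim logs: one benign GET, eight rapid POSTs from an
# IoC IP, one lone POST from elsewhere, three cert-error lines and one coredump in the window.
SAMPLE_ACCESS = (
    ['203.0.113.7 - - [05/May/2025:09:00:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120']
    + [f'91.107.190.236 - - [05/May/2025:10:12:{s:02d} +0000] "POST /cgi/api/login HTTP/1.1" 400 0'
       for s in range(0, 40, 5)]
    + ['198.51.100.9 - - [05/May/2025:11:30:00 +0000] "POST /cgi/api/login HTTP/1.1" 400 0']
)
SAMPLE_NSLOG = [f"2025-05-05T10:12:{s:02d}Z ns0 client certificate rejected, code {CERT_ERROR_CODE}"
                for s in (5, 15, 25)]
SAMPLE_COREDUMPS = [("/var/core/nsppe.core", datetime(2025, 5, 5, 10, 12, 31, tzinfo=timezone.utc))]


def hunt(access_lines=SAMPLE_ACCESS, ns_lines=SAMPLE_NSLOG, coredumps=SAMPLE_COREDUMPS):
    """Run the full check and return one summary dict per suspicious burst."""
    hits = login_posts(parse_access_log(access_lines))
    return [correlate(run, cert_error_times(ns_lines), coredumps) for run in bursts(hits)]


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

Any burst that comes back with both cert errors and a coredump is exactly the pattern the post describes and warrants the full response above (power off, image, forensics, rotate the LDAP service account); a single POST with no surrounding signals is still worth a look, because the post says legitimate traffic to that endpoint is extremely unlikely.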
Government cyber people, who are also customers, are working to fill in the blanks.

If you read some analysis of the product, you’ll see obvious and long standing problems, e.g.:

(Embedded post, not reproduced here.)

Cloud Software Group are touting links to CISA and Secure By Design, but in reality they need to radically rethink how to secure Netscaler and gain customer confidence, or customers need to change solution, fast. This situation is not okay; there is no marketing your way out of a wildfire.

“Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025” was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.