- August 12, 2025
- Posted by: fenoutech
- Category: Vulnerability

On August 12, 2025, the Dutch National Cyber Security Centre (NCSC-NL) confirmed the active exploitation of a critical vulnerability in Citrix NetScaler ADC devices (CVE-2025-6543, CVSS score 9.2), which has affected several critical organizations across the Netherlands (The Hacker News, BleepingComputer, Techzine Global). The flaw, a memory overflow, enables unintended control flow or causes a denial-of-service when devices are configured as Gateway or AAA virtual servers (The Hacker News, BleepingComputer). The flaw was exploited as a zero-day since early May 2025, nearly two months before patches were issued in late June, and the attackers also took steps to erase forensic evidence of their intrusion (BleepingComputer, Techzine Global, The Hacker News).
The investigation, initiated on July 16, 2025, uncovered malicious web shells on the compromised Citrix devices, giving attackers persistent remote access (The Hacker News, Techzine Global). Among the confirmed victims was the Dutch Public Prosecution Service, whose operations were severely disrupted until early August (BleepingComputer, Security Affairs).
NCSC-NL strongly advises organizations to apply the necessary updates and afterwards terminate all active sessions using the following commands:
kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions
A script to detect potential indicators of compromise has also been published by NCSC-NL (The Hacker News, BleepingComputer, Techzine Global). Watch for suspicious signs such as newly created .php files, newly created accounts with elevated privileges, or duplicate filenames with different extensions (The Hacker News, Techzine Global).
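As an added illustration of two of the file-based signs listed above (this is not the NCSC-NL script and does not reproduce its logic), the following Python sketch walks a directory tree, for example a mounted copy of an appliance file system, and reports recently changed .php files and names that exist with more than one extension in the same directory. The function name `scan_tree`, the directory argument, and the look-back window are assumptions chosen for the example.

```python
import os
import sys
import time
from collections import defaultdict


def scan_tree(root, since_epoch):
    """Walk root; return (recent_php_paths, {dir/stem: [filenames]})."""
    recent_php = []
    duplicate_stems = {}
    for dirpath, _dirs, files in os.walk(root):
        by_stem = defaultdict(set)
        for name in files:
            stem, ext = os.path.splitext(name)
            by_stem[stem.lower()].add(name)
            if ext.lower() != ".php":
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or unreadable; skip it
            # mtime is easy to reset after the fact, so also consider
            # ctime (inode change time on Unix) and take the later one.
            if max(st.st_mtime, st.st_ctime) >= since_epoch:
                recent_php.append(path)
        for stem, names in by_stem.items():
            # Same base name with different extensions, e.g. logo.png + logo.php
            exts = {os.path.splitext(n)[1].lower() for n in names}
            if len(exts) > 1:
                duplicate_stems[os.path.join(dirpath, stem)] = sorted(names)
    return sorted(recent_php), duplicate_stems


if __name__ == "__main__":
    # Usage: python scan_tree.py <directory> <days-to-look-back>
    root, days = sys.argv[1], float(sys.argv[2])
    recent, dups = scan_tree(root, time.time() - days * 86400)
    for path in recent:
        print("recent .php:", path)
    for stem, names in dups.items():
        print("same name, different extensions:", stem, names)
```

A clean result does not rule out compromise, since the attackers are reported to have erased forensic evidence; the check for newly created privileged accounts has to be done separately against the device configuration.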