Hackers have breached critical infrastructure organizations in the Netherlands using a vulnerability in Citrix’s NetScaler products, highlighting the serious risks facing the thousands of systems still running vulnerable NetScaler instances.
“Several critical organizations in the Netherlands have been successfully attacked” using the memory-overflow vulnerability in NetScaler ADC and NetScaler Gateway, the Dutch National Cyber Security Centre said on Monday. The flaw is tracked as CVE-2025-6543 and rated as critical.
The unknown intruders first breached their targets’ networks in early May, more than a month before Citrix’s June 25 disclosure of the flaw, the NCSC said. They used “sophisticated methods” and erased evidence of their activities “to conceal the compromise at the affected organizations,” the agency added. “The investigation is ongoing, but it can now be concluded that perhaps not all questions about this digital attack can be answered.”
Citrix in June also disclosed a similar NetScaler flaw, an insufficient-input-validation vulnerability tracked as CVE-2025-5777 and also rated critical.
There are more than 3,300 internet-connected NetScaler instances vulnerable to CVE-2025-5777 worldwide and more than 4,100 instances vulnerable to CVE-2025-6543, according to data from the Shadowserver Foundation. “We see exploitation attempts for both vulnerabilities in our sensors,” the group said in a social media post.
The intrusions in the Netherlands raise questions about how widespread the NetScaler attacks may be, including whether hackers have used the Citrix flaws to breach any U.S. critical infrastructure providers. There are more than 1,300 NetScaler instances in the U.S. that are vulnerable to at least one of the flaws, according to Shadowserver Foundation data.
Researchers at ReliaQuest previously warned of exploitation in late June, days after Citrix disclosed the second flaw.
The Cybersecurity and Infrastructure Security Agency (CISA), which has added both flaws to its Known Exploited Vulnerabilities catalog, is working with Citrix and other partners “to assess prevalence and reported incidents,” according to Chris Butera, the agency’s acting executive assistant director for cybersecurity.
“Given the widespread use of Citrix NetScaler ADC and Gateway systems,” Butera said in a statement, “CISA continues to urge all organizations to reduce their exposure to possible cyberattacks by immediately patching this vulnerability, if they haven’t done so already.”
Experts have been worried that the NetScaler flaws could power a wave of attacks akin to the ones that followed the 2023 disclosure of a flaw dubbed “CitrixBleed.” Citrix has struggled with zero-day vulnerabilities over the past few years; the company disclosed two such flaws in January 2024.
Editor’s note: This story has been updated with a comment from CISA.
Correction: A previous version of this story’s headline misstated the name of the company that sells NetScaler. It is Citrix.