Hasty Briefs (beta)

Citrix forgot to tell you CVE-2025-6543 has been used as a zero-day since May

13 days ago
  • #Zero-Day
  • #Citrix
  • #Cybersecurity
  • Citrix failed to disclose that CVE-2025-6543 had been exploited as a zero-day since May 2025; the bug allows remote code execution and led to widespread compromise of NetScaler systems.
  • Attackers used it to deploy webshells that preserved their network access even after the patch was applied, affecting government and legal services globally.
  • Citrix provided an incomplete compromise-check script, distributed under unusual conditions, without explaining the underlying issue.
  • The same threat actor exploited CVE-2025-5777 (CitrixBleed 2) to hijack user sessions, and possibly CVE-2025-7775 as well.
  • The Dutch NCSC reported that attackers erased their traces, complicating forensic investigation.
  • Exploitation involves sending numerous requests to /cgi/api/login with a client certificate to overwrite memory and execute code.
  • Recommendations: check logs for requests to /cgi/api/login, run the provided scripts, and act immediately if exploitation is suspected.
  • IP and webshell indicators of compromise (IoCs) are provided, though webshell names vary by victim.
  • NetScaler customers are abandoning the product because of frequent zero-day exploitation and the lack of transparency from Citrix/Cloud Software Group.
  • Criticism of Citrix's handling includes a failure to follow Secure by Design principles and to address long-standing security issues.
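The log check recommended above, as an added example that is not part of the original article, Citrix's scripts, or the published IoC list: it parses access-log lines, counts requests to /cgi/api/login per source IP, and flags hosts that exceed a volume threshold or appear on a supplied IoC list. The log layout is an assumed common-log-style format chosen for the example (real NetScaler logs differ, so the regex must be adapted), the sample lines are constructed, and the IP addresses come from documentation ranges rather than any real indicator.

```python
"""Added example: flag hosts hammering /cgi/api/login in access logs.

Assumptions (not from the article): a common-log-style line layout, a
constructed sample log, and documentation-range IPs (RFC 5737) in place of
real IoCs. Adapt LOG_RE and the IoC set to your own environment.
"""
import re
from collections import Counter

# Constructed sample log lines. 203.0.113.7 repeatedly hits the login API,
# which is the pattern the exploit produces; the others are ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Aug/2025:02:14:01 +0000] "POST /cgi/api/login HTTP/1.1" 200 512
203.0.113.7 - - [18/Aug/2025:02:14:02 +0000] "POST /cgi/api/login HTTP/1.1" 200 512
203.0.113.7 - - [18/Aug/2025:02:14:02 +0000] "POST /cgi/api/login HTTP/1.1" 200 512
203.0.113.7 - - [18/Aug/2025:02:14:03 +0000] "POST /cgi/api/login HTTP/1.1" 500 0
198.51.100.4 - - [18/Aug/2025:09:00:10 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
198.51.100.4 - - [18/Aug/2025:09:00:11 +0000] "POST /cgi/api/login HTTP/1.1" 200 512
192.0.2.9 - - [18/Aug/2025:10:00:00 +0000] "GET /logon/LogonPoint/index.html HTTP/1.1" 200 4096
"""

# Assumed line layout: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PATH = "/cgi/api/login"


def parse_log(text):
    """Yield (ip, method, path, status) for each line matching LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m.group("ip"), m.group("method"),
                   m.group("path"), int(m.group("status")))


def count_login_hits(text):
    """Count requests to the login API per source IP (query string ignored)."""
    hits = Counter()
    for ip, _method, path, _status in parse_log(text):
        if path.split("?", 1)[0] == TARGET_PATH:
            hits[ip] += 1
    return hits


def flag_suspects(text, threshold=3, known_bad=frozenset()):
    """Return sorted (ip, hit_count, reason) for hosts that hit the login API
    at least `threshold` times ("volume") and/or are on the IoC list ("ioc").
    Only hosts that touched the endpoint are considered here; see ioc_sweep
    for a whole-log match against the IoC list."""
    flagged = []
    for ip, n in sorted(count_login_hits(text).items()):
        reasons = []
        if n >= threshold:
            reasons.append("volume")
        if ip in known_bad:
            reasons.append("ioc")
        if reasons:
            flagged.append((ip, n, "+".join(reasons)))
    return flagged


def ioc_sweep(text, known_bad):
    """Return the set of IoC IPs seen anywhere in the log, regardless of path."""
    return {ip for ip, _m, _p, _s in parse_log(text) if ip in known_bad}


if __name__ == "__main__":
    # Constructed IoC set for demonstration; substitute the published list.
    demo_iocs = frozenset({"198.51.100.4"})
    for ip, n, why in flag_suspects(SAMPLE_LOG, threshold=3, known_bad=demo_iocs):
        print(f"{ip}: {n} login-API requests ({why})")
    print("IoC hits anywhere in log:", sorted(ioc_sweep(SAMPLE_LOG, demo_iocs)))
```

A single request to /cgi/api/login is normal user traffic, so the volume threshold, not the endpoint alone, is the signal; tune it against a baseline from your own logs. Because the article notes that attackers erased their traces, an empty result proves nothing: treat this as one check alongside the provided scripts and a webshell search, not as a clean bill of health.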