
Critical infrastructure suffers from a zero-day vulnerability, as one provider experiences an attack

Thousands of Citrix NetScaler devices continue to pose a security risk, according to a warning issued by researchers.

In a concerning turn of events, a significant number of Citrix NetScaler Application Delivery Controller (ADC) and Gateway appliances remain unpatched and exposed to zero-day vulnerabilities, particularly CVE-2025-6543 and CVE-2025-5777 (CitrixBleed 2).

The vulnerabilities, first identified in 2022, have been exploited since May 2025, and exploitation has continued even though patches have been available since late June. Over 6,000 exploitation attempts have been detected since late July, primarily targeting high-value sectors such as technology, banking, healthcare, and education. The US, Australia, Germany, and the UK have seen a high number of attacks.

The Dutch National Cyber Security Centre (NCSC) has confirmed ongoing exploitation of CVE-2025-6543 in the Netherlands, despite the patch being available for nearly two months. The persistence of successful attacks indicates many appliances remain unpatched or insufficiently mitigated.

NetScaler ADC and Gateway versions 12.1 and 13.0, which are end-of-life, continue to be vulnerable, and many customer-managed appliances have not yet applied the fixes. While cloud-managed services are updated, on-premises customer-managed devices are primarily the concern.

The hackers, whose activities are consistent with prior China-nexus activity according to Mandiant, compromised a critical infrastructure provider's network environment by exploiting these vulnerabilities. They stole data from the provider's Active Directory in June. The appliances had the latest patches installed at the time of the intrusion, and Mandiant researchers are investigating further cases in which fully patched appliances were compromised.

The hackers attempted to move to the organization's domain controller, but were blocked due to network segmentation controls. About 61,000 affected ADC appliances are exposed to the internet.

In response to the ongoing threat, Citrix released security updates on Tuesday. The company has also rebranded Citrix ADC and Citrix Gateway to NetScaler ADC and NetScaler Gateway. At the time the blog post was published, no public proof of concept was available.

ADCs are a key component of enterprise and cloud data centers, ensuring continuous improvement, application availability, and security. It is crucial for organizations to prioritize the application of security updates to minimize the risk of ongoing compromise. Security advisories recommend upgrading to the latest fixed versions and terminating all persistent sessions.

Cybersecurity experts are urging organizations to prioritize patching vulnerable Citrix NetScaler ADC and Gateway appliances, as the ongoing exploitation of CVE-2025-6543 and CVE-2025-5777 underscores a significant risk in finance and technology sectors. The persistence of successful attacks on high-value sectors such as banking, healthcare, and education suggests that many appliances remain unpatched or insufficiently mitigated.

Despite cloud-managed services being updated, it's the on-premises customer-managed devices that continue to be the primary concern, with about 61,000 affected ADC appliances exposed to the internet. In light of the ongoing threat, it's crucial for organizations to secure their cybersecurity infrastructure by upgrading to the latest fixed versions, terminating all persistent sessions, and applying security updates in a timely manner to minimize the risk of ongoing compromise.
