The NCSC has released an important update on sophisticated cyberattacks in which Dutch organizations have been successfully compromised via vulnerabilities in Citrix NetScaler. The attacks use a zero-day exploit and active trace removal, which makes forensic investigation difficult.
Malicious webshells have been found on Citrix devices at multiple critical organizations in the Netherlands. A webshell gives attackers remote access to the system, even after the original vulnerability has been patched. The National Cyber Security Center warns that this digital attack is the work of advanced actors.
Citrix NetScaler acts as a gateway for remote working and provides application delivery within organizations. This central position allows attackers to gain access to corporate environments and intranets after compromise.
Zero-day exploitation since May
Forensic investigation shows that the zero-day vulnerability tracked as CVE-2025-6543 was exploited as early as the beginning of May, while Citrix did not publicly share information or offer a patch until June 25. This timeline illustrates how attackers exploited the flaw before defensive measures became available.
Since July 16, the NCSC has been conducting an ongoing cyber investigation into the exploitation of critical vulnerabilities in Citrix NetScaler. The investigation confirms that several critical organizations within the Netherlands have been successfully attacked.
In addition to the zero-day exploitation, attackers actively deleted traces to hide the compromise. This makes forensic investigation challenging and means that some questions about this digital attack may remain unanswered.
Patching alone is insufficient
The NCSC emphasizes that updating systems is not enough to eliminate the risk. Malicious actors can retain previously gained access, even after security updates have been installed. This means that the risk of continued abuse remains.
Organizations should therefore increase their resilience by implementing defense-in-depth control measures. This approach helps protect against specific attacks and similar attacks via new vulnerabilities.
If Indicators of Compromise (IOCs) of this attack are found, further investigation is needed to determine whether a compromise has actually occurred. The NCSC advises organizations to contact cert@ncsc.nl for support.
The investigation is ongoing, and the NCSC is working with affected organizations and partners in the security chain to find new indicators. Active information sharing improves the investigation and strengthens findings.