Critical · September 21, 2025

Citrix Forgot to Tell You CVE-2025-6543 Has Been Used as a Zero Day Since May 2025

The disclosure around CVE-2025-6543 reveals that Citrix NetScaler appliances were exploited as a zero-day from at least May 2025, months before Citrix publicly acknowledged the flaw. Initially downplayed as a denial-of-service issue, the bug actually allowed remote code execution via crafted client certificates sent to the /cgi/api/login endpoint. Threat actors leveraged this to implant persistent web shells, steal credentials, and maintain access even after patching. Government and legal organizations worldwide were confirmed victims, with forensic evidence showing attackers deliberately erased traces to complicate investigations.

The same threat actor also leveraged CVE-2025-5777, known as CitrixBleed 2, to hijack user sessions, with evidence showing it too was exploited as a zero-day.

IP addresses (6)

Detections (5)

  • Suspicious NetScaler Login from Tor Exit Node
  • Active Directory Recon Utilities Detected
  • Remote Access Connections from NetScaler Appliances To Windows Hosts
  • Detect post-exploitation child processes spawned by web/app servers
  • Alert on domain account use from unexpected hosts or geolocations
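The first detection above, applied to the /cgi/api/login endpoint named in the brief, as an added example that is not part of the original brief or of any vendor tooling: it parses constructed access-log lines in an assumed common-log-style layout (not NetScaler's real format), flags logins from a placeholder Tor exit-node set, and flags bursts of login calls from one source.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (the layout is an assumption for this example).
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2025:08:01:12 +0000] "POST /cgi/api/login HTTP/1.1" 200 512
198.51.100.9 - - [20/May/2025:08:03:44 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048
198.51.100.23 - - [20/May/2025:08:05:01 +0000] "POST /cgi/api/login HTTP/1.1" 500 0
198.51.100.23 - - [20/May/2025:08:05:03 +0000] "POST /cgi/api/login HTTP/1.1" 500 0
198.51.100.23 - - [20/May/2025:08:05:05 +0000] "POST /cgi/api/login HTTP/1.1" 200 128
"""

# Constructed placeholder; a deployment would load a current Tor exit-node list.
TOR_EXIT_NODES = {"203.0.113.7"}

WATCHED_PATH = "/cgi/api/login"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(log_text, tor_exits=TOR_EXIT_NODES, burst_threshold=3):
    """Return (reason, source_ip) findings for /cgi/api/login activity worth triage."""
    findings = []
    per_ip = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue
        per_ip[rec["ip"]] += 1
        if rec["ip"] in tor_exits:
            findings.append(("login_from_tor_exit", rec["ip"]))
    # Repeated calls to the login endpoint from one source are a second, weaker signal.
    for ip, count in per_ip.items():
        if count >= burst_threshold:
            findings.append(("login_burst", ip))
    return findings
```

Feeding real appliance logs requires only swapping the regex for the site's actual log layout; the two signals and the triage output stay the same.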