Citrix Forgot to Tell You CVE-2025-6543 Has Been Used as a Zero-Day Since May 2025
The disclosure around CVE-2025-6543 reveals that Citrix NetScaler appliances were exploited as a zero-day from at least May 2025, months before Citrix publicly acknowledged the flaw. Citrix initially described the bug as a denial-of-service issue, but it actually allowed remote code execution via crafted client certificates sent to the /cgi/api/login endpoint. Threat actors used it to implant persistent web shells, steal credentials, and keep their access even after the appliance was patched, so an upgrade alone does not evict an intruder who was already in. Government and legal organizations worldwide were confirmed victims, and forensic evidence shows the attackers deliberately erased traces to complicate investigations.
The same threat actor also leveraged CVE-2025-5777, known as CitrixBleed 2, a memory over-read that leaks session tokens, to hijack user sessions; evidence shows it too was exploited as a zero-day.
IOCs (6)
IP addresses (6):
- 91.107.190.236
- 88.119.169.150
- 38.60.245.99
- 101.99.91.107
- 84.55.67.133
- 194.36.37.5
Detections
- Suspicious NetScaler Login from Tor Exit Node
- Active Directory Recon Utilities Detected
- Remote Access Connections from NetScaler Appliances To Windows Hosts
- Alert on domain account usage from unexpected hosts or concurrent sessions in different geolocations
- Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads
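As an added example, not tooling from the source report or from Citrix: a small Python sweep that checks access-log lines against the six IOC addresses above and implements simplified versions of two of the detection ideas in the list (direct POSTs to /cgi/api/login from sources that never loaded a page first, and one account active from two source IPs within a few minutes, with distinct IPs standing in for "different geolocations" because no GeoIP database is included). The Apache-style log layout, the five-minute window, the direct-POST heuristic and the sample log lines are all assumptions constructed for the example; real NetScaler log exports use other formats.

```python
"""Added illustration: sweep access logs for the IOC IPs and exploitation
patterns listed on this page. Not tooling from the source report."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The six IOC IP addresses listed above.
IOC_IPS = {
    "91.107.190.236", "88.119.169.150", "38.60.245.99",
    "101.99.91.107", "84.55.67.133", "194.36.37.5",
}

# Endpoint the write-up names as the target of the crafted requests.
SUSPECT_PATH = "/cgi/api/login"

# Assumption: logs are Apache-style combined format with the authenticated
# user in the third field. Real NetScaler log exports use other layouts.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec


def scan(lines, window=timedelta(minutes=5)):
    """Return {rule: [detail, ...]} for three of the page's detection ideas.

    ioc_ip              - any request from a listed IOC address
    direct_api_post     - POST to /cgi/api/login from a source that never
                          fetched a page first (assumed heuristic for a
                          scripted exploitation attempt, not a rule from the
                          source report)
    concurrent_sessions - one account active from two source IPs inside
                          `window`; distinct IPs stand in for "different
                          geolocations" because no GeoIP database is bundled
    """
    findings = defaultdict(list)
    gets_seen = set()                 # source IPs that fetched any page via GET
    activity = defaultdict(list)      # user -> [(ts, ip)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                  # skip records that do not parse
        ip, user, ts = rec["ip"], rec["user"], rec["ts"]
        if ip in IOC_IPS:
            findings["ioc_ip"].append(f'{ip} {rec["method"]} {rec["path"]}')
        if rec["method"] == "GET":
            gets_seen.add(ip)
        elif rec["method"] == "POST" and rec["path"] == SUSPECT_PATH and ip not in gets_seen:
            findings["direct_api_post"].append(f'{ip} status={rec["status"]}')
        if user != "-":
            for prev_ts, prev_ip in activity[user]:
                if prev_ip != ip and abs(ts - prev_ts) <= window:
                    findings["concurrent_sessions"].append(f"{user}: {prev_ip} and {ip}")
            activity[user].append((ts, ip))
    return dict(findings)


# Constructed sample log: 203.0.113.x and 198.51.100.x are RFC 5737
# documentation ranges; the other addresses come from the IOC list above.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2025:09:00:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120
203.0.113.10 - alice [12/Jun/2025:09:00:15 +0000] "POST /cgi/api/login HTTP/1.1" 200 312
91.107.190.236 - - [12/Jun/2025:09:02:14 +0000] "POST /cgi/api/login HTTP/1.1" 200 74
198.51.100.7 - - [12/Jun/2025:09:03:40 +0000] "POST /cgi/api/login HTTP/1.1" 500 0
203.0.113.10 - alice [12/Jun/2025:09:05:00 +0000] "GET /vpn/portal HTTP/1.1" 200 2048
194.36.37.5 - alice [12/Jun/2025:09:06:30 +0000] "GET /vpn/portal HTTP/1.1" 200 2048
this line is not an access-log record and is skipped
""".splitlines()

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_LOG).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Run against the constructed sample, the sweep reports two IOC hits (91.107.190.236 and 194.36.37.5), two direct POSTs to /cgi/api/login from sources with no prior page load (the IOC address and 198.51.100.7), and one concurrent-session finding for alice, who appears from 203.0.113.10 and then from an IOC address ninety seconds later. Alice's own login POST at 09:00:15 is not flagged because the same source loaded the portal page first. Point `scan()` at real log lines after adapting `LOG_RE` to the export format you actually have.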