{"uuid": "4a43bf52-0c47-4127-b278-29316a7c4c3d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Citrix forgot to tell you CVE-2025\u20136543 has been used as a zero day since May 2025", "description": "Ref: [https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-used-as-a-zero-day-since-may-2025-d76574e2dd2c](https://doublepulsar.com/citrix-forgot-to-tell-you-cve-2025-6543-has-been-used-as-a-zero-day-since-may-2025-d76574e2dd2c) \n\nBack in late June, Citrix posted a patch for CVE-2025\u20136543, which they described as \u201cMemory overflow vulnerability leading to unintended control flow and Denial of Service\u201d. Denial of service? Piff the magic dragon, who cares.\n\nNo technical details were ever published about the vulnerability. That changes today.\n\nWhat they forgot to tell you: it allows remote code execution, it was used to widely compromise Netscaler remote access systems and maintain network access even after patching, webshells have been deployed, and Citrix knew this and just didn\u2019t mention it.\n\nIt has compromised government and legal services worldwide. Citrix provided customers on request, under weird conditions, a script to check for compromise... but didn\u2019t explain what was happening, and the script was incomplete.\n\nThe exact same threat actor was also exploiting CVE-2025\u20135777 aka CitrixBleed 2 to steal user sessions. This was also being exploited as a zero day. I am investigating if it\u2019s also the same threat actor exploiting CVE-2025\u20137775, the latest Netscaler vulnerability \u2014 more on that soon.\n\nNCSC Netherlands have a rather cool report out about CVE-2025\u20136543, where they\u2019ve essentially done Citrix\u2019s job for them:\n\n[## Case: Citrix vulnerability (Update 13-08-2025)\n\n### Through this page the NCSC provides an update on its earlier reporting. We hereby offer the publication of two new\u2026\n\nwww.ncsc.nl](https://www.ncsc.nl/actueel/nieuws/2025/07/22/casus-citrix-kwetsbaarheid?source=post_page-----d76574e2dd2c---------------------------------------)\n\nThere\u2019s lots of detail in there, but to pull a few things out of their report:\n\n> \u201cThe NCSC notes that several critical organizations within the Netherlands have been successfully attacked.\n>\n> **Zero-day vulnerability**\n>\n> Further research shows that the vulnerability has been abused by the attacker since at least **early May**. On **25 June** Citrix published information about vulnerability CVE-2025\u20136543 and offered a patch to fix it. To this end, we are talking about a zero-day attack, as the vulnerability was abused before it was made public.\n>\n> Forensics at affected organizations show that traces have been actively erased by the attacker. This makes forensic investigation challenging.\u201d\n\nI recommend reading their report. It\u2019s really good. NCSC Netherlands are gods amongst cyber.\n\n## So what\u2019s going on really?\n\nCVE-2025\u20136543 is a vulnerability which allows an attacker to supply a client certificate, which overwrites memory. This then allows code execution on the box.\n\nHow? Calls are made to the Netscaler box to the endpoint /cgi/api/login, with a client supplied certificate. By sending hundreds of requests, you can overwrite chunks of memory in the hope of executing code.\n\nThis was happening long before the patch was released, and then devices were backdoored with webshells and other goodies which persist post patching. The extent of the activity is still unclear \u2014 NCSC NL and others are investigating. It is clear the attackers covered their tracks, too.\n\n## Hunting\n\nI would recommend, if logs exist, checking for web access requests to /cgi/api/login on your Netscaler devices. These will be large POST requests. It is extremely unlikely these are legit requests.\n\nIf you see a series of requests in quick succession, investigate. You will also see lines in your Netscaler logs indicating error code 1245184 at the same time \u2014 this error code means a client supplied certificate is invalid.", "description_format": "markdown", "vulnerability": "CVE-2025-6543", "creation_timestamp": "2025-08-29T06:34:25.960600+00:00", "timestamp": "2025-08-29T06:34:25.960600+00:00", "related_vulnerabilities": ["CVE-2025-6543"], "meta": [{"tags": ["vulnerability:origin=software"]}], "author": {"login": "sync_user", "name": "sync_user", "uuid": "4f29edb9-4c4b-44ca-b041-9b050656b6ae"}}
