Citrix NetScaler ADC/Gateway active zero-day flaw (CVE-2025-6543)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2025-6543 is a critical Citrix NetScaler ADC/Gateway flaw that was actively exploited as a zero-day before public disclosure, creating breach risk for critical organizations in the Netherlands. Investigators found malicious web shells on affected devices and evidence that attackers tried to erase traces of the compromise. The issue matters because exposed appliances can be used to gain remote access and persistence. Citrix has shipped fixes, and defenders are being told to patch immediately and terminate active sessions.
Related Happenings
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation WaveAbout this happening: **CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
Digiever DS-2105 Pro active exploitation wave (CVE-2023-52163)
Exploitation Wave
First: 25.12.2025 10:07
Last: 25.12.2025 10:07
Sources 1
About this happening:
**CVE-2023-52163** is being exploited at scale against **Digiever DS-2105 Pro NVRs**, with multiple reports linking abuse to **Mirai** and **ShadowV2** botnet delivery. The flaw i...
Digiever DS-2105 Pro active exploitation wave (CVE-2023-52163)
Exploitation WaveAbout this happening: **CVE-2023-52163** is being exploited at scale against **Digiever DS-2105 Pro NVRs**, with multiple reports linking abuse to **Mirai** and **ShadowV2** botnet delivery. The flaw i...
Cloudflare WAF protections for React2Shell (CVE-2025-55182)
Advisory/Mitigation
First: 05.12.2025 17:12
Last: 05.12.2025 17:12
Sources 1
About this happening:
Cloudflare rolled out **WAF protections** for **CVE-2025-55182 / React2Shell**, a mitigation aimed at reducing **unauthenticated RCE** risk across **React** deployments. The actio...
Cloudflare WAF protections for React2Shell (CVE-2025-55182)
Advisory/MitigationAbout this happening: Cloudflare rolled out **WAF protections** for **CVE-2025-55182 / React2Shell**, a mitigation aimed at reducing **unauthenticated RCE** risk across **React** deployments. The actio...
NetScaler ADC and Gateway / Cisco ISE exploited zero-day flaws (multiple vulnerabilities)
Vulnerability
First: 12.11.2025 16:00
Last: 12.11.2025 16:00
Sources 1
About this happening:
**CVE-2025-5777** and **CVE-2025-20337** were exploited as **zero-days** against **NetScaler ADC and Gateway** and **Cisco ISE**, creating pre-disclosure compromise risk before fi...
NetScaler ADC and Gateway / Cisco ISE exploited zero-day flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **CVE-2025-5777** and **CVE-2025-20337** were exploited as **zero-days** against **NetScaler ADC and Gateway** and **Cisco ISE**, creating pre-disclosure compromise risk before fi...
Cisco ISE and Citrix NetScaler ADC zero-day malware delivery campaign
Campaign
First: 12.11.2025 16:00
Last: 12.11.2025 16:00
Sources 1
About this happening:
A **zero-day exploitation campaign** against **Cisco ISE** and **Citrix NetScaler ADC** is delivering **custom malware** into enterprise identity and network access control infras...
Cisco ISE and Citrix NetScaler ADC zero-day malware delivery campaign
CampaignAbout this happening: A **zero-day exploitation campaign** against **Cisco ISE** and **Citrix NetScaler ADC** is delivering **custom malware** into enterprise identity and network access control infras...
Timeline
-
12.08.2025 11:36 1 articles · 9mo ago
Citrix NetScaler ADC/Gateway active zero-day flaw (CVE-2025-6543)
Initial DisclosureBy **late June 2025**, **Citrix** had disclosed **CVE-2025-6543**, and later investigation showed the flaw was being abused as a **zero-day** from **early May 2025**. The first confirmed exploitation findings on **July 16, 2025** tied the vulnerability to compromise activity on **NetScaler ADC/Gateway** devices.
Show sources
- Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors — thehackernews.com — 12.08.2025 11:36