The Hackers Were Already Inside the Office: Why Citrix Users Need to Act Now

By Max van der Linden, Senior Security Specialist

Imagine your office building. The front door has an electronic lock and a security guard at the desk. All employees swipe their badges, visitors check in, and everything feels safe.

But months ago, someone discovered a vulnerability in that front door lock, allowing them to walk in and out of the building freely. While they were inside, they had the chance to build secret tunnels into the basement, open a side window in the security office, and maybe even plant microphones in the meeting rooms.

This is what is happening right now with Citrix NetScaler devices.

The Break-In

Your NetScaler is that secure front door for employees who log in remotely. It is supposed to be the only safe way into the building from the outside.

The vulnerability CVE-2025-6543 is like a flaw in the lock that lets attackers walk in without swiping a badge.

This makes it possible to:

  • Install web shells, which is like digging a secret tunnel so the attacker can still get inside after the lock is fixed.
  • Delete the visitor logs so security will not know they have been there.

Additionally, there are more problems that were recently fixed:

  • CVE-2025-5777 is like having a hidden filing cabinet in the lobby that leaks private meeting notes and master keys to anyone who knows where to look.
  • CVE-2025-5349 is like leaving the control room door unlocked so anyone could sneak in and mess with the building systems.

Here is the Catch

Citrix has now replaced the faulty lock, removed the filing cabinet, and locked the control room door again, but an attacker could already have been inside for months before that.

Even if you changed the lock on day one of the fix, the tunnels, hidden entrances, and unlocked windows might still be there.

What needs to be done

1. Replace the Front Lock

Install Citrix’s latest security updates. If your front door still has the old lock, intruders can still walk in.

2. Clear the Building

Force everyone to leave the building and make them show their entry badge if they want to get back in. In NetScaler, that means running:

kill icaconnection -all
kill pcoipConnection -all
kill aaa session -all
kill rdp connection -all
clear lb persistentSessions

3. Sweep for Tunnels and Hidden Entrances

  • Use the Dutch NCSC’s scanning tools to find planted files and backdoors: https://github.com/NCSC-NL/citrix-2025
  • Check every "floor" (system directory) for things that should not be there
  • Look for new "master keys" (admin accounts) you did not issue
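The sweep described in this step can be partly automated. The following Python script is an added example and is not part of this article or of the NCSC tooling: it walks a set of directories that serve content to unauthenticated users and reports files that were modified after a cutoff date or that carry a script extension, and it parses `add system user` lines from an ns.conf to list admin accounts that you did not issue. The directory list, the cutoff and the sample configuration are assumptions constructed for the demo; substitute the paths and baseline from the vendor and NCSC guidance for your appliance.

```python
import os
import tempfile
import time

# Directories that, on a NetScaler, serve content to unauthenticated users.
# These relative paths are assumptions for this example; take the real list
# from the vendor / NCSC guidance for your build.
WEB_DIRS = ["netscaler/ns_gui", "var/vpn", "var/netscaler/logon"]

# File types that do not belong in served directories unless you put them there.
SUSPECT_EXTENSIONS = {".php", ".pl", ".sh", ".py"}


def sweep_web_dirs(root, cutoff):
    """Return sorted (relative path, reason) pairs for files under the served
    directories that either carry a script extension or were modified after
    `cutoff` (a UNIX timestamp, e.g. the day the vulnerable build went live)."""
    findings = []
    for rel_dir in WEB_DIRS:
        base = os.path.join(root, rel_dir)
        if not os.path.isdir(base):
            continue
        for dirpath, _, filenames in os.walk(base):
            for name in filenames:
                path = os.path.join(dirpath, name)
                rel = os.path.relpath(path, root)
                ext = os.path.splitext(name)[1].lower()
                if ext in SUSPECT_EXTENSIONS:
                    findings.append((rel, "script file in served directory"))
                elif os.path.getmtime(path) > cutoff:
                    findings.append((rel, "modified after cutoff"))
    return sorted(findings)


def unexpected_admin_users(ns_conf_text, issued_users):
    """Parse `add system user <name> ...` lines (NetScaler config syntax) and
    return the account names that are not in the set of accounts you issued."""
    found = set()
    for line in ns_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:3] == ["add", "system", "user"]:
            found.add(parts[3])
    return sorted(found - set(issued_users))


# Constructed ns.conf excerpt for the demo (not taken from a real appliance).
SAMPLE_NS_CONF = """\
set ns config -IPAddress 192.0.2.10 -netmask 255.255.255.0
add system user nsroot ******** -encrypted
add system user ops_admin ******** -encrypted
add system user svc_backup ******** -encrypted
add lb vserver web_lb HTTP 192.0.2.20 80
"""
ISSUED_USERS = {"nsroot", "ops_admin"}


def build_sample_tree():
    """Construct a throwaway directory tree that mimics the served paths, with
    one untouched file, one recently modified file and one planted script
    (placeholder content only)."""
    root = tempfile.mkdtemp()
    old = time.time() - 90 * 86400  # 90 days ago: before the patch window
    for rel_dir in WEB_DIRS:
        os.makedirs(os.path.join(root, rel_dir))
    legit = os.path.join(root, "netscaler/ns_gui/index.html")
    with open(legit, "w") as f:
        f.write("<html>login</html>")
    os.utime(legit, (old, old))
    touched = os.path.join(root, "var/vpn/theme.css")
    with open(touched, "w") as f:
        f.write("body{}")  # mtime stays "now": modified after the cutoff
    planted = os.path.join(root, "var/netscaler/logon/cmd.php")
    with open(planted, "w") as f:
        f.write("placeholder, no payload")
    os.utime(planted, (old, old))  # old mtime, but the extension gives it away
    return root


def run_demo():
    """Run both checks against the constructed tree and config."""
    root = build_sample_tree()
    cutoff = time.time() - 30 * 86400  # assume the exposure window began 30 days ago
    findings = sweep_web_dirs(root, cutoff)
    extra_users = unexpected_admin_users(SAMPLE_NS_CONF, ISSUED_USERS)
    return findings, extra_users


if __name__ == "__main__":
    files, users = run_demo()
    for rel, reason in files:
        print(f"FILE  {rel}: {reason}")
    for user in users:
        print(f"USER  {user}: admin account not in issued list")
```

The modification-time check is only a first filter: an intruder who backdates a file will pass it, which is why the extension check and the config diff run independently of it, and why the NCSC tooling, which looks for known indicators, should still be run.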

4. Change All the Keys and Alarm Codes

  • Reset all admin passwords
  • Re-issue VPN tokens and certificates

5. Secure the Control Room

  • Keep the NetScaler management panel off the open internet
  • Only allow access from a small list of trusted origins (IP addresses)

6. Watch the Cameras

  • Turn on full logging
  • Watch for unusual badge swipes (logins), odd hours, or changes to building systems
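To make "watch the cameras" concrete, the following Python script is an added example (not part of this article) that runs a few simple detections over login and configuration events: successful logins outside business hours, a success that follows repeated failures from the same address, management-panel logins from addresses outside your allowlist, and the creation of new admin accounts. The log lines, their format and the allowlist are constructed for the demo; the real NetScaler log format differs, so the parser is the part you would adapt.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not the real ns.log format): timestamp, source
# subsystem, event text, then key=value fields.
SAMPLE_LOG = """\
2025-08-20T08:15:02 AAA LOGIN_SUCCESS user=alice client_ip=203.0.113.7
2025-08-20T03:12:44 AAA LOGIN_SUCCESS user=bob client_ip=203.0.113.9
2025-08-20T09:40:10 AAA LOGIN_FAILURE user=alice client_ip=198.51.100.23
2025-08-20T09:40:15 AAA LOGIN_FAILURE user=alice client_ip=198.51.100.23
2025-08-20T09:40:20 AAA LOGIN_SUCCESS user=alice client_ip=198.51.100.23
2025-08-20T10:02:33 CONFIG add system user svc_backup client_ip=198.51.100.23
2025-08-20T10:05:01 GUI LOGIN_SUCCESS user=nsroot client_ip=192.0.2.50
"""

# Assumed allowlist of addresses permitted to reach the management panel.
MGMT_ALLOWLIST = {"192.0.2.5"}


def parse(line):
    """Split one line into timestamp, source, event text and key=value fields."""
    ts_str, source, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    event = re.sub(r"\s*\w+=\S+", "", rest).strip()
    return {"ts": datetime.fromisoformat(ts_str), "source": source,
            "event": event, **fields}


def triage(log_text, mgmt_allowlist, business_hours=(7, 19), fail_threshold=2):
    """Return (rule, user_or_account, client_ip) alerts in log order."""
    alerts = []
    failures = defaultdict(int)  # (user, ip) -> failures since last success
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        hour = ev["ts"].hour
        if ev["event"] == "LOGIN_FAILURE":
            failures[(ev["user"], ev["client_ip"])] += 1
        elif ev["event"] == "LOGIN_SUCCESS":
            key = (ev["user"], ev["client_ip"])
            if failures[key] >= fail_threshold:
                alerts.append(("success_after_failures", ev["user"], ev["client_ip"]))
            failures[key] = 0
            if not (business_hours[0] <= hour < business_hours[1]):
                alerts.append(("off_hours_login", ev["user"], ev["client_ip"]))
            if ev["source"] == "GUI" and ev["client_ip"] not in mgmt_allowlist:
                alerts.append(("mgmt_login_from_untrusted_ip", ev["user"], ev["client_ip"]))
        elif ev["source"] == "CONFIG" and ev["event"].startswith("add system user"):
            account = ev["event"].split()[3]
            alerts.append(("admin_account_created", account, ev["client_ip"]))
    return alerts


def run_demo():
    return triage(SAMPLE_LOG, MGMT_ALLOWLIST)


if __name__ == "__main__":
    for rule, who, ip in run_demo():
        print(f"{rule:30} {who:12} {ip}")
```

Each rule on its own produces noise (a night-shift admin, a user who mistyped a password); the value is in correlating them, for example an off-hours login followed minutes later by an account creation from the same address, which is exactly the "new master key you did not issue" this article warns about.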

If you run into unusual behaviour, discover a hidden tunnel, or need assistance, reach out to our sales representatives at cybersecurity@bureauveritas.com

The Real Lesson

This is not just about changing the front door lock. It is about finding and closing every secret entrance the intruder left behind. If you only swap the lock and walk away, you could still have someone in the basement, plugged into your wiring, waiting for the right time to strike.


SOURCES:

https://thehackernews.com/2025/08/dutch-ncsc-confirms-active-exploitation.html
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420&artic%5B%E2%80%A6%5Dteway_Security_Bulletin_for_CVE_2025_5349_and_CVE_2025_5777=

About the author

Max van der Linden

Max van der Linden is Senior Security Specialist at Bureau Veritas Cybersecurity. He specializes in Social Engineering, Red Teaming, Network, and Web Application Pentesting.


Why choose Bureau Veritas Cybersecurity

Bureau Veritas Cybersecurity is your expert partner in cybersecurity. We help organizations identify risks, strengthen defenses and comply with cybersecurity standards and regulations. Our services cover people, processes and technology, ranging from awareness training and social engineering to security advice, compliance and penetration testing.

We operate across IT, OT and IoT environments, supporting both digital systems and connected products. With over 300 cybersecurity professionals worldwide, we combine deep technical expertise with a global presence. Bureau Veritas Cybersecurity is part of the Bureau Veritas Group, a global leader in testing, inspection and certification.