The Netherlands’ National Cyber Security Centre said a previously unknown flaw in Citrix NetScaler remote-access appliances was used to break into several critical organisations for at least three months before public disclosure. Investigators found attackers implanted covert web shells and wiped logs to conceal their presence, disrupting services at bodies including the Dutch Public Prosecution Service until early August. The vulnerability, tracked as CVE-2025-6543 and carrying a CVSS severity score of 9.2, is a memory-overflow defect that allows remote code execution on NetScaler ADC and NetScaler Gateway devices configured as VPN or proxy servers. According to the NCSC, the campaign began in early May and was still active when the agency started its investigation. Citrix on 12 August issued patches for supported product lines, recommending customers upgrade to version 13.1-59.19 or 14.1-47.46, while older builds of FIPS and NDcPP variants also require updates. The NCSC released a detection script and advised administrators to assume compromise if indicators are found, and the U.S. Cybersecurity and Infrastructure Security Agency has added the bug to its Known Exploited Vulnerabilities catalogue, mandating prompt remediation across federal networks.