Citrix forgot to tell you CVE-2025-6543 has been used as a zero day since May 2025

ID: 7f45c449-3976-56b1-8610-336748477247

STIX ID: report--7f45c449-3976-56b1-8610-336748477247

Feed Name: DoublePulsar

Threat Score: 90/100

Date Published: 2025-08-28

Date Updated: 2026-04-19

Author: Kevin Beaumont

The report details active in-the-wild exploitation of Citrix NetScaler CVE-2025-6543 (a client-certificate memory overflow leading to remote code execution), used since at least May 2025 to deploy webshells and persistent backdoors across government and legal services. It cites NCSC Netherlands' analysis. The author describes forensic artifacts (large POSTs to /cgi/api/login, error code 1245184, core dumps), provides IoCs and hunting/mitigation steps, and notes related zero-day exploitation of CVE-2025-5777 (CitrixBleed2).
