Description of Problem
A vulnerability has been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Refer below for further details.
Affected Versions
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:
NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
NetScaler ADC 12.1-FIPS is not affected by this vulnerability.
Additional Note: Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities.
This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades the Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.
Details
NetScaler ADC and NetScaler Gateway contain the vulnerability mentioned below:
CVE-ID
Description Pre-conditions CWE CVSSv4
CVE-2025-6543
Memory overflow vulnerability leading to unintended control flow and Denial of Service
NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
CVSS v4.0 Base Score: 9.2
(CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L)
What Customers Should Do
Exploits of CVE-2025-6543 on unmitigated appliances have been observed.
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support - https://support.citrix.com/support-home/home to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue.
Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.
GreyNoise has identified a notable surge in scanning activity targeting MOVEit Transfer systems, beginning on May 27, 2025. Prior to this date, scanning was minimal — typically fewer than 10 IPs observed per day.
Roughly 16% of Swiss federal politicians had their official government email leaked on the dark web. This puts them at risk of phishing attacks or blackmail.
In the latest installment of our investigation into politicians’ cybersecurity practices, we found the official government email addresses of 44 Swiss politicians for sale on the dark web, roughly 16% of the 277 emails we searched. Constella Intelligence(new window) helped us compile this information.
Sharp-eyed readers might wonder why we searched for 277 email addresses if there are only 253 politicians between the Council of States, Federal Council, and National Council. The explanation is some politicians publicly share another email address along with their official government one. In these cases, we searched for both.
Since these email addresses are all publicly available, it’s not an issue that they’re on the dark web. However, it is an issue that they appear in data breaches, meaning Swiss politicians violated cybersecurity best practices and used their official emails to create accounts with services like Dropbox, LinkedIn, and Adobe, although there is evidence some Swiss politicians used their government email address to sign up for adult and dating platforms.
We’re not sharing identifying information for obvious reasons, and we notified every affected politician before we published this article.
Swiss politicians performed roughly as well as their European colleagues, having few fewer elected officials with exposed information than the UK (68%), the European Parliament (41%), and France (18%), and only slightly more than Italy (15%).
It should be noted that even a single compromised account could have significant ramifications on national security. And this isn’t a hypothetical. The Swiss government is actively being targeted on a regular basis. In 2025, hackers used DDoS attacks(new window) to knock the Swiss Federal Administration’s telephones, websites, and services offline. In 2024, Switzerland’s National Cyber Security Center published a report stating the Play ransomware group stole 65,000 government documents(new window) containing classified information from a government provider.
ATO’s 76th summit, which will be held June 24-25, 2025, in The Hague, Netherlands, comes at a time as the alliance’s member countries grapple with a rapidly changing global security dynamic. Russia continues to press on with its war campaign in Ukraine despite efforts to achieve a cease fire. Deep questions remain over the U.S. military commitment to Ukraine and if the U.S. would assist Europe if a conflict surfaced as required under Article 5 of NATO’s founding treaty. Israel undertook bombing strikes against Iran on the pretence that Iran was edging close to building viable nuclear weapons, which was followed by U.S. airstrikes. Since the previous summit, the leaders of European NATO countries have shown a dramatic change in rhetoric regarding the need to take on greater responsibility for security on the European continent, particularly as it pertains to increases in defense spending and military assistance to Ukraine. With an anticipated ambitious agenda, evidence of a clear rift in transatlantic relations and the alliance’s global super power distracted with other priorities, the summit could be hampered by disruption and division. This environment is ripe for cyber threats, prompting NATO member states to be on the look out for activity that could impact critical infrastructure entities. These threats could come from ideological and politically motivated attackers, who may seek to draw attention through distributed denial-of-service (DDoS) attacks, data leaks and website defacements affecting NATO nations. This blog, which draws on Intel 471’s Cyber Geopolitical Intelligence, will outline the issues at hand at the summit, the challenges facing NATO and look at the possible cyber threats.
Hacktivist attacks surge on U.S. targets after Iran bombings, with groups claiming DDoS hits on military, defense, and financial sectors amid rising tensions.
The U.S. has become a target in the hacktivist attacks that have embroiled several Middle Eastern countries since the start of the Israel-Iran conflict.
Several hacktivist groups have claimed DDoS attacks against U.S. targets in the wake of U.S. airstrikes on Iranian nuclear sites on June 21.
The attacks—most notably from hacktivist groups Mr Hamza, Team 313, Cyber Jihad, and Keymous+—targeted U.S. Air Force domains, major U.S. Aerospace and defense companies, and several banks and financial services companies.
The cyberattacks follow a broader campaign against Israeli targets that began after Israel launched attacks on Iranian nuclear and military targets on June 13. Israel and Iran have exchanged missile and drone strikes since the conflict began, and Iran also launched missiles at a U.S. military base in Qatar on June 23.
The accompanying cyber warfare has included DDoS attacks, data and credential leaks, website defacements, unauthorized access, and significant breaches of Iranian banking and cryptocurrency targets by Israel-linked Predatory Sparrow. Electronic interference with commercial ship navigation systems has also been reported in the Strait of Hormuz and the Persian Gulf.
An AI Researcher at Neural Trust has discovered a novel jailbreak technique that defeats the safety mechanisms of today’s most advanced Large Language Models (LLMs). Dubbed the Echo Chamber Attack, this method leverages context poisoning and multi-turn reasoning to guide models into generating harmful content, without ever issuing an explicitly dangerous prompt.
Unlike traditional jailbreaks that rely on adversarial phrasing or character obfuscation, Echo Chamber weaponizes indirect references, semantic steering, and multi-step inference. The result is a subtle yet powerful manipulation of the model’s internal state, gradually leading it to produce policy-violating responses.
In controlled evaluations, the Echo Chamber attack achieved a success rate of over 90% on half of the categories across several leading models, including GPT-4.1-nano, GPT-4o-mini, GPT-4o, Gemini-2.0-flash-lite, and Gemini-2.5-flash. For the remaining categories, the success rate remained above 40%, demonstrating the attack's robustness across a wide range of content domains.
The Echo Chamber Attack is a context-poisoning jailbreak that turns a model’s own inferential reasoning against itself. Rather than presenting an overtly harmful or policy-violating prompt, the attacker introduces benign-sounding inputs that subtly imply unsafe intent. These cues build over multiple turns, progressively shaping the model’s internal context until it begins to produce harmful or noncompliant outputs.
The name Echo Chamber reflects the attack’s core mechanism: early planted prompts influence the model’s responses, which are then leveraged in later turns to reinforce the original objective. This creates a feedback loop where the model begins to amplify the harmful subtext embedded in the conversation, gradually eroding its own safety resistances. The attack thrives on implication, indirection, and contextual referencing—techniques that evade detection when prompts are evaluated in isolation.
Unlike earlier jailbreaks that rely on surface-level tricks like misspellings, prompt injection, or formatting hacks, Echo Chamber operates at a semantic and conversational level. It exploits how LLMs maintain context, resolve ambiguous references, and make inferences across dialogue turns—highlighting a deeper vulnerability in current alignment methods.
AI firm DeepSeek is aiding China's military and intelligence operations, a senior U.S. official told Reuters, adding that the Chinese tech startup sought to use Southeast Asian shell companies to access high-end semiconductors that cannot be shipped to China under U.S. rules.
The U.S. conclusions reflect a growing conviction in Washington that the capabilities behind the rapid rise of one of China's flagship AI enterprises may have been exaggerated and relied heavily on U.S. technology.
Hangzhou-based DeepSeek sent shockwaves through the technology world in January, saying its artificial intelligence reasoning models were on par with or better than U.S. industry-leading models at a fraction of the cost.
"We understand that DeepSeek has willingly provided and will likely continue to provide support to China's military and intelligence operations," a senior State Department official told Reuters in an interview.
"This effort goes above and beyond open-source access to DeepSeek's AI models," the official said, speaking on condition of anonymity in order to speak about U.S. government information.
The U.S. government's assessment of DeepSeek's activities and links to the Chinese government have not been previously reported and come amid a wide-scale U.S.-China trade war.
The ICO said over 150,000 U.K. residents had data stolen in the breach.
The U.K. data protection watchdog has fined 23andMe £2.31 million ($3.1 million) for failing to protect U.K. residents’ personal and genetic data prior to its 2023 data breach.
The Information Commissioner’s Office (ICO) said on Tuesday it has fined the genetic testing company as it “did not have additional verification steps for users to access and download their raw genetic data” at the time of its cyberattack.
In 2023, hackers stole private data on more than 6.9 million users over a months-long campaign by accessing thousands of accounts using stolen credentials. 23andMe did not require its users to use multi-factor authentication, which the ICO said broke U.K. data protection law.
The ICO said over 155,000 U.K. residents had their data stolen in the breach.
In response to the fine, 23andMe told TechCrunch that it had rolled out mandatory multi-factor authentication for all accounts.
The ICO said it is in contact with 23andMe’s trustee following the company’s filing for bankruptcy protection. A hearing on 23andMe’s sale is expected later on Wednesday.
Jun 18, 2025, 19:09 GMT+1
Iran’s state broadcaster was hacked Wednesday night, with videos calling for street protests briefly aired.
Footage circulated on social media showed protest-themed clips interrupting regular programming.
"If you experience disruptions or irrelevant messages while watching various TV channels, it is due to enemy interference with satellite signals," state TV said.
The hacking of the programming on Wednesday night was limited to satellite transmissions, the Islamic Republic of Iran Broadcasting (IRIB) said.
Global banking giant UBS has suffered a data breach following a cyber-attack on a third-party supplier.
In a statement emailed to Infosecurity, a UBS spokesperson confirmed a breach had occurred, but it had not impacted customer data or operations.
“A cyber-attack at an external supplier has led to information about UBS and several other companies being stolen. No client data has been affected. As soon as UBS became aware of the incident, it took swift and decisive action to avoid any impact on its operations,” the UBS statement read.
Swiss-based newspaper Le Temps reported that information about 130,000 UBS employees had been published on the dark web by a ransomware group called World Leaks, previously known as Hunters International, following the incident.
This data includes business contact details, including phone number, their job role and details of their location and floor they work on.
The direct phone number of UBS CEO Sergio Ermotti was reportedly included in the published data.
UBS also confirmed to Infosecurity that the external supplier at the center of the incident was procurement service provider Swiss-based Chain IQ.
Another Chain IQ client, Swiss private bank Pictet, also revealed it had suffered a data breach as a result of the attack. Pictet said in statement published by Reuters that the information stolen did not contain its client data and was limited to invoice information with some of the bank's suppliers, such as technology providers and external consultants.
At the time of writing, it is not known whether any other Chain IQ customers have been impacted.
News broke today about "one of the largest data breaches in history," sparking wide media coverage filled with warnings and fear-mongering. However, it appears to just be a compilation of previously leaked credentials stolen by infostealers, exposed in data breaches, and via credential stuffing attacks.
To be clear, this is not a new data breach, or a breach at all, and the websites involved were not recently compromised to steal these credentials.
Instead, these stolen credentials were likely circulating for some time, if not for years. It was then collected by a cybersecurity firm, researchers, or threat actors and repackaged into a database that was exposed on the Internet.
Cybernews, which discovered the briefly exposed datasets of compiled credentials, stated it was stored in a format commonly associated with infostealer malware, though they did not share samples
An infostealer is malware that attempts to steal credentials, cryptocurrency wallets, and other data from an infected device. Over the years, infostealers have become a massive problem, leading to breaches worldwide.
...
The infostealer problem has gotten so bad and pervasive that compromised credentials have become one of the most common ways for threat actors to breach networks.
The company has not disclosed how many users were affected or whether any wallets were compromised as a result of the exploit.
Hackers exploited a vulnerability in CoinMarketCap’s front-end system, using a seemingly harmless doodle image to inject malicious code that triggered fake wallet verification pop-ups across the site.
The breach, confirmed by CoinMarketCap, used its backend API to deliver a manipulated JSON payload that embedded JavaScript into the homepage according to blockchain security firm Coinspect Security.
Business leaders need to stay up to date with geopolitics to keep their cybersecurity strategies up to date and mitigate the risks posed by state-backed hacker groups.
This is the message that Paul Chichester, director of operations at the UK’s National Cyber Security Centre (NCSC), delivered to attendees at a keynote session of Infosecurity Europe 2025.
The call to action from Chichester came as states known to support threat actors and engage in cyber attacks of their own step up efforts to disrupt critical infrastructure
Chichester said Russia’s cyber capabilities in particular have improved in recent years, with its invasion of Ukraine used as an opportunity to hone offensive cyber techniques. Along with Russia, Chichester focused on the threat China-backed groups pose to both public and private organizations.
“I'll come back to this a few times, but states don't do hacking for fun,” Chichester said.
“They do not do things for the sake of it. There is always a reason. We might not know the reason sometimes and that's quite a challenge for us, but we shouldn't assume that they're just doing it because they can.”
Chichester urged businesses who are being targeted by a state APT to carefully consider why and to assess how geopolitics feeds into their defensive strategies.
Imperva’s Offensive Security Team discovered CVE-2025-49763, a high-severity vulnerability (CVSS v3.1 estimated score: 7.5) in Apache Traffic Server’s ESI plugin that enables unauthenticated attackers to exhaust memory and potentially crash proxy nodes. Given ATS’s role in global content delivery[1], even a single node failure can black-hole thousands of sessions. Organizations should urgently upgrade to version 9.2.11 or 10.0.6 and enforce the new inclusion-depth safeguard.
Why reverse‑proxy servers matter
Every web request you make today almost certainly travels through one or more reverse‑proxy caches before it reaches the origin application. These proxies:
This vulnerability can be exploited via two different ways:
A threat actor could exploit an Edge Side Include injection and recursively inject the same page over and over again.
exploitation via esi injection
A threat actor could also host a malicious server next to a target, behind a vulnerable traffic server proxy and take down the proxy by triggering the ESI request avalanche. (see Fig 2).
exploitation via malicious error
This results in a full denial of service on edge proxy nodes, triggered remotely without requiring authentication.
Attacker rained down the equivalent of 9,300 full-length HD movies in just 45 seconds.
Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare.
The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.
Indiscriminate target bombing
Cloudflare said the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.
The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.
The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
Earlier this week, virtually everyone in Iran lost access to the internet in what was called a “near-total national internet blackout.”
At the time, it was unclear what happened or who was responsible for the shutdown, which has severely limited Iranians’ means to get information about the ongoing war with Israel, as well as their ability to communicate with loved ones inside and outside of the country.
Now Iran’s government has confirmed that it ordered the shutdown to protect against Israeli cyberattacks.
“We have previously stated that if necessary, we will certainly switch to a national internet and restrict global internet access. Security is our main concern, and we are witnessing cyberattacks on the country’s critical infrastructure and disruptions in the functioning of banks,” Fatemeh Mohajerani, Iran’s government spokesperson, was quoted as saying in a local news story. “Many of the enemy’s drones are managed and controlled via the internet, and a large amount of information is exchanged this way. A cryptocurrency exchange was also hacked, and considering all these issues, we have decided to impose internet restrictions.”
Les systèmes informatiques de la commune de Villars-sur-Glâne ont été la cible d’une cyberattaque. Des mesures ont immédiatement été prises pour la contrer et sécuriser l’infrastructure.
Selon les premiers éléments de l’investigation, des connexions non autorisées ont été effectuées sur certains serveurs de la commune mercredi matin. Il s'agirait d'une tentative d'attaque de type rançongiciel qui demanderait une somme d'argent en échange de la libération des données volées. Des mesures de protection immédiates ont été prises et aucun dommage supplémentaire n'est possible. Une analyse est en cours et permettra d'obtenir plus d'informations sur l'attaque.
"C'est à chacun de se rendre compte que l'informatique est à la fois extraordinaire pour la quantité de données que l'on peut conserver, mais c'est aussi extrêmement fragile si l'on n'a pas une approche rigoureuse", rappelle le syndic de Villars-sur-Glâne, Bruno Mamier.
L’incident a été signalé à la police cantonale, à l’Office fédéral de la cybersécurité (OFCS) et à l’autorité cantonale de la transparence, de la protection des données et de la médiation.
En raison de cet incident, les lignes téléphoniques principales ont été déviées. En cas de questions, les habitants de la commune peuvent se rendre à l'administration ou suivre l’évolution de la situation sur la page internet suivante.
Le syndic invite les personnes dont la démarche administrative n'est pas urgente à se rendre à l'administration communale la semaine prochaine.
Tonga’s National Health Information System (NHIS) suffered a ransomware breach this week, says Dr ʻAna ʻAkauʻola his evening. The system has been shut down, and staff moved to manual operations.
The breach came to light during a parliament debate on the MEIDECC budget, when Deputy PM Dr Taniela Fusimalohi alerted MPs to the intrusion. Dr ʻAkauʻola confirmed she learned of the hack earlier this week and immediately summoned system administrators. She noted that staff member managing the NHIS “was unaware that it was a serious breach.”
The minister disclosed that hackers encrypted the NHIS and demanded payment, assuring MPs “the hackers won’t damage the information on the NHIS.” She also said she promptly emailed Dr Fusimalohi when she knew of the breach, who engaged the Australian High Commission.
Dr Fusimalohi confirmed an Australian cyber team arrived in Tonga today to help resolve the issue.
June 19 (Reuters) - Tata Consultancy Services (TCS.NS), opens new tab said none of its "systems or users were compromised" as part of the cyberattack that led to the theft of customer data at retailer Marks and Spencer (MKS.L), opens new tab, its client of more than a decade.
"As no TCS systems or users were compromised, none of our other customers are impacted" independent director Keki Mistry told its annual shareholder meeting.
The Reuters Daily Briefing newsletter provides all the news you need to start your day. Sign up here.
"The purview of the investigation (of customer) does not include TCS," Mistry added.
This is the first time India's No 1 IT services company has publicly commented on the cyber hack. M&S did not immediately respond to a request for comment.
TCS is one of the technology services providers for the British retailer. In early 2023, TCS reportedly, opens new tab won a $1 billion contract for modernising M&S' legacy technology with respect to its supply chain and omni-channel sales while increasing its online sales.
The "highly sophisticated and targeted" cyberattack which M&S disclosed in April will cost about 300 million pounds ($403 million) in lost operating profit, and disruption to online services is likely until July.
Last month, Financial Times reported that TCS is internally investigating whether it was the gateway for a cyberattack.
Mistry presided as the chairman at the company's annual shareholder meeting as Tata Group Chairman N Chandrasekaran skipped it due to "exigencies".
The chairman's absence comes as the Group's airline Air India plane with 242 people on board crashed after take-off in Ahmedabad last week, killing all passengers except one.
Reporting by Sai Ishwarbharath B and Haripriya Suresh, Editing by Louise Heavens
Securonix Threat Research uncovers SERPENTINE#CLOUD, a stealthy malware campaign abusing Cloudflare Tunnels to deliver in-memory Python-based payloads via .lnk phishing lures. Learn how this multi-stage attack evades detection, establishes persistence, and executes Donut-packed shellcode using Early Bird APC injection.
An ongoing malware campaign tracked as SERPENTINE#CLOUD has been identified as leveraging the Cloudflare Tunnel infrastructure and Python-based loaders to deliver memory-injected payloads through a chain of shortcut files and obfuscated scripts. For initial access, the threat actors are luring users to execute malicious .lnk files (shortcut files) disguised as documents to silently fetch and execute remote code. This kicks off a rather elaborate attack chain consisting of a combination of batch, VBScript and Python stages to ultimately deploy shellcode that loads a Donut-packed PE payload.
The shortcut files are delivered via phishing emails that contain a link to download a zipped document, often themed around payment or invoice scams. This assessment is based on the naming convention of the ZIP files observed, many of which included the word “invoice.”
Attribution remains unknown, though the attacker demonstrates fluency in English based on code comments and scripting practices. Telemetry indicates a strong focus on Western targets, with confirmed activity observed in the United States, United Kingdom, Germany and other regions across Europe and Asia. The use of Cloudflare for payload hosting allows the attackers to remain anonymous and since their infrastructure is secured behind a trusted network, monitored traffic to this network will rarely raise alarms or be flagged as suspicious by network monitoring tools.
