Dutch public prosecution service shuts down due to suspected Citrix NetScaler breach
The Dutch Public Prosecution Service (Openbaar Ministerie - OM) has disconnected all internal systems from the internet after a cybersecurity incident that exploited the "Citrix Bleed 2" NetScaler vulnerability.
This vulnerability affects Citrix NetScaler ADC and Gateway systems configured as Gateway or AAA virtual servers and allows unauthenticated attackers to remotely read sensitive memory content, potentially leading to session hijacking and authentication bypass.
The National Cyber Security Centre (NCSC) identified a potential security breach in the OM's IT environment. The OM severed all internet connections on Friday morning (18th of July 2025). Remote working is no longer possible; employees can still work at the offices, but without internet access.
Public prosecutors with court hearings scheduled for Friday were advised in advance to download the necessary documents, as access to digital files during hearings could not be guaranteed. Several courts are printing the case files for the prosecutors so that hearings can still go ahead.
The justice ministry said the department had applied Citrix's recommended patches, but these failed to fully eliminate the flaw.
Dutch authorities have not disclosed what data, if any, was exposed in the breach or how many individuals are affected.
Justice minister David van Weel has written a letter about the security issue to notify the Tweede Kamer, the lower house of Dutch parliament. He added that the OM has notified its employees through an internal message.