This script is provided without any guarantees regarding its effectiveness.
The detection capabilities of this script are based on a limited set of detection rules.
Make sure to follow instructions from the vendor and information listed in advisories regarding vulnerabilities.
Make sure no sensitive information is disclosed when sharing the output of this script.
For interpretation of the output from this scanning script, please forward this information
to your national cybersecurity entity (national CSIRT or otherwise).
The check script looks for specific files on a NetScaler environment that indicate compromise. For usage, refer to the instructions below:
- Upload the detection script `TLPCLEAR_check_script_cve-2025-6543-v1.7.sh` to a directory on your NetScaler appliance such as `/tmp` (e.g. using the `scp` command)
- Open a (SSH) shell to the appliance and navigate to the directory containing the detection script
- Run the script as follows:
  `/bin/sh TLPCLEAR_check_script_cve-2025-6543-v1.7.sh`
- Transfer the following file from the NetScaler:
  `/var/log/custom_checks.log`
- Inspect the logfile for output. Everything not marked as a "low confidence indicator" should be considered an indicator of compromise and followed up on immediately.
- Share the logfile with your national cyber security incident response entity (CSIRT), such as an NCSC or Govcert, for further assistance. For the EU: https://csirtsnetwork.eu
Please monitor this repository for changes; additional checks could follow. Feedback and improvements are very much welcome and can be suggested by opening a GitHub issue.