Citrix NetScaler Bug CVE-2025-6543 Actively Exploited in the Wild – Patch Now!


CVE-2025-6543 is a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway products, formerly known as Citrix ADC and Gateway. The vulnerability allows unauthenticated remote attackers to cause a denial-of-service (DoS) condition by exploiting improperly restricted memory operations. The vulnerability is currently under active exploitation in the wild, making it a high-priority security issue for all organizations deploying affected Citrix infrastructure.

Severity Level: Critical

Vulnerability Details

  1. CVE-ID: CVE-2025-6543
  2. Type: Memory overflow (buffer overrun)
  3. CWE: CWE-119 – Improper Restriction of Operations within the Bounds of a Memory Buffer
  4. Attack Vector: Remote, unauthenticated
  5. Attack Prerequisites: Affected device must be configured as VPN Virtual Server, ICA Proxy, Clientless VPN (CVPN), RDP Proxy, or AAA Virtual Server
  6. Impact: Causes unintended control flow, leading to service crashes
  7. CVSS Score: 9.2
  8. Affected Versions:
    • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
    • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.236-FIPS and 13.1-37.236-NDcPP
  9. Fixed Versions:
    • NetScaler ADC and NetScaler Gateway 14.1-47.46 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-59.19 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP. Customers should contact support – https://support.citrix.com/support-home/home to obtain the 13.1-FIPS and 13.1-NDcPP builds that address this issue.
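To turn the affected and fixed version lists above into an inventory check, here is an added example (not code from the advisory or from Citrix) that classifies a NetScaler build string against these thresholds. The "<major>.<minor>-<build>.<subbuild>[-FIPS|-NDcPP]" string layout it parses is an assumption, and the sample build strings at the bottom are constructed.

```python
"""Classify NetScaler ADC / Gateway build strings against the CVE-2025-6543 fixed builds."""
import re

# (branch, variant) -> first fixed build on that branch, taken from the advisory.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "FIPS"): (37, 236),
    ("13.1", "NDcPP"): (37, 236),
}
# Branches the advisory lists as End-of-Life: no fix ships, upgrade or take offline.
EOL_BRANCHES = {"12.1", "13.0"}

# Assumed layout of a build string, e.g. "14.1-47.46" or "13.1-37.236-FIPS".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<build>\d+)\.(?P<sub>\d+)"
    r"(?:-(?P<variant>FIPS|NDcPP))?$"
)


def parse_version(version):
    """Split e.g. '13.1-37.236-FIPS' into ('13.1', (37, 236), 'FIPS')."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = f"{m['major']}.{m['minor']}"
    build = (int(m["build"]), int(m["sub"]))
    return branch, build, m["variant"] or "standard"


def assess(version):
    """Return 'eol', 'vulnerable', 'fixed' or 'unknown-branch' for one build string."""
    branch, build, variant = parse_version(version)
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "unknown-branch"  # not covered by this advisory; check the vendor bulletin
    # Compare as integer tuples, not floats: build 47.46 is newer than 47.9.
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not data from real appliances.
    for v in ["14.1-43.56", "14.1-47.46", "13.1-58.32", "13.1-59.19",
              "13.1-37.235-FIPS", "13.1-37.236-NDcPP", "13.0-92.21"]:
        print(f"{v:22s} {assess(v)}")
```

Feed it the build strings from your asset inventory; anything reported as "vulnerable" or "eol" on an appliance configured as a Gateway or AAA virtual server needs the upgrade described in the recommendations.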

Root Cause

The vulnerability arises due to improper bounds checking in memory handling routines when processing data in NetScaler Gateway and AAA virtual server configurations. This allows attackers to send crafted inputs that overflow internal buffers, potentially altering the control flow of the application and resulting in service termination.

Exploitation Of The Vulnerability

  • Active Exploitation: Yes
  • Observed Impact: Denial of Service (appliances crash or reboot)
  • Threat Activity: Remote attackers are leveraging this flaw to force NetScaler appliances offline.
  • Notable Context: Emerged alongside other Citrix vulnerabilities (e.g., CitrixBleed 2 / CVE-2025-5777) which were used in session hijacking campaigns by ransomware groups.

Recommendations

  1. There is no official workaround. The only effective mitigation is to upgrade affected NetScaler ADC and Gateway systems to a fixed version as soon as possible.
  2. Devices running versions 12.1 and 13.0 are End-of-Life and must be upgraded or taken offline, as they are both vulnerable and unsupported.
  3. Limit public exposure of Gateway and AAA virtual servers to trusted IP ranges.
  4. Monitor NetScaler instances for unusual user sessions and abnormal behavior, and review access controls.

Source:

  • https://www.bleepingcomputer.com/news/security/citrix-warns-of-netscaler-vulnerability-exploited-in-dos-attacks/
  • https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

Ampcus Cyber