Actively Exploited Critical Zero-Day Vulnerability in Citrix NetScaler ADC and Gateway (CVE-2025-6543)
July 1st, 2025
Severity Level: Critical

Technical Details
CVE-ID: CVE-2025-6543.
Severity: Critical.
CVSS Score: 9.2 (Critical).
Vulnerability Type: Buffer Overflow.
The vulnerability stems from improper memory bounds checking, leading to a heap buffer overflow in affected NetScaler components. This heap buffer overflow allows remote attackers to manipulate memory and trigger unintended control flow, potentially resulting in remote code execution (RCE) or causing the appliance to crash, leading to a denial-of-service (DoS) condition.
NetScaler ADC is widely used for load balancing, traffic optimization, and securing web applications, while NetScaler Gateway enables secure remote access to internal enterprise resources via VPN or ICA proxy.
On June 25th, 2025, Citrix released emergency patches for a critical heap memory overflow vulnerability (CVE-2025-6543) affecting NetScaler ADC and Gateway appliances when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This vulnerability, which has a CVSS score of 9.2 (critical), has been exploited by attackers “in the wild”, indicating active zero-day exploitation. It impacts several versions of NetScaler, including some that are end-of-life, and results in denial-of-service (DoS) or unintended control flow if successfully exploited.

Impact
The NetScaler appliance might crash or reboot multiple times, causing disruptions to application and VPN access.
If exploited, attackers could use the compromised NetScaler to access the company’s internal network.
Interruptions in application delivery, remote access, or user authentication could impact operations, productivity, or service-level agreements (SLAs).
If Citrix systems are breached, it may result in regulatory penalties and a loss of customer trust.
Exploitation could allow attackers to capture user credentials or session tokens used to access enterprise resources.
End-of-life versions like 12.1 and 13.0 no longer receive security updates and will remain vulnerable.
The following versions are vulnerable to CVE-2025-6543:
NetScaler ADC and Gateway 14.1: All versions prior to 14.1-47.46 are impacted.
NetScaler ADC and Gateway 13.1: All versions prior to 13.1-59.19 are impacted.
NetScaler ADC 13.1-FIPS and NDcPP: All versions prior to 13.1-37.236-FIPS/NDcPP are impacted.
This vulnerability impacts critical infrastructure components that directly affect application availability, performance, and security posture.
Detection Method
To detect potential exploitation of CVE-2025-6543:
Check NetScaler appliance configuration to see if it is used as:
VPN virtual server / ICA Proxy / CVPN / RDP Proxy / AAA virtual server.
Verify the firmware version on affected devices.
Monitor system logs and alerts for unexpected service crashes, traffic anomalies, or CVE-specific IOC matches.
Use threat intelligence feeds and endpoint/network security tools to recognize known exploitation patterns.
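The first two detection steps (is the appliance configured in an affected role, and is its firmware below the fixed build?) can be scripted against the output of "show ns version" and a copy of ns.conf. The script below is an added example written for this advisory, not Citrix code or a Citrix-supplied tool. It assumes the version banner has the form "NetScaler NS14.1: Build 47.38.nc, ..." (an assumption about the banner layout), takes a fips flag because the banner alone does not identify a FIPS/NDcPP build, and treats the standard "add vpn vserver" and "add authentication vserver" configuration statements as the markers of a Gateway or AAA role. The fixed builds and end-of-life trains are the ones listed in this advisory; the sample banner and ns.conf lines are constructed.

```python
import re

# Fixed builds from this advisory, keyed by release train as printed by "show ns version",
# with the build held as a (major, minor) tuple so it compares numerically.
FIXED_BUILDS = {
    "14.1": (47, 46),        # 14.1-47.46
    "13.1": (59, 19),        # 13.1-59.19
    "13.1-FIPS": (37, 236),  # 13.1-37.236-FIPS/NDcPP
}

# Release trains the advisory lists as end-of-life: no fix will be published for them.
EOL_TRAINS = {"12.1", "13.0"}

# ns.conf statements that put the appliance in an affected role (Gateway/VPN or AAA).
# The virtual server name following the statement is captured for reporting.
EXPOSED_ROLE_PATTERNS = {
    "VPN/Gateway virtual server": re.compile(r"^add vpn vserver\s+(\S+)", re.M),
    "AAA virtual server": re.compile(r"^add authentication vserver\s+(\S+)", re.M),
}

# Constructed sample inputs, not real appliance output. The banner layout is an
# assumption about "show ns version"; the ns.conf lines use standard statement syntax.
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.38.nc, Date: May 15 2025, 10:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.30 443
"""


def parse_ns_version(banner):
    """Extract ('14.1', (47, 38)) from a 'NetScaler NS14.1: Build 47.38.nc ...' banner."""
    m = re.search(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("unrecognised version banner: %r" % banner)
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess_version(train, build, fips=False):
    """Classify a release train and build against the advisory's fixed builds.

    Returns (status, detail); status is 'fixed', 'vulnerable', 'eol' or 'unknown'.
    """
    if train in EOL_TRAINS:
        return "eol", "%s is end-of-life and receives no fix; migrate to a supported release" % train
    key = "13.1-FIPS" if (fips and train == "13.1") else train
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown", "release train %s is not covered by this advisory" % train
    if build >= fixed:  # tuple comparison: (47, 46) >= (47, 46) counts as fixed
        return "fixed", "build %d.%d is at or above the fixed build %d.%d" % (build + fixed)
    return "vulnerable", "build %d.%d is below the fixed build %d.%d" % (build + fixed)


def exposed_roles(ns_conf):
    """Return {role: [vserver names]} for every affected role present in ns.conf text."""
    found = {}
    for role, pattern in EXPOSED_ROLE_PATTERNS.items():
        names = pattern.findall(ns_conf)
        if names:
            found[role] = names
    return found


def assess(banner, ns_conf, fips=False):
    """Combine the version check and the role check into one verdict for an appliance."""
    train, build = parse_ns_version(banner)
    status, detail = assess_version(train, build, fips)
    roles = exposed_roles(ns_conf)
    return {
        "train": train,
        "build": build,
        "status": status,
        "detail": detail,
        "roles": roles,
        # Only an unpatched (or unpatchable) build in an affected role is in scope.
        "at_risk": status in ("vulnerable", "eol") and bool(roles),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_NS_CONF)
    print("NetScaler %s build %d.%d: %s (%s)" % (
        result["train"], result["build"][0], result["build"][1],
        result["status"], result["detail"]))
    for role, names in result["roles"].items():
        print("  %s: %s" % (role, ", ".join(names)))
    print("AT RISK" if result["at_risk"] else "not at risk from CVE-2025-6543")
```

Run it with the banner from "show ns version" and the appliance's ns.conf in place of the sample strings; on an HA pair or cluster, every node must be checked, since the advisory's session-termination step only applies once all nodes are on the fixed build. A "fixed" verdict says nothing about whether the appliance was already compromised before the upgrade, which is what the log review in the remaining detection steps covers.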
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.

Recommendations
Secure Versions for CVE-2025-6543:
NetScaler ADC & Gateway 14.1 → 14.1-47.46
NetScaler ADC & Gateway 13.1 → 13.1-59.19
NetScaler ADC 13.1-FIPS / NDcPP → 13.1-37.236-FIPS / NDcPP
For 12.1 and 13.0 versions, migrate to supported versions, as they are end-of-life and will no longer receive patches.
Run the following commands to terminate all active ICA and PCoIP sessions after upgrading all NetScaler appliances in the HA pair or cluster to the fixed builds:
kill icaconnection -all
kill pcoipConnection -all
Please ensure the formatting remains intact when copying and pasting these commands.
Review and limit the exposure of AAA or VPN virtual servers where not required.
Monitor systems for indications of compromise or unusual activity.
Implement network segmentation and access controls to minimize exposure to potential threats.
Apply virtual patching or WAF rules if an immediate upgrade isn't possible.
Conclusion
CVE-2025-6543 is a critical, actively exploited zero-day vulnerability in NetScaler appliances, demanding urgent patching for all exposed configurations. It presents a significant risk to organizations that use vulnerable configurations, especially those running VPN or AAA services. Immediate patching and configuration review are strongly recommended to prevent potential service disruptions or compromises. Even after patching, forensic validation and session cleanup are essential to address remaining threats. Organizations are encouraged to use automated scanning tools and stay alert for signs of post-exploitation activity.