
A critical security flaw tracked as CVE-2025-6543 is being actively exploited in the wild, prompting urgent warnings from Citrix and inclusion in CISA’s Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability affects NetScaler ADC and NetScaler Gateway appliances and can be triggered remotely and without authentication, leading to denial-of-service (DoS) conditions and widespread disruption.
“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix warned in a recent advisory.
Internally referenced by Citrix as CTX694788, CVE-2025-6543 is a buffer overflow flaw that impacts devices configured as a Gateway—including:
- VPN virtual servers
- ICA Proxies
- Clientless VPNs (CVPN)
- RDP Proxies
- AAA virtual servers
By sending crafted network requests, attackers can crash the affected appliances, effectively knocking entire services offline. This vulnerability is particularly dangerous due to its unauthenticated remote nature, requiring no prior access or credentials.
The following versions are vulnerable if not updated:
- NetScaler ADC and Gateway 14.1 before 14.1-47.46
- NetScaler ADC and Gateway 13.1 before 13.1-59.19
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.236-FIPS and 13.1-37.236-NDcPP
Although Citrix has released patches that address this vulnerability, many systems remain exposed. The internet security nonprofit Shadowserver Foundation has identified over 2,100 NetScaler appliances that are still unpatched and susceptible to active DoS attacks exploiting CVE-2025-6543.
Citrix has issued updates that fully address CVE-2025-6543 in the following builds:
- 14.1-47.46
- 13.1-59.19
- 13.1-37.236-FIPS and 13.1-37.236-NDcPP
If you are running older versions of NetScaler ADC or Gateway, especially in Gateway mode, immediate patching is strongly advised.
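As an added example (not code from Citrix or from this article), the vulnerable and fixed build lists above turned into a small patch-compliance check: it parses NetScaler version strings, compares builds numerically within each release train, and flags Gateway-mode appliances still on a pre-fix build. The hostnames and inventory are constructed, and the handling of the `FIPS`/`NDcPP` variants assumes the suffix appears in the version string the way the advisory writes it.

```python
from __future__ import annotations
import re

# Fixed builds quoted on this page from Citrix advisory CTX694788, keyed by
# release train; the FIPS/NDcPP builds are tracked as their own train.
FIXED_BUILDS = {"14.1": (47, 46), "13.1": (59, 19),
                "13.1-FIPS": (37, 236), "13.1-NDcPP": (37, 236)}

_VERSION_RE = re.compile(  # e.g. 14.1-47.46 or 13.1-37.236-FIPS
    r"^(?P<release>\d+\.\d+)-(?P<build>\d+(?:\.\d+)*)(?:-(?P<variant>FIPS|NDcPP))?$")

def parse_version(version: str) -> tuple[str, tuple[int, ...]]:
    """Return (train, build); build is a tuple of ints so 47.46 compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    train = m.group("release") + (f"-{m.group('variant')}" if m.group("variant") else "")
    return train, tuple(int(p) for p in m.group("build").split("."))

def is_vulnerable(version: str) -> bool | None:
    """True if the build predates the fix for its train, False if fixed, None if unknown train."""
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get(train)
    return None if fixed is None else build < fixed

def triage(inventory: list[tuple[str, str, bool]]) -> dict[str, str]:
    """Map hostname -> action; Gateway-mode appliances on vulnerable builds are the exposed ones."""
    actions = {}
    for host, version, gateway in inventory:
        state = is_vulnerable(version)
        if state is None:
            actions[host] = "unknown train: check advisory"
        elif state and gateway:
            actions[host] = "EXPOSED: patch now"
        elif state:
            actions[host] = "vulnerable build: patch"
        else:
            actions[host] = "fixed build"
    return actions

# Constructed sample inventory of (hostname, version, gateway_configured); hypothetical hosts.
SAMPLE_INVENTORY = [("gw-1.example.test", "14.1-43.50", True),
                    ("gw-2.example.test", "14.1-47.46", True),
                    ("lb-1.example.test", "13.1-58.32", False),
                    ("fips-1.example.test", "13.1-37.207-FIPS", True),
                    ("legacy.example.test", "13.0-92.21", True)]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:22} {action}")
```

A train the advisory text does not list (such as the constructed `13.0` entry) is reported as unknown rather than silently marked fixed, so it is not mistaken for a patched appliance.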
In response to the active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the vulnerability no later than July 21, 2025.
Agencies and organizations are urged to apply the patches immediately and verify that any internet-facing NetScaler instances are not configured as vulnerable Gateway services unless absolutely necessary.