
Citrix releases emergency patches for actively exploited vulnerability in NetScaler Products

Take action: This is now important and URGENT. If your Citrix NetScaler ADC or Gateway is exposed on the internet, it is being actively attacked and exploited. The severity of the three latest critical flaws also appears to be understated in the vendor's description, and there is a real possibility of a repeat of the CitrixBleed incident from 2023. Immediately update to the latest patched versions (14.1-47.46, 13.1-59.19, or 13.1-37.236-FIPS/NDcPP). After patching, you must also terminate all active ICA and PCoIP sessions so that attackers cannot keep using session tokens stolen before the upgrade. If you have end-of-life devices (12.1 and 13.0), take them offline NOW: no patch is coming for them and they will be compromised.


Learn More

Citrix has patched a critical, actively exploited security vulnerability in its NetScaler ADC (Application Delivery Controller) and NetScaler Gateway products.

The vulnerability is tracked as CVE-2025-6543 (CVSS score 9.2) and was being actively exploited before patches were available. Citrix confirmed in its security bulletin that "exploits of CVE-2025-6543 on unmitigated appliances have been observed."

The vulnerability is a memory overflow defect that can be exploited to cause unintended control flow and denial-of-service conditions. Security experts have questioned Citrix's characterization of the impact. Ben Harris, CEO and founder of watchTowr, expressed skepticism about the denial-of-service description, noting that the CVSS metrics indicate more serious consequences. "We believe with high confidence that this isn't a denial of service as it is being positioned," Harris stated, suggesting that the vulnerability metrics point to code execution rather than simple service disruption. From a defender's point of view the distinction changes little: a memory overflow that yields "unintended control flow" is the raw material of a control-flow hijack, so a vendor's DoS label should be treated as a floor on the impact, not a ceiling, and the appliance handled as if remote code execution were possible.

Successful exploitation of CVE-2025-6543 requires that the targeted NetScaler instance be configured as either a Gateway virtual server (VPN virtual server, ICA Proxy, Clientless VPN, or RDP Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server, which are precisely the roles that sit on the internet edge. The vulnerability can be triggered by unauthenticated remote requests. Appliances without one of these virtual servers are not in the exploitable configuration, but the fix applies to all of them and should still be installed.

The disclosure comes alongside two other critical vulnerabilities in NetScaler products:

  • CVE-2025-5777 (CVSS score 9.3): An out-of-bounds memory read vulnerability caused by insufficient input validation. Security researchers have compared this flaw to the infamous CVE-2023-4966 "CitrixBleed" vulnerability that caused widespread damage in 2023, and it is widely referred to as "CitrixBleed 2". It could allow attackers to read valid session tokens or other sensitive data out of NetScaler device memory using malformed requests, which is why killing existing sessions after patching matters: a token leaked before the upgrade stays valid until its session is terminated.
  • CVE-2025-5349 (CVSS score 8.7): An improper access control vulnerability affecting the NetScaler Management Interface, the administrative plane that should never be reachable from the internet in the first place.

Vulnerable devices

NetScaler ADC and NetScaler Gateway:

  • Version 14.1 before 14.1-47.46
  • Version 13.1 before 13.1-59.19

NetScaler ADC 13.1-FIPS and NDcPP:

  • Before 13.1-37.236-FIPS and 13.1-37.236-NDcPP

End-of-life versions (no longer supported):

  • NetScaler ADC and Gateway versions 12.1 and 13.0

Citrix has released patches in NetScaler ADC and Gateway 14.1-47.46 and 13.1-59.19, and in ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236. No patch is available for the end-of-life versions 12.1 and 13.0; for organizations still running them, Citrix strongly recommends upgrading to a supported version immediately.

Charles Carmakal, Mandiant Consulting Chief Technology Officer, emphasized the urgency of the situation in a LinkedIn post, urging Citrix customers to patch both vulnerabilities "immediately." He noted that organizations must not only upgrade their NetScaler software but also terminate all active ICA and PCoIP sessions after upgrading, a lesson learned from the 2023 CitrixBleed incident, where many organizations failed to take this step.
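The two steps above (confirm the running build against the fixed builds, then kill sessions after the upgrade) are easy to get wrong by hand, for example by comparing build numbers as strings. The following script is an added example written for this page, not Citrix tooling: it classifies a captured "show ns version" line as patched, vulnerable, end-of-life or unknown using the fixed builds from the bulletin, and emits the post-upgrade session-kill commands. The sample version lines are constructed, the FIPS/NDcPP flag is passed explicitly because the version line alone does not reveal it (an assumption), and the two kill command names are taken from Citrix's bulletin guidance rather than from this page.

```shell
#!/bin/sh
# Added triage helper (not Citrix tooling) for the NetScaler builds in this page.
# Assumes a "show ns version" line of the usual shape:
#   NetScaler NSxx.y: Build aa.bb.nc, Date: ...
# Whether the box is a 13.1-FIPS/NDcPP build must be passed as a second
# argument ("fips"); the version line alone does not say so (assumption).

# Fixed builds per the Citrix bulletin for CVE-2025-6543.
FIXED_14_1="47.46"
FIXED_13_1="59.19"
FIXED_13_1_FIPS="37.236"   # covers both 13.1-FIPS and 13.1-NDcPP

# build_lt A B: exit 0 when build A is numerically lower than build B.
# Builds are "major.minor"; a plain string compare would say 9.99 > 47.46.
build_lt() {
    a_maj=${1%%.*}; a_min=${1#*.}
    b_maj=${2%%.*}; b_min=${2#*.}
    if [ "$a_maj" -lt "$b_maj" ]; then return 0; fi
    if [ "$a_maj" -eq "$b_maj" ] && [ "$a_min" -lt "$b_min" ]; then return 0; fi
    return 1
}

# netscaler_status "<show ns version line>" [fips]
# Prints one of: patched | vulnerable | end-of-life | unknown
netscaler_status() {
    line=$1; fips=${2:-}
    pat='.*NS\([0-9]*\.[0-9]*\): Build \([0-9]*\.[0-9]*\).*'
    rel=$(printf '%s\n' "$line" | sed -n "s/$pat/\\1/p")
    build=$(printf '%s\n' "$line" | sed -n "s/$pat/\\2/p")
    case "$rel" in
        14.1) fixed=$FIXED_14_1 ;;
        13.1) if [ "$fips" = fips ]; then fixed=$FIXED_13_1_FIPS; else fixed=$FIXED_13_1; fi ;;
        12.1|13.0) echo end-of-life; return 0 ;;   # no fix will ship: upgrade or unplug
        *) echo unknown; return 0 ;;
    esac
    if build_lt "$build" "$fixed"; then echo vulnerable; else echo patched; fi
}

# NetScaler CLI commands to run right after the upgrade so that sessions
# established (and possibly stolen) before the patch stop being usable.
# Command names come from Citrix's bulletin guidance, not from this page.
post_upgrade_commands() {
    printf '%s\n' 'kill icaconnection -all' 'kill pcoipConnection -all'
}

# Constructed sample lines (not captured from a real appliance).
for v in \
    'NetScaler NS14.1: Build 43.56.nc, Date: Jun 10 2025, 12:00:00   (64-bit)' \
    'NetScaler NS14.1: Build 47.46.nc, Date: Jun 20 2025, 12:00:00   (64-bit)' \
    'NetScaler NS13.1: Build 58.32.nc, Date: Jun 10 2025, 12:00:00   (64-bit)' \
    'NetScaler NS13.0: Build 92.21.nc, Date: Jan 10 2024, 12:00:00   (64-bit)'
do
    printf '%-12s %s\n' "$(netscaler_status "$v")" "$v"
done
echo "After upgrading, run on the NetScaler CLI:"
post_upgrade_commands
```

In practice the version line comes from `show ns version` over SSH or from a configuration backup; feed that line to netscaler_status and treat anything other than "patched" as an appliance that needs action today. The status only reflects CVE-2025-6543; the kill commands are a separate, mandatory step after the upgrade because a patched build does not invalidate tokens that leaked before it was installed.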

As of 12 August 2025, the Netherlands' National Cyber Security Centre (NCSC) is warning that CVE-2025-6543 was exploited to breach "critical organizations" in the country.
