CVE-2025-6543 – Citrix NetScaler ADC and NetScaler Gateway Vulnerability
June 26, 2025
Severity
High
Analysis Summary
Citrix has issued security patches for a newly discovered, actively exploited critical vulnerability CVE-2025-6543 affecting NetScaler ADC and NetScaler Gateway. The flaw, rated with a CVSS score of 9.2, is a memory overflow issue that can result in unintended control flow or denial-of-service (DoS). Exploitation of this vulnerability has already been observed in the wild, although Citrix has not provided detailed information about the attacks.
The vulnerability impacts both supported and discontinued versions of NetScaler. Only instances configured as a Gateway (such as VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA (Authentication, Authorization, and Accounting) virtual server are affected.
Fixes for CVE-2025-6543 have been included in the following versions:
- NetScaler ADC and Gateway 14.1-47.46
- NetScaler ADC and Gateway 13.1-59.19
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236
Citrix has emphasized that versions 12.1 and 13.0, which are no longer supported, are also vulnerable. Customers using these legacy versions are strongly advised to migrate to supported, patched releases. Additionally, on-prem or hybrid deployments of Secure Private Access that use NetScaler are also impacted and require immediate upgrades to secure builds.
This zero-day disclosure follows closely on the heels of another critical NetScaler vulnerability, CVE-2025-5777, disclosed just a week earlier. That bug, rated CVSS 9.3, involves an out-of-bounds memory read caused by inadequate input validation. Security researchers have likened it to CitrixBleed, warning that it could allow attackers to bypass multi-factor authentication by reading memory and session tokens.
Although CVE-2025-5777 is not yet known to be exploited, a security expert has dubbed it CitrixBleed2 and advises organizations to patch immediately, identify exposed instances, and terminate all active sessions to prevent compromise.
Impact
- Denial of Service
- Buffer Overflow
- Remote Code Execution
Indicators of Compromise
CVE
CVE-2025-6543
Remediation
- Apply patches for NetScaler ADC and Gateway versions 14.1-47.46 and 13.1-59.19 to fix CVE-2025-6543.
- Migrate from unsupported versions 12.1 and 13.0 to patched, supported releases to ensure protection.
- Upgrade Secure Private Access (on-prem or hybrid) NetScaler instances to the latest recommended builds.
- Terminate all active sessions post-patching to clear potentially compromised session tokens.
- Scan networks to identify exposed or outdated NetScaler instances for immediate remediation.
- Restrict public access to vulnerable virtual servers (VPN, ICA Proxy, RDP Proxy, etc.) to reduce risk.
- Enable strict input validation and memory protection mechanisms where applicable.
- Monitor logs and traffic for signs of exploitation or suspicious behavior.
- Subscribe to Citrix security advisories to stay updated on new vulnerabilities and fixes.
- Perform regular vulnerability scans on NetScaler appliances to detect and mitigate risks early.
- Train IT and security staff on secure configuration and incident response procedures for NetScaler systems.
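As an added example that is not part of this advisory or of any Citrix tooling, the following Python helper applies the fixed-build thresholds listed above to an inventory of NetScaler builds so the vulnerable, end-of-life and already-patched appliances can be separated for remediation. The hostnames, build strings, variant labels and exposure flags are constructed for illustration; whether a given appliance is actually configured as a Gateway or AAA virtual server must come from your own inventory.

```python
import re

# Fixed builds from the advisory, keyed by (release train, variant).
# 13.1-FIPS and 13.1-NDcPP share the 13.1-37.236 fix.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),
    ("13.1", "ndcpp"): (37, 236),
}
# Unsupported trains named as vulnerable by Citrix; no fixed build exists, only migration.
EOL_RELEASES = {"12.1", "13.0"}

# NetScaler build strings look like "14.1-47.46": train, then build major.minor.
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(build, variant="standard", gateway_or_aaa=True):
    """Classify one appliance against CVE-2025-6543.

    Returns 'patched', 'vulnerable', 'eol_vulnerable', 'not_exposed_by_config'
    or 'unknown' (unparseable build or a train/variant not in the advisory).
    """
    m = BUILD_RE.match(build.strip())
    if not m:
        return "unknown"
    release, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    if not gateway_or_aaa:
        # Per the advisory only Gateway/AAA virtual servers are affected;
        # the appliance should still be upgraded, but it is not an exposed instance.
        return "not_exposed_by_config"
    if release in EOL_RELEASES:
        return "eol_vulnerable"
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        return "unknown"
    return "patched" if (major, minor) >= fixed else "vulnerable"


# Constructed sample inventory: (hostname, build, variant, configured as Gateway/AAA).
SAMPLE_INVENTORY = [
    ("ns-gw-01.example", "14.1-43.56", "standard", True),
    ("ns-gw-02.example", "14.1-47.46", "standard", True),
    ("ns-fips-01.example", "13.1-37.207", "fips", True),
    ("ns-legacy.example", "13.0-92.21", "standard", True),
    ("ns-lb-only.example", "13.1-58.32", "standard", False),
]


def triage(inventory):
    """Group hostnames by assessment so remediation work can be prioritized."""
    groups = {}
    for host, build, variant, exposed in inventory:
        groups.setdefault(assess(build, variant, exposed), []).append(host)
    return groups
```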