Urgent Citrix NetScaler Alert: Critical Memory Overflow Flaw (CVE-2025-6543, CVSS 9.2) Actively Exploited
Citrix has issued a warning regarding a newly discovered critical vulnerability in its NetScaler appliances, which is already being actively exploited in the wild. Tracked as CVE-2025-6543, this flaw affects the widely deployed NetScaler ADC and NetScaler Gateway solutions, commonly used by enterprises for remote access and perimeter security.
According to Citrix’s official advisory, exploits targeting this vulnerability have been observed in real-world attacks. With a CVSS score of 9.2, CVE-2025-6543 enables unauthenticated remote attackers to send a specially crafted request that causes the affected appliance to crash and become unresponsive. The impact is a complete denial-of-service condition, which can cripple corporate infrastructure.
The vulnerability affects NetScaler ADC and NetScaler Gateway 14.1 up to 14.1-47.46, 13.1 up to 13.1-59.19, and the specialized 13.1-FIPS and 13.1-NDcPP editions up to 13.1-37.236. However, only appliances configured in a gateway role are at risk: VPN virtual servers, ICA application proxies, clientless VPN (CVPN) instances, remote desktop (RDP) proxies, and authentication (AAA) virtual servers.
Citrix has released patches to address CVE-2025-6543 (internally tracked as CTX694788). Updates are now available for all affected NetScaler versions. The company strongly urges administrators to apply these patches immediately and review their device configurations.
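The two criteria above (an affected build and a gateway-role configuration) can be turned into a quick triage check for an appliance inventory. The script below is an added example, not Citrix tooling; it assumes the listed builds are the fixed builds (so earlier builds of the same release are affected), parses the `show ns version` banner format, and treats any `vpn` or `authentication` vserver in `ns.conf` as evidence of a gateway role. The banner and config lines are constructed samples.

```python
import re

# Fixed builds per the advisory text. Assumption: the listed build is the fix,
# so it is not itself affected; anything earlier in the same release is.
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),
    "13.1-NDcPP": (37, 236),
}

# Matches the "show ns version" banner, e.g. "NetScaler NS14.1: Build 47.46.nc, ..."
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s+Build\s+(\d+)\.(\d+)")

# ns.conf lines that put the appliance in a gateway role (VPN/CVPN/ICA/RDP
# proxies are vpn vservers; AAA is an authentication vserver).
GATEWAY_RE = re.compile(r"^add (vpn|authentication) vserver\b", re.MULTILINE)

# Constructed sample data (not real appliance output).
SAMPLE_BANNER = "NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2024, 00:00:00   (64-bit)"
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 10.0.0.20 443
add authentication vserver aaa_vs SSL 10.0.0.21 443
"""


def parse_version(banner, edition=""):
    """Return (release, (major_build, minor_build)); edition is 'FIPS' or 'NDcPP'."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised version banner")
    release = m.group(1) + (f"-{edition}" if edition else "")
    return release, (int(m.group(2)), int(m.group(3)))


def build_is_affected(release, build):
    """True/False for releases on the advisory; None if the release is not listed."""
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None  # e.g. an end-of-life release the advisory does not cover
    return build < fixed  # tuple comparison: (43, 50) < (47, 46)


def has_gateway_role(ns_conf):
    return GATEWAY_RE.search(ns_conf) is not None


def assess(banner, ns_conf, edition=""):
    release, build = parse_version(banner, edition)
    unpatched = build_is_affected(release, build)
    gateway = has_gateway_role(ns_conf)
    # Exposed only when both conditions hold; unknown releases stay unknown.
    return {"release": release, "build": build, "unpatched": unpatched,
            "gateway_role": gateway, "exposed": bool(unpatched) and gateway}
```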
The emergence of CVE-2025-6543 coincides with another pressing issue in Citrix products, informally dubbed CitrixBleed 2 and tracked as CVE-2025-5777. This vulnerability allows attackers to hijack active user sessions by extracting authentication tokens from device memory, a tactic reminiscent of attacks seen in 2023, when a similar flaw, CitrixBleed, was leveraged against government agencies and major enterprises, often followed by lateral movement across internal networks.
Security experts emphasize that both vulnerabilities are classified as critical and warrant immediate attention from IT departments. In addition to patching, organizations are advised to closely monitor their network appliances, scrutinize active user sessions, and enforce stricter access policies.
As of now, Citrix has not disclosed further technical details regarding the exploitation of CVE-2025-6543.