Citrix has released security updates to address a critical flaw affecting NetScaler ADC that it said has been exploited in the wild.
The vulnerability, tracked as CVE-2025-6543, carries a CVSS score of 9.2 out of a maximum of 10.0.
It has been described as a case of memory overflow that could result in unintended control flow and denial-of-service. However, successful exploitation requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
The shortcoming impacts the following versions:
- NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
- NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
- NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP
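A quick inventory check against the fixed builds listed above, added here as an example rather than anything from Citrix: it parses advisory-style version strings (the `show version` banner format it accepts is an assumption, as is the `from_show_version` helper name) and reports whether an installed build is below the patched one for its branch.

```python
import re
from typing import Optional, Tuple

# Fixed builds from the advisory above, keyed by release branch.
# 12.1 and 13.0 are end-of-life and have no fixed build (None).
FIXED_BUILDS = {
    "14.1": "14.1-47.46",
    "13.1": "13.1-59.19",
    "13.1-FIPS": "13.1-37.236",   # also covers the NDcPP build
    "13.0": None,
    "12.1": None,
}

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")
# Assumed banner layout, e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
_BANNER_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

def parse_version(version: str) -> Tuple[str, int, int, bool]:
    """Split '14.1-47.46' or '13.1-37.236-FIPS' into
    (branch, build_major, build_minor, is_fips)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    branch, bmaj, bmin, fips = m.groups()
    return branch, int(bmaj), int(bmin), fips is not None

def from_show_version(banner: str) -> Optional[str]:
    """Extract an advisory-style version from a 'show version' banner
    (assumed format); returns None if the banner does not match."""
    m = _BANNER_RE.search(banner)
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}" if m else None

def is_vulnerable(version: str) -> bool:
    """True if the build is below the fixed build for its branch, or the
    branch is end-of-life with no fix. Raises for branches not listed."""
    branch, bmaj, bmin, fips = parse_version(version)
    key = f"{branch}-FIPS" if fips else branch
    if key not in FIXED_BUILDS:
        raise ValueError(f"branch {key} is not covered by the advisory")
    fixed = FIXED_BUILDS[key]
    if fixed is None:
        return True            # EOL branch: no fixed build exists
    _, fmaj, fmin, _ = parse_version(fixed)
    return (bmaj, bmin) < (fmaj, fmin)

if __name__ == "__main__":
    # Constructed sample banner, not captured from a real appliance
    v = from_show_version("NetScaler NS13.1: Build 58.32.nc, Date: Jan 1 2025")
    print(v, "vulnerable" if v and is_vulnerable(v) else "patched")
```

Version alone decides whether an upgrade is due; the Gateway or AAA virtual server precondition only affects exploitability, not whether the build needs patching.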
"Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities," Citrix said.
"Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities."
The company did not reveal how the flaw is being exploited in real-world attacks, but said "exploits of CVE-2025-6543 on unmitigated appliances have been observed."
The disclosure comes shortly after Citrix patched another critical-rated security flaw in NetScaler ADC (CVE-2025-5777, CVSS score: 9.3) that could be exploited by threat actors to gain access to susceptible appliances.
Update
Rapid7, in an advisory released on June 27, 2025, said the proviso that a vulnerable NetScaler instance must be configured as either a Gateway or an AAA virtual server to exploit CVE-2025-6543 is "common" and that it's "the same prerequisite for the 2023 vulnerability CVE-2023-4966 (aka Citrix Bleed), that saw broad exploitation in the wild at that time."
"CVE-2025-6543 is a memory overflow vulnerability leading to unintended control flow and denial-of-service," NetScaler said in an alert. "CVE-2025-5777 arises from insufficient input validation leading to memory overread."
The company also emphasized that there are no workarounds for either vulnerability beyond upgrading to a build that addresses them. "For customers with affected deployments, immediate installation of the recommended updates is critically important due to the identified severity of this vulnerability and evidence of active exploitation," Anil Shetty said.
In a related bulletin, Tenable noted that, unlike CVE-2025-6543, there is no evidence that CVE-2025-5777 was exploited as a zero-day. However, there are indications that it is currently being weaponized following public disclosure.
"CVE-2025-5777 is an out-of-bounds read vulnerability affecting Citrix NetScaler ADC and Gateway," security researcher Scott Caveza said. "Successful exploitation of this vulnerability would allow an attacker to read memory on an affected device, giving the attacker access to sensitive data including session tokens."
A threat actor could then use these session tokens to bypass multi-factor authentication (MFA) protections and take control over an authenticated session.
ReliaQuest said CVE-2025-5777 shares similarities with CVE-2023-4966 when it comes to bypassing authentication and enabling session hijacking, but also introduces new risks by targeting session tokens instead of session cookies.
"Session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions," the company said. "This means that attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session."