Dark Web Informer - Cyber Threat Intelligence

Security Advisory: Citrix NetScaler ADC / Gateway – CVE‑2025‑6543

Published: June 25, 2025
CVSS Score: 9.2 (Critical)
Affected Products:

  • NetScaler ADC & NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC & Gateway 13.1 prior to 13.1-59.19
  • End-of-life versions 13.0 and 12.1
  • NetScaler ADC 13.1-FIPS / NDcPP prior to 13.1-37.236-FIPS / NDcPP

🔍 Vulnerability Summary

A critical memory overflow, classified as CWE‑119, exists in Citrix NetScaler ADC and Gateway appliances when configured as VPN/ICA Proxy/CVPN/RDP Proxy or AAA virtual servers. It allows an unauthenticated remote attacker to control program flow, possibly triggering denial-of-service (DoS) or even enabling further compromise.

⚠️ Real-World Exploitation

Citrix confirms the vulnerability is already being exploited in the wild on unpatched systems. While technical details of the exploit remain undisclosed, Citrix and cybersecurity outlets report that targeting internal gateway functions has allowed remote, unauthenticated attackers to trigger the flaw.

✅ Mitigation & Recommendations

  1. Patch immediately: Upgrade to secure builds:
    • 14.1 → 14.1-47.46 or later
    • 13.1 → 13.1-59.19 or later
    • 13.1-FIPS/NDcPP → 13.1-37.236-FIPS/NDcPP or later
    • End-of-life 12.1 and 13.0 users must upgrade to supported versions
  2. Isolate vulnerable servers: If upgrades aren’t immediately possible, segment or restrict external access to affected NetScaler appliances.
  3. Enable logging and traffic monitoring: Spot unusual or malicious activity directed toward gateway services.
  4. Vendor guidance: Keep an eye on Citrix KB article CTX694788 for updates and patches.

🧩 Business & Security Impact

  • Confidentiality / Integrity / Availability: All three are at risk in configurations using affected proxy services.
  • Attack surface: Network-accessible VPN/RDP proxy servers are directly vulnerable, making exploits feasible even without user interaction or credentials.
  • Exploitability: High. Active exploitation means organizations running unpatched NetScaler ADC/Gateway appliances are at immediate risk.

📅 Timeline

  • June 25, 2025, 9:15 AM: CVE entry added by Citrix.
  • June 25, 2025 (same day): Emergency patches released and active exploitation publicly confirmed.

🔧 Action Plan for Administrators

| Task | Description |
|---|---|
| 1. Inventory | Identify all NetScaler ADC/Gateway instances, especially those acting as VPN, ICA/CVPN, RDP, or AAA proxies. |
| 2. Apply patches | Update affected versions to the secure builds ASAP. |
| 3. Tighten access | Use network ACLs/firewalls to limit access to vulnerable servers before patching. |
| 4. Monitor systems | Watch for anomalies, especially external connections triggering memory overflows. |
| 5. Keep informed | Check Citrix forums and CTX694788 for any further advisories or hotfixes. |
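
For the inventory step, the following added example (not code from Citrix or from the original advisory) classifies build strings against the fixed builds listed under Affected Products. The `NS13.1: Build 59.19.nc` input form, the requirement that FIPS/NDcPP builds carry that label in the string, and the sample hostnames are assumptions.

```python
import re

# First fixed build per (release, track), as listed in this advisory.
FIXED = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),  # 13.1-FIPS and 13.1-NDcPP
}
EOL = {"12.1", "13.0"}  # listed as affected, with no fixed build

# Accepts advisory notation ("13.1-59.19", "13.1-37.236-FIPS") and, as an
# assumption about inventory data, the "NS13.1: Build 59.19.nc" form.
_VER = re.compile(r"(?:NS)?(\d+\.\d+)\s*(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)
_FIPS = re.compile(r"fips|ndcpp", re.I)


def classify(version: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one build string."""
    m = _VER.search(version)
    if not m:
        return "unknown"
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    # The track must come from the label: 13.1-37.x alone does not say FIPS.
    track = "fips" if _FIPS.search(version) else "standard"
    if release in EOL and track == "standard":
        return "eol"
    fixed = FIXED.get((release, track))
    if fixed is None:
        return "unknown"  # release/track combination not covered by this advisory
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by status so 'vulnerable' and 'eol' are handled first."""
    out: dict[str, list[str]] = {}
    for host, version in inventory.items():
        out.setdefault(classify(version), []).append(host)
    return out


# Constructed sample inventory (hostnames and builds are made up for illustration).
SAMPLE = {
    "gw-edge-01": "14.1-43.50", "gw-edge-02": "NS14.1: Build 47.46.nc",
    "gw-dmz-01": "13.1-37.235-FIPS", "gw-dmz-02": "13.1-58.32",
    "gw-old-01": "13.0-92.31", "gw-lab-01": "15.0-1.1",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:10} {', '.join(hosts)}")
```

Treat `unknown` results as needing manual review rather than as safe.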

📝 Final Thoughts

CVE‑2025‑6543 represents a dangerous combination: a critical memory overflow in widely used Citrix appliances that is actively exploited. Organizations must prioritize patching and hardening their NetScaler deployments today. Delaying updates risks full compromise of VPN/Gateway infrastructure, leading to data breaches, operational disruptions, or worse.


(This advisory is based on publicly available details as of June 25, 2025.)
