CVE-2025-6543

9.8 CRITICAL CISA KEV

📋 TL;DR

A critical memory overflow vulnerability in NetScaler ADC and NetScaler Gateway allows attackers to manipulate control flow and cause denial of service. Organizations using these products as VPN gateways or AAA servers are affected. The vulnerability can be exploited without authentication.

💻 Affected Systems

Products:
  • NetScaler ADC
  • NetScaler Gateway
Versions: All supported versions prior to the fixed release
Operating Systems: NetScaler OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise leading to remote code execution, data exfiltration, and persistent backdoor installation.

🟠 Likely Case: Denial of service causing VPN/application access disruption and potential information disclosure through memory leaks.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, but still vulnerable to DoS attacks.

🌐 Internet-Facing: HIGH - Directly exploitable from internet when VPN/AAA services are exposed.
🏢 Internal Only: MEDIUM - Lower risk if properly segmented, but still vulnerable to internal threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CISA has added this CVE to its Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Citrix advisory CTX694788 for specific fixed versions

Vendor Advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788

Restart Required: Yes

Instructions:

1. Review Citrix advisory CTX694788
2. Download the appropriate firmware update
3. Back up the configuration
4. Apply the update during a maintenance window
5. Reboot the system
6. Verify the patch installation

🔧 Temporary Workarounds

Network Segmentation (all): Restrict access to vulnerable services to trusted networks only

Disable Unnecessary Services (all): Disable vulnerable configurations (Gateway or AAA virtual servers) if not required

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Deploy additional monitoring and intrusion detection for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Compare the running firmware build against the fixed builds listed in Citrix advisory CTX694788; any build below the fixed build for its release branch is vulnerable.

Check Version:

show version

Verify Fix Applied:

Confirm that the build reported by show version matches or exceeds the patched build for that release branch from the advisory.
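Worked example, added here and not part of the advisory or of any Citrix tooling: a small Python checker that parses the banner line of NetScaler's `show version` output and compares the running build against a per-branch table of fixed builds. The table below (`SAMPLE_FIXED_BUILDS`) and the sample banner are constructed placeholders for the demo; the real fixed builds must be copied from CTX694788. The regex assumes the banner has the form `NetScaler NS<release>: Build <build>.nc`.

```python
import re
from typing import Dict, Optional, Tuple

# Matches the banner line printed by `show version`, e.g.
#   NetScaler NS14.1: Build 12.34.nc, Date: ...
# Assumption: only this line needs parsing; FIPS/NDcPP build suffixes are ignored.
BANNER_RE = re.compile(r"NetScaler\s+NS(?P<release>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")

Build = Tuple[int, int]

# CONSTRUCTED placeholder table for the demo. Replace every value with the first
# fixed build for that release branch as listed in Citrix advisory CTX694788.
SAMPLE_FIXED_BUILDS: Dict[str, Build] = {
    "14.1": (20, 0),   # placeholder, not the advisory's number
    "13.1": (50, 10),  # placeholder, not the advisory's number
}

# CONSTRUCTED sample of `show version` output for the demo.
SAMPLE_OUTPUT = """\
        NetScaler NS14.1: Build 12.34.nc, Date: Jan 1 2025, 00:00:00   (64-bit)
 Done
"""


def parse_show_version(output: str) -> Optional[Tuple[str, Build]]:
    """Return (release_branch, (build_major, build_minor)), or None if no banner is found."""
    m = BANNER_RE.search(output)
    if not m:
        return None
    major, minor = m.group("build").split(".")
    return m.group("release"), (int(major), int(minor))


def classify(output: str, fixed_builds: Dict[str, Build]) -> str:
    """Classify a device as 'fixed', 'vulnerable', 'unsupported' (branch not in
    the table) or 'unknown' (output could not be parsed)."""
    parsed = parse_show_version(output)
    if parsed is None:
        return "unknown"          # unverified is not the same as safe
    release, build = parsed
    if release not in fixed_builds:
        return "unsupported"      # no fixed build listed for this branch; escalate
    # Builds within one release branch compare as (major, minor) tuples.
    return "fixed" if build >= fixed_builds[release] else "vulnerable"


if __name__ == "__main__":
    print(parse_show_version(SAMPLE_OUTPUT))
    print(classify(SAMPLE_OUTPUT, SAMPLE_FIXED_BUILDS))
```

The checker deliberately reports "unknown" and "unsupported" as separate states rather than folding them into "fixed": an unparseable banner or a release branch missing from the table should be escalated, not counted as patched.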

📡 Detection & Monitoring

Log Indicators:

  • Memory allocation errors
  • Process crashes
  • Unusual authentication attempts

Network Indicators:

  • Unexpected traffic patterns to VPN/AAA services
  • Connection spikes

SIEM Query:

source="netscaler" AND (event_type="crash" OR memory_usage>threshold)
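Added example (not from the advisory and not a NetScaler or SIEM product feature): a Python detector that applies the SIEM query above to a batch of log records and also flags the connection spikes listed under Network Indicators. The sample records are constructed for the demo in a simple key=value layout (not NetScaler's native syslog format); the memory threshold of 90 percent and the spike limit of 5 connections per 60-second window are assumed tuning values.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List

MEMORY_THRESHOLD = 90  # percent; assumed value for "threshold" in the SIEM query

# CONSTRUCTED sample events in a key=value layout chosen for this demo
# (not NetScaler's native log format). IPs are RFC 5737 documentation addresses.
SAMPLE_LOGS: List[str] = [
    "ts=2025-06-25T10:00:01 source=netscaler event_type=conn vserver=vpn_gw src=198.51.100.7",
    "ts=2025-06-25T10:00:02 source=netscaler event_type=memory memory_usage=72",
    "ts=2025-06-25T10:00:03 source=netscaler event_type=memory memory_usage=95",
    "ts=2025-06-25T10:00:04 source=netscaler event_type=crash process=nsppe",
    "ts=2025-06-25T10:00:05 source=firewall event_type=crash process=fwd",
] + [
    f"ts=2025-06-25T10:00:{10 + i:02d} source=netscaler event_type=conn vserver=aaa_vs src=203.0.113.{i + 1}"
    for i in range(8)
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict; tokens without '=' are ignored."""
    return dict(KV_RE.findall(line))


def matches_siem_query(rec: Dict[str, str], threshold: float = MEMORY_THRESHOLD) -> bool:
    """Python equivalent of:
    source="netscaler" AND (event_type="crash" OR memory_usage>threshold)"""
    if rec.get("source") != "netscaler":
        return False
    if rec.get("event_type") == "crash":
        return True
    try:
        return float(rec["memory_usage"]) > threshold
    except (KeyError, ValueError):
        return False  # no usable memory_usage field on this record


def find_alerts(lines: Iterable[str], threshold: float = MEMORY_THRESHOLD) -> List[Dict[str, str]]:
    """Return the records that satisfy the SIEM query, in input order."""
    return [rec for rec in map(parse_line, lines) if matches_siem_query(rec, threshold)]


def connection_spikes(lines: Iterable[str], window_seconds: int = 60, max_conns: int = 5) -> Dict[str, int]:
    """Count netscaler 'conn' events per fixed time window and return the
    windows (keyed by window start) whose count exceeds max_conns."""
    counts: Counter = Counter()
    for rec in map(parse_line, lines):
        if rec.get("source") == "netscaler" and rec.get("event_type") == "conn":
            ts = datetime.fromisoformat(rec["ts"])
            bucket = int(ts.timestamp()) // window_seconds
            counts[bucket] += 1
    return {datetime.fromtimestamp(b * window_seconds).isoformat(): n
            for b, n in counts.items() if n > max_conns}


if __name__ == "__main__":
    for rec in find_alerts(SAMPLE_LOGS):
        print("ALERT", rec)
    for start, n in connection_spikes(SAMPLE_LOGS).items():
        print("SPIKE", start, n, "connections")
```

On the sample data the query matches the 95 percent memory reading and the netscaler crash (the firewall crash is excluded by the `source` clause), and the nine connections within one minute exceed the spike limit. Fixed windows are simple and cheap; a sliding window would catch bursts that straddle a minute boundary at the cost of more state.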
