CISA Adds Citrix NetScaler CVE-2025-6543 to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical vulnerability affecting Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability, identified as CVE-2025-6543, has been actively exploited in the wild, posing significant risks to organizations utilizing these appliances.

Understanding CVE-2025-6543

CVE-2025-6543 is a memory overflow vulnerability that can lead to unintended control flow and denial-of-service (DoS) conditions. The flaw specifically impacts NetScaler ADC and NetScaler Gateway appliances configured as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an authentication, authorization, and accounting (AAA) virtual server. Successful exploitation of this vulnerability allows unauthenticated attackers to disrupt services, potentially leading to significant operational downtime.

Affected Versions

The vulnerability affects the following versions of NetScaler ADC and NetScaler Gateway:

– NetScaler ADC and NetScaler Gateway 14.1 before version 14.1-47.46

– NetScaler ADC and NetScaler Gateway 13.1 before version 13.1-59.19

– NetScaler ADC 13.1-FIPS and NDcPP before version 13.1-37.236-FIPS and NDcPP

Versions 12.1 and 13.0 have reached end-of-life and are also vulnerable; organizations still running them should upgrade to a supported version to mitigate the risk.

CISA’s Response and Recommendations

On June 30, 2025, CISA added CVE-2025-6543 to its KEV catalog, highlighting the active exploitation of this vulnerability. In accordance with Binding Operational Directive (BOD) 22-01, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate this vulnerability by July 21, 2025, to protect their networks against active threats. While this directive specifically applies to FCEB agencies, CISA strongly urges all organizations to prioritize the timely remediation of vulnerabilities listed in the KEV catalog as part of their vulnerability management practices.

Citrix’s Response and Mitigation Measures

Citrix has acknowledged the active exploitation of CVE-2025-6543 and has released security updates to address the issue. The company recommends that customers using affected NetScaler ADC and NetScaler Gateway instances upgrade to the following versions:

– NetScaler ADC and NetScaler Gateway 14.1 should be updated to version 14.1-47.46 or later.

– NetScaler ADC and NetScaler Gateway 13.1 should be updated to version 13.1-59.19 or later.

– NetScaler ADC 13.1-FIPS and NDcPP should be updated to version 13.1-37.236-FIPS and NDcPP or later.

For customers using NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0, which have reached end-of-life, Citrix advises upgrading to the latest supported versions to ensure protection against this vulnerability.
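The affected-version list and Citrix's fixed builds above reduce to a build-number comparison that is easy to get wrong by hand (the 13.1-FIPS/NDcPP branch uses a different build series from mainline 13.1, and the end-of-life releases have no fixed build at all). The following checker is an added example, not code from Citrix or CISA; it assumes inventory versions are written the way this advisory writes them ("14.1-47.46", "13.1-37.236-FIPS") and uses only the fixed builds quoted on this page.

```python
import re

# Fixed builds taken from the advisory text on this page, keyed by
# (release, security branch); builds compare as (major, minor) tuples.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "FIPS/NDcPP"): (37, 236),
}
# Releases the page lists as end-of-life and still vulnerable.
END_OF_LIFE = {"12.1", "13.0"}

# Assumed format "<release>-<build>[-FIPS|-NDcPP]", e.g. "14.1-47.46" or
# "13.1-37.236-FIPS"; adjust the pattern if your inventory records differ.
VERSION_RE = re.compile(
    r"^(?P<rel>\d+\.\d+)-(?P<b1>\d+)\.(?P<b2>\d+)(?:-(?P<branch>FIPS|NDcPP))?$"
)


def parse_version(text):
    """Return (release, (build_major, build_minor), branch) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch = "FIPS/NDcPP" if m["branch"] else "standard"
    return m["rel"], (int(m["b1"]), int(m["b2"])), branch


def assess(version):
    """Classify one appliance version against the CVE-2025-6543 fixed builds."""
    rel, build, branch = parse_version(version)
    if rel in END_OF_LIFE:
        return "end-of-life"   # vulnerable with no fixed build: migrate to a supported release
    fixed = FIXED_BUILDS.get((rel, branch))
    if fixed is None:
        return "unknown"       # release not covered by this advisory: check the vendor bulletin
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Map each (name, version) inventory entry to its status; bad strings are flagged, not dropped."""
    results = {}
    for name, version in inventory:
        try:
            results[name] = assess(version)
        except ValueError:
            results[name] = "unparseable"
    return results
```

Run `triage` over an exported appliance list; anything other than "patched" needs action, and appliances serving a Gateway or AAA virtual server should be handled first.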

Implications of the Vulnerability

The exploitation of CVE-2025-6543 can have severe consequences for organizations. By causing unintended control flow and DoS conditions, attackers can disrupt critical services, leading to operational downtime and potential financial losses. Moreover, the vulnerability’s presence in appliances configured as Gateways or AAA virtual servers means that remote access services, which are often essential for business operations, are particularly at risk.

Historical Context and Related Vulnerabilities

This is not the first time Citrix NetScaler products have been targeted. In January 2024, CISA added two other vulnerabilities—CVE-2023-6548 and CVE-2023-6549—to its KEV catalog. Both vulnerabilities were actively exploited zero-day flaws affecting NetScaler ADC and Gateway appliances. The recurrence of such critical vulnerabilities underscores the importance of maintaining up-to-date systems and implementing robust security measures.

Recommendations for Organizations

Organizations utilizing Citrix NetScaler ADC and Gateway appliances should take the following steps to mitigate the risks associated with CVE-2025-6543:

1. Immediate Patching: Apply the security updates provided by Citrix to the affected appliances without delay.

2. Upgrade End-of-Life Versions: If using versions 12.1 or 13.0, upgrade to the latest supported versions to ensure continued protection.

3. Review Configurations: Ensure that appliances are configured securely, especially if they are set up as Gateways or AAA virtual servers.

4. Monitor Systems: Implement continuous monitoring to detect any unusual activity that may indicate exploitation attempts.

5. Incident Response Planning: Develop and regularly update incident response plans to address potential security breaches promptly.

Conclusion

The addition of CVE-2025-6543 to CISA’s Known Exploited Vulnerabilities catalog serves as a critical reminder of the ever-present threats in the cybersecurity landscape. Organizations must remain vigilant, promptly apply security patches, and adhere to best practices to safeguard their systems against such vulnerabilities.