Citrix NetScaler ADC and NetScaler Gateway are affected by a critical memory overflow vulnerability, CVE-2025-6543 (CVSS v4.0 score 9.2). The flaw is only reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. Improper memory handling lets an unauthenticated remote attacker trigger a buffer overflow, which Citrix describes as leading to unintended control flow and denial of service (DoS); remote code execution (RCE) is the worst-case outcome for this bug class but has not been publicly demonstrated. Citrix reports that exploits against unmitigated appliances have been observed in the wild, so immediate patching is critical for every affected system.
This vulnerability is part of a broader pattern of memory-safety flaws in NetScaler. CVE-2025-5777, disclosed in June 2025 and widely called "CitrixBleed 2", is an out-of-bounds read on the same Gateway/AAA surface. The builds that fix CVE-2025-6543 are newer than the CVE-2025-5777 fixes, so one upgrade to the versions listed below closes both; treat the two as a single patch cycle and verify the build on every appliance, since upgrading does not undo a compromise that happened while the box was exposed.
Vulnerability Details
CVE ID: CVE-2025-6543
CVSS Score: 9.2 (Critical)
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Type: Memory overflow/buffer overflow (CWE-119)
Published: June 25, 2025 (Citrix advisory CTX694788)
Affected Versions: NetScaler ADC and Gateway 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and 13.1-FIPS/NDcPP before 13.1-37.236. EOL versions (12.1, 13.0) are also vulnerable—upgrade to a supported release. Check https://support.citrix.com for updates.
The Problem
Citrix has not published a root-cause analysis; the advisory describes a memory overflow in code reachable through Gateway or AAA virtual servers that leads to unintended control flow and denial of service. In this bug class, a request field is copied into a fixed-size buffer without an adequate length check, overruns the buffer, and corrupts adjacent memory. At minimum the packet processing engine crashes, which is the DoS seen in the wild; with enough control over the overwritten data an attacker can redirect execution, which is why RCE is the theoretical ceiling. The vulnerable handling sits in front of authentication, so no credentials are needed. Which field, endpoint, or protocol message triggers the overflow is not public, so do not assume that any particular filter rule catches it.
What’s Affected
This vulnerability affects NetScaler ADC and Gateway systems configured as:
- Gateway (VPN virtual server, including SSL VPN)
- ICA Proxy
- Clientless VPN (CVPN)
- RDP Proxy
- AAA virtual server
Affected Versions:
- NetScaler ADC and Gateway 14.1 before 14.1-47.46
- NetScaler ADC and Gateway 13.1 before 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236
- EOL versions (12.1, 13.0) are also vulnerable and require upgrading to a supported release
Fixed Versions:
- NetScaler ADC and Gateway 14.1-47.46
- NetScaler ADC and Gateway 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.236
Unaffected Systems:
NetScaler instances without Gateway or AAA configurations are not vulnerable.
Verification:
Confirm scope from the appliance, not from memory: show vpn vserver and show authentication vserver list any Gateway or AAA virtual servers (or search /nsconfig/ns.conf for "add vpn vserver" and "add authentication vserver"), and show ns version gives the build to compare against the fixed versions above. Note that show ns config prints system parameters such as the NSIP rather than the virtual server list, so it is not sufficient on its own. An appliance that only serves load-balancing or content-switching virtual servers is out of scope, but only if the running configuration shows no vpn or authentication vserver at all.
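The check above is easy to get wrong by hand across a fleet, so here is a small script that does it from saved CLI output. It is an added example, not a Citrix tool and not code from this advisory. It assumes the first line of show ns version has the form "NetScaler NS14.1: Build 47.46.nc, ..." and that a copy of the running configuration (ns.conf) is available; treating 13.1 builds numbered 37.x as the FIPS/NDcPP line is an assumption. The sample version string and configuration lines are constructed.

```python
"""Exposure check for CVE-2025-6543 from saved NetScaler CLI output.

Parses the first line of `show ns version` plus a copy of the running
configuration (ns.conf) and reports whether the appliance (a) carries a
Gateway (vpn) or AAA (authentication) virtual server and (b) runs a build
below the fixed one for its release line. Only appliances meeting both
conditions are affected. Added example, not Citrix tooling.
"""
import re

# Fixed builds per CTX694788: release line -> (build major, build minor)
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),   # covers both 13.1-FIPS and 13.1-NDcPP
}
EOL_LINES = {"12.1", "13.0"}  # vulnerable with no fix: upgrade the release

# First line of `show ns version`, e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")
# Only these vserver types put the appliance in scope; lb/cs vservers do not.
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver (\S+)", re.MULTILINE)


def parse_version(version_output):
    """Return (release line, (major, minor)) from `show ns version` text."""
    m = VERSION_RE.search(version_output)
    if m is None:
        raise ValueError("unrecognised 'show ns version' output")
    release, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    # Assumption: 13.1 builds numbered 37.x belong to the FIPS/NDcPP line.
    if release == "13.1" and major == 37:
        release = "13.1-FIPS"
    return release, (major, minor)


def build_is_fixed(release, build):
    """True if build >= fix, False if below the fix (or EOL), None if unknown line."""
    if release in EOL_LINES:
        return False
    fixed = FIXED_BUILDS.get(release)
    if fixed is None:
        return None
    return build >= fixed


def in_scope_vservers(config_text):
    """List (type, name) for every Gateway or AAA vserver in the config."""
    return VSERVER_RE.findall(config_text)


def assess(version_output, config_text):
    release, build = parse_version(version_output)
    fixed = build_is_fixed(release, build)
    vservers = in_scope_vservers(config_text)
    return {
        "release": release,
        "build": f"{build[0]}.{build[1]}",
        "patched": fixed,
        "vservers": vservers,
        # Affected only if a Gateway/AAA vserver exists AND the build is known-unfixed.
        "affected": bool(vservers) and fixed is False,
    }


# Constructed sample output (not taken from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 43.56.nc, Date: Jun 2 2025, 12:00:00"
SAMPLE_CONFIG = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
bind vpn vserver gw_vs -policy pol_auth -priority 100
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))
```

Run it against the two files you export per appliance; a result with "affected": True goes to the top of the patch queue, a result with "patched": None means the release line is not in the table and needs a manual check against CTX694788.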
Why This Matters
CVE-2025-6543 is a critical threat due to its remote exploitability, lack of authentication requirements, and active exploitation in the wild, making internet-facing NetScaler systems prime targets. Exploitation has been observed causing DoS conditions, with potential for RCE. As a key gateway for remote access and application delivery, a compromised NetScaler could disrupt virtual desktops, cloud services, or internal networks, amplifying the attack’s impact.
- No authentication needed – the vector is PR:N; attackers need no account or credentials
- Network accessible – AV:N; exploitable remotely over the internet against any exposed Gateway or AAA virtual server
- High impact – VC:H/VI:H/VA:H; can disrupt service, compromise system integrity, and expose data passing through the appliance
- Complex but feasible – AC:H and AT:P mean exploitation depends on conditions the attacker must engineer, yet Citrix has already observed it in the wild
For businesses, this means:
- Service outages affecting remote workers and customers
- Data breaches exposing sensitive information
- Loss of gateway protection, enabling lateral movement
- Violations of compliance frameworks like GDPR, HIPAA, PCI-DSS, or NIST 800-53
Recent trends in VPN-targeted attacks (e.g., ransomware campaigns) underscore the urgency of addressing this flaw. Understanding these risks early is crucial for effective security planning. Organizations can benefit from comprehensive vulnerability intelligence services like those offered by iZOOlogic to stay ahead of emerging threats and maintain robust security postures.
How It Works
A memory overflow occurs when NetScaler writes data beyond the allocated buffer, corrupting adjacent memory. Think of it like overfilling a cup – the extra liquid spills over and can damage nearby objects.
In normal operation:
- NetScaler processes Gateway or AAA requests within safe memory bounds
- It handles authentication and responds appropriately
With this vulnerability:
- A malicious payload (like an oversized HTTP POST request or crafted authentication packet) exceeds these bounds
- This overflow can overwrite critical structures like the stack or function pointers
- The corruption can crash the system or redirect program execution to attacker-controlled code
Exploitation requires precise knowledge of NetScaler’s memory layout, making it complex but feasible for skilled attackers.
What You Should Do Right Now
- Apply Patches (Urgent) – Install available patches immediately: 14.1-47.46, 13.1-59.19, or 13.1-37.236 (FIPS/NDcPP). See CTX694788
- Identify Affected Systems (Urgent) – Inventory all NetScaler deployments and confirm, per appliance, whether a Gateway or AAA virtual server exists (show vpn vserver, show authentication vserver) and which build it runs (show ns version)
- Restrict Access (High Priority) – Limit network access to trusted IP ranges via firewall rules or NetScaler Access Control Lists (ACLs)
- Enhance Monitoring (Ongoing) – Raise NetScaler syslog verbosity (set audit syslogParams -logLevel ALL), forward logs off-box to a SIEM such as Splunk, and capture traffic in front of the appliance (Wireshark or an IDS) so exploitation attempts and unusual traffic are visible even if the appliance crashes
- Audit Configurations (Proactive) – Disable unnecessary Gateway or AAA features to reduce attack surface
Temporary Protection
Patches are available and should be applied immediately as the primary mitigation. As additional layers of defense, or if patching is delayed:
Network Controls (High Impact, Easy) – Restrict access to NetScaler Gateway/AAA endpoints to trusted IP ranges using firewall rules or NetScaler ACLs
Web Application Firewall (Uncertain Impact, Moderate Effort) – WAF rules that drop oversized or malformed requests to Gateway/AAA paths may stop crude probes, but the trigger is not public, so any size cutoff (for example, blocking HTTP headers over 8 KB) is a guess rather than a known-good signature; do not count it as a mitigation
Rate Limiting (Moderate Impact, Easy) – Enable rate limiting on NetScaler to block excessive requests from a single source
Intrusion Detection (Moderate Impact, Complex) – Use IDS tools like Snort or Suricata to detect anomalous traffic patterns
Additional Authentication (No Impact on This Flaw, Complex) – Multi-factor authentication (MFA) on Gateway endpoints does not block a pre-authentication bug (PR:N); keep it to limit credential abuse after a compromise, not as a mitigation for CVE-2025-6543
*Important: These are supplementary measures. Apply Citrix patches immediately as the primary defense.
What to Watch For
Signs that someone might be exploiting this vulnerability (active exploitation has been observed):
- NetScaler systems crashing unexpectedly or experiencing DoS conditions
- Spikes in memory usage (use NetScaler GUI or stat system memory)
- Unusual traffic patterns, such as repeated large HTTP POST requests or malformed packets (use Wireshark or ELK Stack)
- Suspicious authentication failures in AAA logs
- Anomalous outbound connections from NetScaler, indicating potential C2 activity
- Evidence of exploitation attempts targeting Gateway or AAA endpoints
Keep detailed logs of:
- All system crashes and restarts
- Memory usage patterns (stat system memory) and verbose syslog (set audit syslogParams -logLevel ALL), forwarded off-box so a crash does not take the evidence with it
- Network connections to NetScaler
- Authentication attempts and failures
- Any unusual system behavior
Proactive Steps: Use SIEM tools like Splunk or ELK Stack for real-time analysis. Conduct threat hunting to identify exploitation attempts, focusing on oversized or malformed requests to Gateway/AAA endpoints. Given active exploitation, prioritize immediate detection and response capabilities.
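The hunting guidance above (oversized or repeated requests to Gateway/AAA endpoints, and requests that coincide with crashes) can be turned into a first-pass script over access logs collected in front of the appliance. This is an added example, not from Citrix or from the original page; because the real trigger is not public it flags behaviour for review rather than matching a signature. The log layout, the set of Gateway/AAA path prefixes, the 8 KB size threshold, and the five-hits-per-minute rule are all assumptions, and the log lines are constructed.

```python
"""Heuristic hunt for exploitation attempts against NetScaler Gateway/AAA endpoints.

The trigger for CVE-2025-6543 is not public, so this does not match a signature.
It flags behaviour worth a closer look: one source sending many oversized POSTs
to Gateway/AAA paths in a short window, and oversized POSTs that got a 5xx or
no response at all (a crashed packet engine shows up that way).
Added example, not Citrix tooling; thresholds and paths are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed URL prefixes that land on the Gateway/AAA surface.
GATEWAY_PREFIXES = ("/vpn/", "/cgi/", "/p/u/", "/nf/auth/", "/logon/")

# Assumed access-log layout from a proxy or IDS in front of the appliance:
#   <ISO timestamp> <client ip> "<method> <path>" <status> <request bytes>
# Status 000 is this log's convention for "no response received".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def oversized_gateway_posts(lines, size_threshold=8192):
    """Yield parsed records for large POSTs aimed at Gateway/AAA paths."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST"
                and rec["path"].startswith(GATEWAY_PREFIXES)
                and rec["req_bytes"] >= size_threshold):
            yield rec


def burst_sources(lines, min_hits=5, window=timedelta(seconds=60), **kw):
    """Map source -> peak number of oversized POSTs inside any `window`."""
    stamps = defaultdict(list)
    for rec in oversized_gateway_posts(lines, **kw):
        stamps[rec["src"]].append(rec["ts"])
    flagged = {}
    for src, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):      # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_hits:
            flagged[src] = peak
    return flagged


def failed_after_oversized(lines, **kw):
    """Map source -> count of oversized POSTs answered with 5xx or no response."""
    counts = defaultdict(int)
    for rec in oversized_gateway_posts(lines, **kw):
        if rec["status"] == "000" or rec["status"].startswith("5"):
            counts[rec["src"]] += 1
    return dict(counts)


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-06-26T10:00:01 192.0.2.5 "GET /vpn/index.html" 200 412
2025-06-26T10:00:03 192.0.2.5 "POST /cgi/login" 302 1388
2025-06-26T10:00:05 198.51.100.7 "POST /cgi/login" 200 65536
2025-06-26T10:00:06 198.51.100.7 "POST /cgi/login" 200 65536
2025-06-26T10:00:08 198.51.100.7 "POST /p/u/doAuthentication.do" 500 131072
2025-06-26T10:00:09 198.51.100.7 "POST /p/u/doAuthentication.do" 000 131072
2025-06-26T10:00:11 198.51.100.7 "POST /cgi/login" 000 131072
2025-06-26T10:00:12 203.0.113.9 "POST /vpn/index.html" 200 20000
2025-06-26T10:00:40 198.51.100.7 "POST /cgi/login" 000 131072
2025-06-26T10:03:00 198.51.100.7 "POST /cgi/login" 200 131072
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursts:", burst_sources(lines))
    print("failed:", failed_after_oversized(lines))
```

A source that appears in both outputs, as 198.51.100.7 does in the sample, is the one to pivot on: check the appliance's crash and restart times against those timestamps, and pull its other connections from the same window.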
Timeline
- June 25, 2025: Citrix published advisory CTX694788 for CVE-2025-6543 together with the fixed builds (14.1-47.46, 13.1-59.19, 13.1-37.236) and noted that exploits against unmitigated appliances had already been observed
- June 30, 2025: CISA added CVE-2025-6543 to its Known Exploited Vulnerabilities catalog
- Current: Actively exploited; apply patches immediately
Recommendations
Based on our analysis, here’s what we suggest:
- Apply Patches (Urgent) – Install available patches immediately: 14.1-47.46, 13.1-59.19, or 13.1-37.236 (FIPS/NDcPP). See CTX694788
- Inventory Systems (Urgent) – Use a scanner such as Nessus or manual checks (show ns version, show vpn vserver, show authentication vserver) to identify NetScaler Gateway/AAA deployments and the build each one runs
- Enhance Monitoring (High Priority) – Deploy Splunk or ELK Stack to monitor NetScaler logs for signs of exploitation (e.g., crash events, oversized requests)
- Implement Additional Controls (Ongoing) – Apply firewall ACLs and WAF rules to filter malicious traffic as supplementary protection
- Harden Configurations (Proactive) – Disable unused virtual servers and enable secure defaults
- Stay Informed (Ongoing) – Subscribe to Citrix’s security RSS feed and monitor iZOOlogic vulnerability service for updates
Final Note
CVE-2025-6543 is a critical, actively exploited memory overflow flaw in Citrix NetScaler Gateway and AAA servers with a CVSS score of 9.2. Patches are available and should be applied immediately (versions 14.1-47.46, 13.1-59.19, or 13.1-37.236), supplemented by additional security controls as needed.
This incident highlights the importance of proactive security monitoring and having emergency response procedures ready for critical infrastructure components, especially given the active exploitation observed in the wild.
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6543
- Citrix Advisory: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
- CWE-119: https://cwe.mitre.org/data/definitions/119.html
- iZOOlogic Vulnerability Intelligence: https://staging.izoologic.com/vulnerability-intelligence/
