CitrixBleed2: Citrix Releases Emergency Patches for Actively Exploited CVE-2025-6543

Citrix has urgently released security updates to address a critical memory overflow vulnerability, CVE-2025-6543, affecting NetScaler ADC and NetScaler Gateway. With a CVSS score of 9.2, this flaw is actively exploited in the wild, making immediate patching essential to prevent potential denial-of-service (DoS) attacks. This vulnerability poses a significant risk, particularly for appliances configured as a Gateway or AAA virtual server.

Root Cause

The vulnerability stems from a memory overflow in NetScaler ADC and NetScaler Gateway. According to Citrix, the overflow can lead to unintended control flow and ultimately to a denial-of-service condition; it is classified as CWE-119, improper restriction of operations within the bounds of a memory buffer. Successful exploitation requires the targeted NetScaler instance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server, configurations commonly found in many organizations.

Affected Products

The vulnerability impacts the following versions of NetScaler ADC and NetScaler Gateway:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP

According to the vendor, the vulnerability also affects Secure Private Access on-prem and Secure Private Access Hybrid deployments that use NetScaler instances.

Impact & Exploit Potential

Successful exploitation of CVE-2025-6543 can lead to a denial-of-service condition, causing the affected NetScaler ADC or Gateway appliance to go offline. Exploits of CVE-2025-6543 on unmitigated appliances have been confirmed, underscoring the urgency for administrators to apply the necessary patches. The vulnerability can be triggered by unauthenticated remote requests, amplifying the risk.

Cybersecurity experts have referred to recent NetScaler vulnerabilities, including CVE-2025-6543, as “Citrix Bleed 2,” drawing parallels to the widely exploited Citrix Bleed vulnerability from 2023. Ransomware gangs and nation-state actors leveraged the earlier vulnerability to infiltrate numerous government organizations and major companies.

Mitigation & Recommendations

The primary mitigation strategy is to upgrade NetScaler instances to the following patched versions immediately:

  • NetScaler ADC and NetScaler Gateway 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.236-FIPS and NDcPP

Citrix urges customers to upgrade their NetScaler instances to these recommended builds to address the vulnerabilities. In addition to patching, organizations should closely monitor their NetScaler instances for unusual user sessions and abnormal behavior.

As a further precaution, it is recommended that all active sessions be terminated after patching, using the commands “kill icaconnection -all” and “kill pcoipConnection -all”, because session tokens may have been stolen before the patch was applied. It is also noted that many organizations failed to terminate sessions after patching CitrixBleed in 2023, leading to further compromises.
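As an added defender-side example (not Citrix code or the advisory's own tooling), the checker below compares a NetScaler build string against the affected and fixed builds listed above and returns the remediation steps from this section; the build-label format, the status names and the `remediation` helper are assumptions of the example.

```python
"""Check a NetScaler ADC / Gateway build against the CVE-2025-6543 fixed builds
in this advisory. Added example, not Citrix tooling. Assumes build labels of the
form "<branch>-<build>.<rev>[-FIPS|-NDcPP]", e.g. "13.1-37.236-FIPS"."""
import re
from typing import List, Tuple

# First fixed build per branch, from the advisory. Key: (branch, is_fips).
FIXED_BUILDS = {("14.1", False): (47, 46), ("13.1", False): (59, 19),
                ("13.1", True): (37, 236)}       # 13.1-FIPS and NDcPP
EOL_BRANCHES = {"12.1", "13.0"}    # vulnerable with no fix: migrate off them
# Session-termination commands the advisory says to run after patching.
POST_PATCH_COMMANDS = ("kill icaconnection -all", "kill pcoipConnection -all")
_BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")

def parse_build(s: str) -> Tuple[str, Tuple[int, int], bool]:
    """'13.1-37.236-FIPS' -> ('13.1', (37, 236), True)."""
    m = _BUILD_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {s!r}")
    branch, build, rev, suffix = m.groups()
    return branch, (int(build), int(rev)), suffix is not None

def assess(build: str, gateway_or_aaa: bool = True) -> str:
    """gateway_or_aaa: a Gateway or AAA vserver is configured, which the
    advisory gives as the precondition for exploitation."""
    branch, ver, fips = parse_build(build)
    if branch in EOL_BRANCHES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return "unknown-branch"
    if ver >= fixed:   # tuple compare: build number first, then revision
        return "patched"
    return "vulnerable" if gateway_or_aaa else "not-exposed"

def remediation(build: str) -> List[str]:
    """Upgrade target followed by the session kills; empty if already patched."""
    status = assess(build)
    if status == "patched":
        return []
    if status == "unknown-branch":
        return ["check the vendor advisory for this branch"]
    branch, _, fips = parse_build(build)
    if status == "end-of-life":
        target = "a supported branch (14.1-47.46 or 13.1-59.19)"
    else:
        b, r = FIXED_BUILDS[(branch, fips)]
        target = f"{branch}-{b}.{r}" + ("-FIPS/NDcPP" if fips else "")
    return [f"upgrade to {target}", *POST_PATCH_COMMANDS]
```

Note that a non-FIPS 13.1 appliance on 13.1-37.236 is still unpatched: the 37.236 threshold applies only to the FIPS/NDcPP builds, while standard 13.1 needs 13.1-59.19.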

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.