CVE-2025-6543
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability - [Actively Exploited]
Description
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
INFO
Published Date :
June 25, 2025, 1:15 p.m.
Last Modified :
July 1, 2025, 6:19 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-6543
Affected Products
The following products are affected by CVE-2025-6543
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | CRITICAL | [email protected] |
Solution
- Update NetScaler ADC and NetScaler Gateway.
- Apply the relevant security patches.
Public PoC/Exploit Available at Github
CVE-2025-6543 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-6543.
| URL | Resource |
|---|---|
| https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-6543 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-6543
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Shell
None
Shell
None
Python
Multi-host, multi-port scanner and auditor for CVE-2025-6543-affected NetScaler devices. Supports SNMP and SSH enumeration with optional CSV reporting and exploit stubs.
Python
详细讲解CitrixBleed 2 — CVE-2025-5777(越界泄漏)PoC 和检测套件
Python
Citrix Bleed 2 PoC
Python
Script para determinar si Citrix es vulnerable al CVE-2025-6543
Python
None
HTML Python Shell
CISA Bot is a GitHub bot that automatically monitors the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. When new vulnerabilities are published in the KEV, the bot creates GitHub issues in this repository with detailed information about each vulnerability.
Python
None
Technical notes, AD pentest methodology, list of tools, scripts and Windows commands that I find useful during internal penetration tests and assumed breach exercises (red teaming)
PowerShell C#
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-6543 vulnerability anywhere in the article.
-
security.nl
NCSC-script kan ook misbruik van nieuwe Citrix-lekken detecteren
Het Nationaal Cyber Security Centrum (NCSC) heeft een eerder gepubliceerd script aangepast zodat organisaties webshells op hun Citrix-systemen kunnen detecteren die daar via nieuwe kwetsbaarheden op z ... Read more
-
Daily CyberSecurity
URGENT: NetScaler Zero-Day CVE-2025-7775 Under Active Attack
The Cloud Software Group (CSG) has released urgent security updates to address three high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances. The flaws, tracked as CVE-2 ... Read more
-
Help Net Security
NetScaler ADC/Gateway zero-day exploited by attackers (CVE-2025-7775)
Three new vulnerabilities affecting (Citrix) NetScaler application delivery controller (ADC) and Gateway devices have been made public, one of which (CVE-2025-7775) has been targeted in zero-day attac ... Read more
-
BleepingComputer
Over 800 N-able servers left unpatched against critical flaws
Over 800 N-able N-central servers remain unpatched against a pair of critical security vulnerabilities tagged as actively exploited last week. N-central is a popular platform used by many managed serv ... Read more
-
Help Net Security
Week in review: 2 threat actors exploiting WinRAR 0-day, Microsoft fixes “BadSuccessor” Kerberos flaw
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: WinRAR zero-day was exploited by two threat actors (CVE-2025-8088) The RomCom attackers aren’t the onl ... Read more
-
BleepingComputer
Plex warns users to patch security vulnerability immediately
Plex has notified some of its users on Thursday to urgently update their media servers due to a recently patched security vulnerability. The company has yet to assign a CVE-ID to track the flaw and di ... Read more
-
The Cyber Express
CISA Warns of Active Exploits in N-able N-central, Urges Upgrade to 2025.3.1
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-risk vulnerabilities in N-able N-central to its Known Exploited Vulnerabilities (KEV) catalog, warning organizations ... Read more
-
The Cyber Express
Fortinet Issues Emergency Patch for Actively Exploited Critical FortiSIEM Bug
Fortinet has urgently notified users of a critical OS command injection vulnerability in its FortiSIEM platform, identified as CVE-2025-25256, which is now being actively exploited in the wild. Accord ... Read more
-
BleepingComputer
Pennsylvania attorney general's email, site down after cyberattack
The Office of the Pennsylvania Attorney General has announced that a recent cyberattack has taken down its systems, including landline phone lines and email accounts. As Attorney General Dave Sunday r ... Read more
-
security.nl
NCSC publiceert scripts voor controleren van Citrix-systemen
Het Nationaal Cyber Security Centrum (NCSC) heeft vandaag op GitHub twee scripts gepubliceerd waarmee organisaties zelf kunnen controleren of hun Citrix-systemen zijn gecompromitteerd. Afgelopen maand ... Read more
-
The Cyber Express
Microsoft Teams CVE-2025-53783 Vulnerability Could Allow Remote Code Execution
Microsoft has disclosed a serious vulnerability in its collaboration platform, Microsoft Teams, that could open the door to Remote Code Execution (RCE) attacks. The flaw, tracked as CVE-2025-53783, ca ... Read more
-
The Cyber Express
Adobe Patch Tuesday Fixes Over 60 Vulnerabilities Across 13 Products
Adobe has issued a new set of security patches addressing more than 60 vulnerabilities across 13 of its widely used software products. This update, part of the company’s routine Adobe Patch Tuesday cy ... Read more
-
CybersecurityNews
17,000+ VMware ESXi Servers Vulnerable to Critical Integer-Overflow Vulnerability
More than 17,000 VMware ESXi installations worldwide are at risk from a severe integer-overflow vulnerability tracked as CVE-2025-41236 (CVSS 9.3), cybersecurity researchers warn. This critical vulner ... Read more
-
CybersecurityNews
Critical Zoom Clients for Windows Vulnerability Lets Attackers Escalate Privileges
Zoom has disclosed a critical vulnerability affecting multiple Windows-based clients, potentially allowing attackers to escalate privileges and compromise user systems. Designated as CVE-2025-49457 un ... Read more
-
CybersecurityNews
Ivanti Connect Secure, Policy Secure and ZTA Vulnerabilities Let Attackers Trigger DoS Attack
Ivanti has released critical security updates addressing multiple high and medium-severity vulnerabilities across its Connect Secure, Policy Secure, and Zero Trust Access (ZTA) gateway products. The v ... Read more
-
CybersecurityNews
7000+ Citrix NetScaler Devices Still Vulnerable to CVE-2025-5777 and CVE-2025-6543
Over 7,000 Citrix NetScaler appliances remain unpatched against two critical vulnerabilities: CVE-2025-5777 and CVE-2025-6543. Despite multiple advisories from Citrix, CISA’s KEV catalog entries, and ... Read more
-
Help Net Security
Netscaler vulnerability was exploited as zero-day for nearly two months (CVE-2025-6543)
FortiGuard Labs has reported a dramatic spike in exploitation attempts targeting Citrix Bleed 2, a critical buffer over‑read flaw (CVE‑2025‑5777) affecting Citrix NetScaler ADC (Application Delivery C ... Read more
-
BleepingComputer
Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were re ... Read more
-
The Cyber Express
APT-Style Attacks Exploit CVE-2025-6543 in Dutch Critical Organizations
The Dutch National Cyber Security Centre (NCSC) has confirmed that a serious vulnerability in Citrix NetScaler systems, identified as CVE-2025-6543, has been exploited in targeted attacks against mult ... Read more
-
The Hacker News
Dutch NCSC Confirms Active Exploitation of Citrix NetScaler CVE-2025-6543 in Critical Sectors
Aug 12, 2025Ravie LakshmananVulnerability / Threat Intelligence The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw ... Read more
The following table lists the changes that have been made to the
CVE-2025-6543 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Jul. 01, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:* versions from (including) 13.1 up to (excluding) 13.1-59.19 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:* versions from (including) 13.1 up to (excluding) 13.1-37.236 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:* versions from (including) 14.1 up to (excluding) 14.1-47.46 *cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:* versions from (including) 13.1 up to (excluding) 13.1-37.236 Added CPE Configuration OR *cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* versions from (including) 13.1 up to (excluding) 13.1-59.19 *cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:* versions from (including) 14.1 up to (excluding) 14.1-47.46 Added Reference Type Citrix Systems, Inc.: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 Types: Vendor Advisory -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Jul. 01, 2025
Action Type Old Value New Value Added Date Added 2025-06-30 Added Due Date 2025-07-21 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability -
New CVE Received by [email protected]
Jun. 25, 2025
Action Type Old Value New Value Added Description Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server Added CVSS V4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-119 Added Reference https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788