On June 25, 2025, the Cloud Software Group alerted the public to a security vulnerability designated as CVE-2025-6543, which impacts both the NetScaler ADC and NetScaler Gateway. This concerning development has raised alarms within the cybersecurity community.
Describing CVE-2025-6543 as a "Memory overflow vulnerability leading to unintended control flow and Denial of Service," the vendor rated the issue critical with a CVSSv4 score of 9.2. "The vulnerability does not require authentication or user interaction, making it particularly dangerous," said Stephen Fewer, a cybersecurity expert. The rated impact on the Confidentiality, Integrity, and Availability of a targeted system is high, which is why the vulnerability is treated as posing an unauthenticated remote code execution (RCE) risk.
The gravity of this situation is heightened by the fact that exploitation has already been observed. The vendor's security bulletin confirmed that CVE-2025-6543 was exploited as a zero-day vulnerability by an unidentified threat actor before the advisory was even published. As it stands, no public exploit code is available, which leaves organizations on high alert.
To be vulnerable, the affected NetScaler instance must be configured as either a Gateway or an AAA virtual server, both commonplace configurations that many organizations employ. This mirrors the configuration precondition of the earlier CVE-2023-4966, known as CitrixBleed, which saw extensive real-world exploitation.
In an update on June 26, 2025, the vendor released a blog post to clarify the specifics related to CVE-2025-6543 and its relationship to CVE-2025-5777, which was disclosed shortly before, and the earlier CVE-2023-4966. The blog confirmed that CVE-2025-6543 is the only one currently exploited in the wild, clarifying that it is not connected to the other vulnerabilities.

Further escalating the urgency, on June 30, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6543 to its Known Exploited Vulnerabilities (KEV) catalog, alerting businesses and organizations to the critical nature of this vulnerability.
In response to the identified risks, the vendor has rapidly provided patches for affected versions of NetScaler ADC and NetScaler Gateway. Users are strongly advised to update their systems as soon as possible:
- For NetScaler ADC and Gateway version 14.1, update to version 14.1-47.46 or higher.
- For version 13.1, update to version 13.1-59.19 or higher.
- Specifically for NetScaler ADC 13.1-FIPS, users must directly contact NetScaler support for the required update version.
- Likewise, those on version 13.1-NDcPP 13.1-37.236 should reach out to customer support for necessary upgrades.
Unfortunately, the vendor has indicated that versions 12.1 and 13.0 of the NetScaler ADC and Gateway have reached their End of Life and will not receive patches. This leaves those users vulnerable to exploits and places them at significant risk.
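As an added example (not code from the advisory or the vendor), a small Python triage helper that encodes the fixed builds, the End-of-Life trains, the FIPS/NDcPP "contact support" cases and the Gateway/AAA precondition listed above. The `major.minor-build.sub` version-string format and the sample builds in the usage block are assumptions for illustration, not values taken from the advisory.

```python
"""Triage helper for CVE-2025-6543: classify a NetScaler ADC/Gateway build
against the fixed versions published in the vendor advisory."""
import re

# Minimum fixed build per release train, as published for CVE-2025-6543.
FIXED_BUILDS = {"14.1": (47, 46), "13.1": (59, 19)}
# Trains the vendor declared End of Life: no patch will be shipped.
EOL_TRAINS = {"12.1", "13.0"}
# Hardened variants whose fix build is only available via NetScaler support.
CONTACT_SUPPORT_VARIANTS = {"FIPS", "NDCPP"}

# Assumed input format: "<major>.<minor>-<build>.<sub>", e.g. "14.1-47.46".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def build_status(version: str, variant: str = "") -> str:
    """Return one of: patched, vulnerable, eol-unpatched, contact-support,
    unknown-train. `variant` is "FIPS" or "NDcPP" for the hardened builds."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    train = f"{major}.{minor}"
    if train in EOL_TRAINS:
        return "eol-unpatched"           # 12.1 / 13.0: upgrade the train itself
    if variant.upper() in CONTACT_SUPPORT_VARIANTS:
        return "contact-support"         # advisory gives no public build number
    fixed = FIXED_BUILDS.get(train)
    if fixed is None:
        return "unknown-train"           # not covered by the advisory text
    # "x.y-a.b or higher" -> tuple comparison on (build, sub)
    return "patched" if (build, sub) >= fixed else "vulnerable"


def triage(version: str, variant: str = "", gateway_or_aaa: bool = True) -> str:
    """Combine build status with the advisory's configuration precondition:
    only instances configured as a Gateway or AAA virtual server are exposed."""
    status = build_status(version, variant)
    if status in ("vulnerable", "eol-unpatched") and not gateway_or_aaa:
        return status + "-precondition-absent"   # still patch, lower urgency
    return status


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for ver, var, exposed in [("14.1-43.50", "", True), ("13.1-59.19", "", True),
                              ("13.1-37.236", "NDcPP", True), ("13.0-92.21", "", False)]:
        print(f"{ver:<12} {var or '-':<6} exposed={exposed!s:<5} -> {triage(ver, var, exposed)}")
```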
The urgency surrounding CVE-2025-6543 requires organizations to take immediate action to protect their systems. Cybersecurity experts emphasize that users should not only apply the necessary updates but also ensure that their configurations are secure in light of the threat posed by this vulnerability.

