Citrix has released security patches to fix a critical vulnerability affecting NetScaler ADC, which the company confirmed has been actively exploited.
The flaw, identified as CVE-2025-6543, has a CVSS severity score of 9.2 out of 10.
The issue is described as a memory overflow vulnerability that could lead to unintended control flow and denial of service. It is only exploitable when the appliance is configured as a Gateway (a VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server.
The vulnerability affects the following versions:
- NetScaler ADC and NetScaler Gateway 14.1 versions before 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 versions before 13.1-59.19
- NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (which are both vulnerable and no longer supported)
- NetScaler ADC 13.1-FIPS and NDcPP versions before 13.1-37.236-FIPS and NDcPP
Citrix also noted that Secure Private Access on-premises or hybrid deployments using affected NetScaler instances are impacted. Customers are advised to update their NetScaler devices to the recommended versions to protect against the vulnerability.
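The affected-version list and the Gateway/AAA precondition above lend themselves to a quick inventory triage. The following is an added example, not code from Citrix or from the article: it parses NetScaler build strings of the form `major.minor-build.patch` (with an optional `-FIPS`/`-NDcPP` suffix, which the advisory covers with a single fixed build), compares them against the fixed builds named above, treats the end-of-life 12.1 and 13.0 branches as always affected, and then ranks each host by whether it also runs one of the exposed roles. The version-string format, the role names and the inventory records are assumptions for illustration.

```python
import re

# Fixed builds taken from the advisory text above: anything below these is affected.
# FIPS and NDcPP builds share one threshold, so both suffixes map to the "13.1-FIPS" key.
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),
}

# Branches that are vulnerable and no longer supported: no fixed build exists.
EOL_BRANCHES = {"12.1", "13.0"}

# Roles under which the advisory says the flaw is exploitable (names are assumed).
EXPOSED_ROLES = {"vpn_vserver", "ica_proxy", "cvpn", "rdp_proxy", "aaa_vserver"}

# Assumed version-string shape, e.g. "14.1-47.46" or "13.1-37.236-FIPS".
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)-(?P<build>\d+)\.(?P<patch>\d+)"
    r"(?P<suffix>-FIPS|-NDcPP)?$"
)


def parse_version(version):
    """Return (branch_key, (build, patch)) for a NetScaler version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = f"{m['major']}.{m['minor']}"
    if m["suffix"]:
        branch += "-FIPS"  # FIPS and NDcPP share the 13.1-37.236 threshold
    return branch, (int(m["build"]), int(m["patch"]))


def is_affected(version):
    """True if the build is below the fixed build for its branch (or the branch is EOL)."""
    branch, build = parse_version(version)
    if branch in EOL_BRANCHES:
        return True
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        # Unknown branch: refuse to guess rather than silently report "patched".
        raise ValueError(f"no fixed build known for branch {branch}")
    return build < fixed  # tuple comparison: build number first, then patch


def triage(version, roles):
    """Classify one appliance for prioritisation.

    'patched'          - build is at or above the fixed build
    'exploitable'      - affected build AND an exposed Gateway/AAA role is configured
    'vulnerable-build' - affected build but none of the exposed roles (still patch it)
    """
    if not is_affected(version):
        return "patched"
    if set(roles) & EXPOSED_ROLES:
        return "exploitable"
    return "vulnerable-build"


def scan_inventory(inventory):
    """Map host name -> triage result for a list of (host, version, roles) records."""
    return {host: triage(version, roles) for host, version, roles in inventory}


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    ("ns-edge-01", "14.1-47.45", {"vpn_vserver"}),
    ("ns-edge-02", "14.1-47.46", {"vpn_vserver"}),
    ("ns-lb-01", "13.1-58.100", {"lb_vserver"}),
    ("ns-legacy-01", "13.0-92.21", {"ica_proxy"}),
    ("ns-fips-01", "13.1-37.236-NDcPP", {"aaa_vserver"}),
]

if __name__ == "__main__":
    for host, status in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {status}")
```

Hosts reported as `exploitable` should be patched first; `vulnerable-build` hosts are not exploitable by the stated precondition but still run an affected build and should follow immediately, since a later configuration change would expose them. The parser deliberately raises on unknown branches instead of reporting them as patched.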
Although Citrix has not provided specific details about how attackers are exploiting the flaw, it confirmed that unpatched systems have already been targeted.
This announcement follows another recent patch from Citrix for a separate critical vulnerability in NetScaler ADC, identified as CVE-2025-5777, which had a slightly higher CVSS score of 9.3 and could also be used by attackers to gain access to vulnerable systems.