
CVE-2025-6543: Zero Day Exploitation of NetScaler ADC and NetScaler Gateway

Last updated on Jul 1, 2025

Overview

On June 25, 2025, Cloud Software Group published a security bulletin for CVE-2025-6543, a new vulnerability affecting NetScaler ADC and NetScaler Gateway.

The vendor has described CVE-2025-6543 as a “Memory overflow vulnerability leading to unintended control flow and Denial of Service”. While this description is vague, the vendor-supplied CVSSv4 score of 9.2 (Critical) indicates that an attacker needs neither privileges nor user interaction to exploit the vulnerability. The impact on a target system is rated High for all three vulnerable system impact metrics: Confidentiality, Integrity, and Availability. The CVSS score, together with the description of “unintended control flow”, is therefore a strong indication that this vulnerability is an unauthenticated remote code execution (RCE) issue.

The vendor has indicated in the initial publication of their security bulletin that exploitation of CVE-2025-6543 has been observed. This means CVE-2025-6543 was exploited as a zero day, by a currently unknown threat actor, prior to the publication of the vendor advisory. There is no known public exploit code available at this time.

In order for CVE-2025-6543 to be exploitable, a vulnerable NetScaler instance must be configured as either a Gateway or an AAA virtual server. This configuration prerequisite is common, and it is the same prerequisite as for the 2023 vulnerability CVE-2023-4966 (aka CitrixBleed), which saw broad exploitation in the wild at that time.

On June 26, 2025, the vendor published a blog post clarifying details of the recently disclosed and exploited CVE-2025-6543, the NetScaler vulnerability CVE-2025-5777 disclosed on June 17, 2025, and the 2023 vulnerability CVE-2023-4966. The post confirms that only CVE-2025-6543 has been observed as exploited in the wild, and that CVE-2025-6543 is not related to either CVE-2025-5777 or CVE-2023-4966.

On June 30, 2025, CVE-2025-6543 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV).

Mitigation guidance

The vendor has provided patches for the following versions under support. Customers running affected NetScaler ADC and NetScaler Gateway instances are advised to apply the vendor-supplied patches on an urgent basis.

  • NetScaler ADC and NetScaler Gateway 14.1 should be updated to version 14.1-47.46 or above

  • NetScaler ADC and NetScaler Gateway 13.1 should be updated to version 13.1-59.19 or above

  • NetScaler ADC 13.1-FIPS should be updated to a later version of 13.1-FIPS. Customers of this product must directly contact NetScaler support to request the appropriate version.

  • NetScaler ADC 13.1-NDcPP 13.1-37.236 should be updated to a later version of 13.1-NDcPP. Customers of this product must directly contact NetScaler support to request the appropriate version.

The vendor has indicated that NetScaler ADC and NetScaler Gateway 12.1 and 13.0 have reached their End of Life (EOL) and, as such, are no longer under support and will not receive a patch. The vendor has confirmed that the EOL versions of the product are vulnerable. Customers running EOL products are urged to update to the latest version of a supported product.

For the latest mitigation guidance, please refer to the vendor advisory.
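The following is an added triage example, not code from Rapid7 or from the NetScaler vendor. It combines the two facts a defender needs from this advisory: the fixed builds listed above (14.1-47.46 and 13.1-59.19, with 12.1 and 13.0 as EOL and the FIPS/NDcPP lines as "contact vendor"), and the configuration prerequisite that the appliance be configured as a Gateway or AAA virtual server. It assumes that a build is given either in the `14.1-47.46` form used in the bulletin or in the `NetScaler NS14.1: Build 47.46.nc` form printed by `show version`, and that an `ns.conf` declares those virtual servers with `add vpn vserver` and `add authentication vserver` lines; the sample configuration embedded below is constructed for the example.

```python
"""Added example (not Rapid7's or NetScaler's code): triage a NetScaler
ADC/Gateway instance against the CVE-2025-6543 fixed builds and the
Gateway/AAA configuration prerequisite from the vendor bulletin."""
import re
from typing import List, Optional, Tuple

# Fixed builds from the vendor bulletin, keyed by release branch.
FIXED_BUILDS = {"14.1": (47, 46), "13.1": (59, 19)}

# Branches the vendor lists as end-of-life: vulnerable, no patch available.
EOL_BRANCHES = {"12.1", "13.0"}

# Product lines for which the bulletin gives no build number (contact support).
CONTACT_VENDOR_LINES = ("13.1-FIPS", "13.1-NDcPP")

# "14.1-47.46" or "14.1-47.46.nc" (assumed bulletin-style form).
_DASH_FORM = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)")
# "NetScaler NS14.1: Build 47.46.nc, Date: ..." (assumed `show version` form).
_SHOW_VERSION_FORM = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_build(text: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Return (branch, (build, sub_build)), e.g. ("14.1", (47, 46)), or None."""
    for pattern in (_DASH_FORM, _SHOW_VERSION_FORM):
        m = pattern.search(text.strip())
        if m:
            return m.group(1), (int(m.group(2)), int(m.group(3)))
    return None


def build_status(version_text: str, product_line: str = "") -> str:
    """One of: patched, vulnerable, eol, contact_vendor, unknown."""
    if product_line in CONTACT_VENDOR_LINES:
        return "contact_vendor"
    parsed = parse_build(version_text)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    if branch in EOL_BRANCHES:
        return "eol"
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison is lexicographic: (47, 100) > (47, 46) > (46, 9).
    return "patched" if build >= fixed else "vulnerable"


# Lines that declare the vserver types named in the exploitability prerequisite.
_VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)", re.MULTILINE)


def exposed_vservers(ns_conf: str) -> List[Tuple[str, str]]:
    """List (kind, name) for every Gateway ('vpn') or AAA ('authentication') vserver."""
    return [(kind, name) for kind, name in _VSERVER_RE.findall(ns_conf)]


def assess(version_text: str, ns_conf: str, product_line: str = "") -> str:
    """Combine build status with the configuration prerequisite."""
    status = build_status(version_text, product_line)
    if status in ("vulnerable", "eol"):
        # Vulnerable code is present; exposure also needs a Gateway/AAA vserver.
        return "exposed" if exposed_vservers(ns_conf) else "vulnerable_build_no_prereq"
    return status


# Constructed sample ns.conf fragment (not a real configuration).
SAMPLE_NS_CONF = """\
add lb vserver web_lb HTTP 10.0.0.10 80
add vpn vserver gw_prod SSL 10.0.0.5 443
add authentication vserver aaa_corp SSL 10.0.0.6 443
"""

if __name__ == "__main__":
    for version in ("13.1-58.32", "14.1-47.46", "13.0-92.21"):
        print(version, "->", assess(version, SAMPLE_NS_CONF))
```

A build string that is merely below the fixed build, with no Gateway or AAA vserver, is reported as `vulnerable_build_no_prereq`: the vulnerable code is still present and the instance should still be patched, but it does not meet the prerequisite the vendor describes. Treat this as a triage aid only; the authoritative check remains the vendor advisory and the authenticated vulnerability check mentioned below.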

Rapid7 customers

InsightVM and Nexpose customers can assess exposure to CVE-2025-6543 with an authenticated check available since the June 25, 2025 content release.

Updates

June 30, 2025: Added reference to the CISA KEV list.
