Updated 15:32 BST with revised exposure number and map

Citrix says a critical vulnerability, CVE-2025-6543, in its NetScaler ADC and NetScaler Gateway products is under active attack in the wild. 

Citrix disclosed memory overflow bug CVE-2025-6543 publicly on June 25, warning users “exploits… on unmitigated appliances have been observed.”

The NetScaler bug carries a CVSS 4.0 base score of 9.3, consistent with remote exploitation by an unauthenticated attacker. Note that the score alone does not encode the attack vector; check the vector string in the Citrix advisory before triaging.

The NetScaler vulnerability is only exploitable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. According to scanning by Netlas.io, some 8,000 such instances may be exposed to the internet.

Credit: Netlas.io

Netscaler Gateway is often deployed at the perimeter of organizations’ internal networks/intranets to provide a “secure” single point of access to the servers, applications, and network resources in the internal network.

Citrix did not provide a credit for the vulnerability disclosure. 

It affects:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP
  • End-of-life NetScaler ADC and Gateway versions 12.1 and 13.0 (NetScaler ADC 12.1-FIPS is not affected) 
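The two preconditions above (a vulnerable build, and a Gateway or AAA virtual server configured) can be checked from the appliance's own `show version` and running-config output. The following triage script is an added example written for this page; it is not Citrix's code and not from The Stack. It assumes `show version` output of the form `NetScaler NS14.1: Build 47.43.nc, ...` and running-config lines in the documented CLI forms `add vpn vserver <name> ...` and `add authentication vserver <name> ...`; the sample inputs are constructed.

```python
"""Triage helper for CVE-2025-6543 exposure.

Added example, not from Citrix or The Stack. Assumptions (not from the advisory):
- `show version` prints a line like "NetScaler NS14.1: Build 47.43.nc, Date: ...";
  FIPS/NDcPP trains are assumed to appear as "NS13.1-FIPS" / "NS13.1-NDcPP".
- Gateway vservers appear as "add vpn vserver <name> ..." and AAA vservers as
  "add authentication vserver <name> ..." in `show ns runningConfig`.
"""
import re

# First fixed build per release train, taken from the advisory's affected list.
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),   # the 13.1-NDcPP train is mapped onto this key below
}
END_OF_LIFE = {"12.1", "13.0"}  # affected, no fix available: upgrade the train
NOT_AFFECTED = {"12.1-FIPS"}

VERSION_RE = re.compile(r"NS(\d+\.\d+)(?:-(FIPS|NDcPP))?:\s*Build\s+(\d+)\.(\d+)")
VSERVER_RE = re.compile(r"^add (vpn|authentication) vserver\s+(\S+)")


def parse_version(show_version: str):
    """Return (train, (build_major, build_minor)) from `show version` text."""
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError(f"unrecognised version string: {show_version!r}")
    train, variant, major, minor = m.groups()
    if variant:
        train = f"{train}-{variant}"
    return train, (int(major), int(minor))


def version_vulnerable(show_version: str) -> bool:
    """True if the build is below the fixed build (or on an EOL train)."""
    train, build = parse_version(show_version)
    if train in NOT_AFFECTED:
        return False
    if train in END_OF_LIFE:
        return True
    fixed = FIXED_BUILDS.get(train.replace("NDcPP", "FIPS"))
    if fixed is None:
        raise ValueError(f"train {train} not covered by the advisory list")
    return build < fixed  # tuple comparison: (47, 43) < (47, 46)


def exposed_vservers(running_config: str):
    """List (kind, name) for every Gateway or AAA vserver in the config."""
    found = []
    for line in running_config.splitlines():
        m = VSERVER_RE.match(line.strip())
        if m:
            kind = "Gateway" if m.group(1) == "vpn" else "AAA"
            found.append((kind, m.group(2)))
    return found


def triage(show_version: str, running_config: str) -> dict:
    """Combine both preconditions: vulnerable build AND an exposing vserver."""
    vuln = version_vulnerable(show_version)
    vservers = exposed_vservers(running_config)
    return {
        "vulnerable_build": vuln,
        "exposed_vservers": vservers,
        "exploitable": vuln and bool(vservers),
    }


# Constructed sample inputs (not captured from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.43.nc, Date: May 1 2025, 12:00:00   (64-bit)"
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.10 -netmask 255.255.255.0
add lb vserver lb_web HTTP 10.0.0.20 80
add vpn vserver gw_vpn SSL 203.0.113.5 443
add authentication vserver aaa_main SSL 203.0.113.6 443
"""

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_CONFIG))
```

A build at or above the fixed build is treated as not vulnerable even if a Gateway vserver is present, and an unlisted train raises rather than silently reporting "safe". Run it against the real outputs of `show version` and `show ns runningConfig` (for example, copied over SSH) rather than against the constructed samples.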

Critical Netscaler vulnerability

Potentially confusingly, this is a different bug from the other critical NetScaler vulnerability disclosed this week, CVE-2025-5777, which security experts warned has the potential to be the next “Citrix Bleed”. See more here.

Citrix did not publicly disclose how widespread exploitation is nor did it publicly share any indicators of compromise or threat detection rules. 

The Stack

NetScaler exploitation has a track record of serious consequences: in 2023, separate incidents abusing Citrix Bleed (CVE-2023-4966) led to ransomware attacks on “big game” victims including Boeing and Chinese bank ICBC.

Another critical Netscaler vulnerability that year (CVE-2023-3519) was used to attack critical national infrastructure (CNI) in the US and triggered “13 separate nationally significant incidents” in 2023 that required the intervention of the UK’s National Cyber Security Centre, according to the agency’s annual report. 

Users should terminate all active ICA and PCoIP sessions after upgrading. As Mandiant's Charles Carmakal noted on LinkedIn: "Many organizations did not terminate sessions when remediating [Citrix Bleed] in 2023. In those cases, session secrets were stolen before companies patched, and the sessions were hijacked after the patch. Many of those compromises resulted in nation-state espionage or ransomware deployment."

Know more about ongoing exploitation of CVE-2025-6543 or who disclosed this? Drop an email or Signal @Targett.11 off-the-record. 
