Summary
CVE-2025-6543 is a critical memory overflow in Citrix NetScaler ADC and NetScaler Gateway that leads to unintended control flow and denial of service, with remote code execution reported in the wild. It affects appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server, and it requires no authentication. It has been actively exploited since May 2025, with attackers executing code, establishing persistence, and erasing logs to cover their tracks. Fixed builds are 14.1-47.46, 13.1-59.19, and 13.1-37.236 (FIPS/NDcPP); 12.1 and 13.0 are end of life and must be migrated. Patch immediately, terminate all active sessions afterwards, and treat a patched build as the starting point for compromise checks rather than proof that the appliance is clean.
Urgent Actions Required
- Update NetScaler ADC and NetScaler Gateway to 14.1-47.46, 13.1-59.19, or 13.1-37.236 (FIPS/NDcPP) immediately.
- After patching, terminate all active VPN, ICA, CVPN, RDP, and AAA sessions so that sessions established before the fix cannot be reused (on the NetScaler CLI: `kill icaconnection -all`, `kill pcoipConnection -all`, `kill aaa session -all`, `kill rdp connection -all`, `clear lb persistentSessions`).
- Check appliances for unexpected or duplicate PHP/XHTML files and out-of-place timestamps, for example with the scan script NCSC (Netherlands) published on GitHub.
- Migrate unsupported versions (12.1, 13.0) to supported builds; no patch exists for them.
Which Systems Are Vulnerable to CVE-2025-6543?
Technical Overview
- Vulnerability Type: Memory overflow leading to unintended control flow and Denial of Service (potential Remote Code Execution)
- Affected Software/Versions:
- NetScaler ADC and NetScaler Gateway 14.1 – all builds before 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 – all builds before 13.1-59.19
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP – all builds before 13.1-37.236
- NetScaler ADC and NetScaler Gateway 12.1 and 13.0 – end of life, no patch available
- CVSS Score: 9.8
- CVSS Version: 3.1 (vector metrics below)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Patch Availability: Yes, available[1][2]
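As an added example (not Citrix's code and not the NCSC scan script), the following Python script turns the affected-version list above into a fleet check. It assumes the banner format that `show ns version` prints ("NetScaler NS14.1: Build 47.46.nc, Date: ...") and the fixed-build thresholds from the advisory; the hostnames, dates and the 13.0 build number in the sample fleet are constructed. Because 13.1-FIPS/NDcPP builds are numbered 37.x and an older mainline 13.1-37.x build also exists, the operator has to say whether a box is a FIPS/NDcPP platform; the banner alone cannot tell the two apart.

```python
"""Fleet triage for CVE-2025-6543: compare `show ns version` banners with the fixed builds.

Added example; not code from Citrix or from the NCSC scan script. Thresholds are the
fixed builds named in the advisory: 14.1-47.46, 13.1-59.19 and 13.1-37.236 (FIPS/NDcPP);
12.1 and 13.0 have no fix. The banner format is assumed from Citrix's usual
"NetScaler NS14.1: Build 47.46.nc, Date: ..." output.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# (branch, fips_ndcpp) -> first fixed (build, sub-build); anything lower is vulnerable.
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),
}
# Branches with no patch: the only remediation is migration.
EOL_BRANCHES = {"12.1", "13.0"}

BANNER_RE = re.compile(r"NetScaler\s+NS(\d+\.\d+):\s+Build\s+(\d+)\.(\d+)")
STATUS_ORDER = {"vulnerable": 0, "eol": 1, "unknown": 2, "patched": 3}


@dataclass(frozen=True)
class Assessment:
    branch: Optional[str]
    build: Optional[Tuple[int, int]]
    fips: bool
    status: str   # "patched", "vulnerable", "eol" or "unknown"
    action: str


def parse_banner(banner: str) -> Tuple[Optional[str], Optional[Tuple[int, int]]]:
    """Extract (branch, (build, sub-build)) from a version banner, or (None, None)."""
    m = BANNER_RE.search(banner)
    if not m:
        return None, None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str, fips: bool = False) -> Assessment:
    """Classify one appliance.

    `fips` must be supplied by the operator: 13.1-FIPS/NDcPP builds are numbered 37.x,
    and an older mainline 13.1-37.x build also exists, so the banner alone cannot
    tell the two branches apart.
    """
    branch, build = parse_banner(banner)
    if branch is None or build is None:
        return Assessment(None, None, fips, "unknown", "could not parse banner; check manually")
    if branch in EOL_BRANCHES:
        return Assessment(branch, build, fips, "eol",
                          f"{branch} is end of life with no fix: migrate to 13.1 or 14.1")
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        return Assessment(branch, build, fips, "unknown",
                          f"no fixed-build threshold known for {branch}")
    if build >= fixed:
        return Assessment(branch, build, fips, "patched",
                          "at or above the fixed build; still terminate sessions and check for prior compromise")
    target = f"{branch}-{fixed[0]}.{fixed[1]}" + (" (FIPS/NDcPP)" if fips else "")
    return Assessment(branch, build, fips, "vulnerable", f"upgrade to {target}")


def triage(fleet: Iterable[Tuple[str, str, bool]]) -> List[Tuple[str, Assessment]]:
    """fleet: (hostname, banner, fips) triples. Returns every host, worst status first."""
    rows = [(host, assess(banner, fips)) for host, banner, fips in fleet]
    return sorted(rows, key=lambda row: STATUS_ORDER[row[1].status])


if __name__ == "__main__":
    # Constructed sample fleet; hostnames, dates and the 13.0 build number are made up.
    sample = [
        ("ns-dmz-01", "NetScaler NS14.1: Build 47.46.nc, Date: Jun 2 2025, 12:00:00", False),
        ("ns-dmz-02", "NetScaler NS14.1: Build 43.56.nc, Date: Feb 3 2025, 12:00:00", False),
        ("ns-fips-01", "NetScaler NS13.1: Build 37.235.nc, Date: Mar 1 2025, 12:00:00", True),
        ("ns-legacy-01", "NetScaler NS13.0: Build 92.21.nc, Date: Nov 1 2023, 12:00:00", False),
    ]
    for host, a in triage(sample):
        print(f"{host:13} {a.status:10} {a.action}")
```

A "patched" result only says the build is at or above the fixed build. With exploitation under way since May 2025, the session termination and file checks under Urgent Actions still apply to every appliance that was exposed while vulnerable.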
How Does the CVE-2025-6543 Exploit Work?
The attack typically follows these steps:
What Causes CVE-2025-6543?
Vulnerability Root Cause:
CVE-2025-6543 is a memory overflow in NetScaler ADC and NetScaler Gateway that is reachable only when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; an appliance without any of those virtual servers is not in the affected configuration. Crafted, unauthenticated traffic to the affected virtual server overflows memory and diverts control flow, which at minimum crashes the appliance and, as the in-the-wild activity shows, can be turned into code execution.
How Can You Mitigate CVE-2025-6543?
If immediate patching is delayed or not possible:
- Restrict who can reach the affected Gateway and AAA virtual servers (IP or geographic allowlists, or taking the virtual server offline) to reduce exposure; the management interface is not the attack surface here.
- Review firewall and appliance logs for unusual traffic to those virtual servers and for suspicious files on the appliance.
- Terminate all active sessions so that session data captured before mitigation cannot be reused.
- Keep external access limited until the fixed build is installed.
- Run file-system and log checks on a schedule to detect exploitation; none of these steps removes the vulnerability.
Which Assets and Systems Are at Risk?
Asset Types Affected:
- NetScaler ADC – Appliances running vulnerable builds of 13.1, 13.1-FIPS/NDcPP, and 14.1, plus any appliance still on the unsupported 12.1 or 13.0 branches.
- NetScaler Gateway – Appliances configured as VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server.
Business-Critical Systems at Risk:
- VPN and remote access gateways – Can provide attackers entry into corporate networks.
- Application delivery infrastructure – Disruption or compromise can affect critical services.
- Authentication servers – Exploitation could allow session hijacking or persistent access.
Exposure Level:
- Internet-facing NetScaler devices – Most at risk due to remote exploitability without authentication.
- Internal deployments – Vulnerable if devices are accessible via intranet or hybrid cloud setups.
- End-of-life appliances (12.1, 13.0) – No patches available; require upgrade to supported versions.
Will Patching CVE-2025-6543 Cause Downtime?
Patch application impact: Low. Update NetScaler ADC/Gateway to 14.1-47.46, 13.1-59.19, or 13.1-37.236 (FIPS/NDcPP); a reboot may be needed, so schedule the upgrade in an HA pair or a maintenance window, but downtime is otherwise minimal. Terminating sessions after the upgrade forces users to log in again, so plan for that. Unsupported 12.1/13.0 require migration.
Mitigation (if immediate patching is not possible): Isolate devices, monitor for suspicious activity, and terminate active sessions; systems remain at risk until updated.
How Can You Detect CVE-2025-6543 Exploitation?
Exploitation Signatures:
Look for unexpected crashes, reboots, or service disruptions on NetScaler ADC or Gateway appliances configured as VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server. Sudden restarts or new core dumps on the appliance (NetScaler writes them under /var/core) may indicate exploitation attempts, since a failed attempt to hijack control flow typically crashes the process rather than succeeding silently.
Indicators of Compromise (IOCs/IOAs):
- Malformed or unusually sized requests to the VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual servers, especially a burst from one source shortly before a crash or restart.
- Suspicious access to appliance management interfaces without proper authorization.
- Signs of log tampering or missing event logs, indicating attackers cleaning traces.
Behavioral Indicators:
- Persistent service disruptions or instability on NetScaler appliances.
- Unauthorized execution of code or unexpected process behavior on devices.
Alerting Strategy:
- Priority: Critical
- Trigger alerts for abnormal network traffic to VPN or AAA endpoints.
- Monitor for unexpected device crashes, reboots, or signs of memory overflow exploitation.
- Investigate any sudden absence of logs or tampering with system records.
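The file checks named under Urgent Actions (unexpected or duplicate PHP/XHTML files and out-of-place timestamps) can be scripted. The following is an added example in Python; it is not the NCSC scan script and not Citrix code. The default root directories (/netscaler/ns_gui, /var/netscaler/logon, /var/vpn) come from public NetScaler incident write-ups and are an assumption to adjust for your build, and the tree it scans in the demo is a constructed fixture, not appliance content.

```python
"""Look for dropped PHP/XHTML files on a NetScaler web root.

Added example; not the NCSC scan script and not Citrix code. It runs the three checks
the advisory text suggests: timestamps that do not match the rest of the directory
(a build's own files share one install time), the same basename in more than one
directory, and identical content stored under different names. The default roots are
directories that public NetScaler incident write-ups name as drop sites; treat them as
an assumption and adjust to your build.
"""
import hashlib
import os
import statistics
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Iterable, List, Set, Tuple

WEB_EXTENSIONS = {".php", ".xhtml"}
DEFAULT_ROOTS = ["/netscaler/ns_gui", "/var/netscaler/logon", "/var/vpn"]  # assumed

Finding = Tuple[str, Path]  # (reason, path)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(roots: Iterable[os.PathLike], mtime_slack: float = 2 * 86400) -> List[Finding]:
    """Return (reason, path) findings for every PHP/XHTML file under `roots`.
    Each finding is a lead for manual review, not proof of compromise."""
    files = [p for r in roots if Path(r).is_dir()
             for p in Path(r).rglob("*")
             if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS]
    findings: List[Finding] = []

    # 1. Timestamp outliers: compare each file with the median mtime of its siblings.
    #    Needs at least three files, otherwise there is no majority to compare against.
    by_dir = defaultdict(list)
    for p in files:
        by_dir[p.parent].append(p)
    for members in by_dir.values():
        if len(members) < 3:
            continue
        mtimes = {p: p.stat().st_mtime for p in members}
        median = statistics.median(mtimes.values())
        findings += [("timestamp-outlier", p) for p, mt in mtimes.items()
                     if abs(mt - median) > mtime_slack]

    # 2. Same basename in more than one directory; 3. same content under different names.
    by_name = defaultdict(list)
    by_hash = defaultdict(list)
    for p in files:
        by_name[p.name].append(p)
        by_hash[sha256_of(p)].append(p)
    for paths in by_name.values():
        if len(paths) > 1:
            findings += [("duplicate-name", p) for p in paths]
    for paths in by_hash.values():
        if len({p.name for p in paths}) > 1:
            findings += [("duplicate-content", p) for p in paths]
    return findings


def build_fixture(base: Path, install_ts: float) -> None:
    """Constructed tree imitating a web root; file names and contents are made up."""
    legit = "<?php /* constructed stand-in for a shipped file */ ?>"
    dropped = "<?php /* constructed stand-in for an attacker-dropped file */ ?>"
    forty_days = 40 * 86400
    layout = {  # relative path -> (content, mtime)
        "ns_gui/vpn/index.php": (legit + "a", install_ts),
        "ns_gui/vpn/login.php": (legit + "b", install_ts),
        "ns_gui/vpn/logout.php": (legit + "c", install_ts),
        "ns_gui/vpn/config.xhtml": ("<html/>", install_ts),
        "ns_gui/vpn/cmd.php": (dropped, install_ts + forty_days),            # new file, later mtime
        "logon/LogonPoint/index.php": (legit + "d", install_ts),            # shares a name with vpn/index.php
        "logon/LogonPoint/help.xhtml": (dropped, install_ts + forty_days),  # copy of cmd.php under another name
    }
    for rel, (content, mtime) in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.utime(p, (mtime, mtime))


def demo() -> Set[Tuple[str, str]]:
    """Build the fixture in a temp dir, scan it and return (reason, relative path) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_fixture(base, install_ts=1_717_200_000.0)  # constructed install time
        return {(reason, p.relative_to(base).as_posix()) for reason, p in scan([base])}


if __name__ == "__main__":
    for reason, rel in sorted(demo()):
        print(f"{reason:18} {rel}")
```

Run it against `DEFAULT_ROOTS` (or a copy of the file system taken while the appliance is isolated) rather than the demo fixture. Every finding is a lead for review: legitimate files can share a basename across directories, and a timestamp that differs from its neighbours may simply be a hotfix, so confirm against a known-good appliance on the same build before treating a file as dropped.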
Remediation & Response
Patch/Upgrade Instructions:
- Citrix Advisory[1]
Mitigation Steps if No Patch:
- Limit exposure of the affected Gateway and AAA virtual servers with IP or geographic allowlists, and keep the management interface (NSIP) off the internet as a separate matter; restricting management access alone does not mitigate this flaw, which is reached through the data-plane virtual servers.
- Monitor for abnormal network traffic targeting VPN, ICA Proxy, CVPN, RDP Proxy, or AAA services.
- Scan appliances for unusual memory activity, crashes, or log tampering as potential exploitation indicators.
Rollback Plan:
- If an upgrade causes operational issues, reverting to the previous build reintroduces the vulnerability; if you must roll back, keep the affected virtual servers restricted or offline until the fixed build can be reapplied, and keep monitoring in place for exploitation attempts.
- Document rollback steps, including appliance version, time, and responsible personnel.
Incident Response Considerations:
- Isolate affected appliances to prevent further exploitation.
- Collect forensic data from appliance logs and network monitoring for suspicious activity.
- Verify patched devices and terminate active sessions to remove potential persistence.
- Continue monitoring for anomalies to ensure no ongoing compromise.
Compliance & Governance Notes
Standards Impacted:
- ISO 27001: A.12.6.1 (2013) / A.8.8 (2022) – Management of technical vulnerabilities.
- NIST 800-53: SI-2 – Flaw remediation.
- CISA BOD 22-01 – CVE-2025-6543 is listed in the CISA Known Exploited Vulnerabilities catalog, so federal agencies must apply the vendor update by the catalog due date or discontinue use of the product; other organizations can use the same deadline as a benchmark.
Audit Trail Requirement:
- Log all critical NetScaler ADC and Gateway updates: date, time, engineer, version applied.
- Record network monitoring or scans detecting unusual memory activity or exploitation indicators.
- Maintain revision-controlled change logs for applied patches or appliance migrations.
Policy Alignment:
- Update Vulnerability Management Policy to include routine scans for NetScaler ADC/Gateway firmware versions.
- Revise Incident Response Plan to include steps for “memory overflow/NetScaler exploitation” scenarios: detection → isolation → patching.
- Ensure active session termination procedures are included post-patch to reduce compromise risk.
Where Can I Find More Information on CVE-2025-6543?
CVSS Breakdown Table
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 | Critical severity, indicating high impact and exploitability |
| Attack Vector | Network | Can be exploited remotely over the internet targeting NetScaler ADC or Gateway configured as VPN, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server |
| Attack Complexity | Low | Exploit is straightforward; no special conditions required |
| Privileges Required | None | No authentication or elevated privileges needed |
| User Interaction | None | No user action is required for exploitation |
| Scope | Unchanged | Exploitation affects only the vulnerable NetScaler component |
| Confidentiality Impact | High | Successful exploit may allow attackers to execute code and access sensitive systems |
| Integrity Impact | High | Exploit can allow attackers to modify device behavior or control execution flow |
| Availability Impact | High | Exploit can cause denial of service or device crashes, impacting network availability |