Full Report
The vendor disclosed the critical zero-day in NetScaler ADC and NetScaler Gateway nine days after it warned of a pair of defects in the same products. The post Citrix users hit by actively exploited zero-day vulnerability appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Critical Zero-Day Memory Overflow in Citrix NetScaler ADC and Gateway (CVE-2025-6543)
## CVE Details
- **CVE ID:** CVE-2025-6543
- **CVSS Score:** 9.2 (Critical)
- **CWE:** Not stated in the source. Citrix classifies the flaw as a memory overflow defect; this bug class can corrupt adjacent memory and, depending on context, escalate from a crash to arbitrary code execution.
## Affected Systems
- **Products:** NetScaler ADC and NetScaler Gateway
- **Versions:** Multiple versions. The source does not list the affected or fixed builds; take them from vendor bulletin CTX694788.
- **Configurations:** Per Citrix, exploitation is possible only on instances configured as a **Gateway** or as an **Authentication, Authorization, and Accounting (AAA) virtual server**. Appliances serving only load-balancing or content-switching roles do not meet the prerequisite, but any Gateway or AAA listener is by design reachable by remote users.
## Vulnerability Description
This is a critical zero-day vulnerability described by Citrix as a **memory overflow defect**. Overflows of this kind overwrite memory beyond the intended buffer, which typically lets an attacker corrupt control data and steer execution to an unintended path. Citrix initially positioned the impact as Denial of Service (DoS); security researchers argue that the vulnerability class points toward **Remote Code Execution (RCE)**, and that the DoS conditions observed on exploited appliances are more plausibly read as failed exploitation attempts than as the attacker's goal.
## Exploitation
- **Status:** **Actively exploited in the wild**. Citrix explicitly warned that exploits have been observed on unmitigated appliances.
- **Complexity:** Not stated in the source. Active exploitation on unmitigated appliances implies that a working exploit exists and is practical; the configuration prerequisite (Gateway or AAA virtual server) narrows the target set rather than raising attacker effort, because those roles are exactly the ones exposed to remote users.
- **Attack Vector:** Likely network-based, reaching the vulnerable code through the appliance's Internet-facing Gateway or AAA listener.
## Impact
- **Confidentiality:** Potential high (if RCE is achievable)
- **Integrity:** Potential high (if RCE is achievable)
- **Availability:** Confirmed potential for Denial of Service (DoS)
## Remediation
### Patches
- The source text does not list fixed builds; consult the Citrix security bulletin for the fixed builds of each supported release and upgrade immediately, since the flaw is already being exploited.
- **Vendor Bulletin:** CTX694788
### Workarounds
- The only configuration-level mitigation implied by the advisory is to ensure that a NetScaler instance is **not** configured as a Gateway or as an AAA virtual server, since that configuration is the prerequisite for exploitation. This amounts to taking the appliance's primary function offline, so it is a stop-gap until the fixed build is installed, not a substitute for patching. The source describes no other workaround.
## Detection
- **Indicators of Compromise:** The article publishes no IoCs. Until vendor guidance is available, prioritise three things: inventory every NetScaler ADC and Gateway appliance whose configuration includes a Gateway or AAA virtual server; treat unexplained crashes, restarts or core dumps on those appliances as possible failed exploitation attempts rather than as stability bugs; and monitor for unusual traffic patterns directed at the Gateway or AAA listeners.
- **Detection Methods and Tools:** Rely on the vendor guidance that accompanies security bulletin CTX694788 for signatures or behavioural rules specific to this vulnerability; the source provides none.
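The Affected Systems, Workarounds and Detection sections all turn on the same two questions: is this appliance configured as a Gateway or AAA virtual server, and is it running a fixed build? As an added example (not from the CyberScoop article or from Citrix), the following Python triage script answers both from the text output of three NetScaler CLI commands, `show ns version`, `show vpn vserver` and `show authentication vserver`. The fixed-build thresholds in `FIXED_BUILDS` are hypothetical placeholders, because the source text does not list them and they must be taken from CTX694788; the sample command output is constructed for the example, not captured from a real appliance.

```python
import re
from dataclasses import dataclass, field

# HYPOTHETICAL placeholder thresholds (release -> first fixed build). The
# source text does not list fixed builds; replace these with the builds
# published in Citrix bulletin CTX694788 before relying on the verdict.
FIXED_BUILDS = {
    "14.1": (99, 99),
    "13.1": (99, 99),
}

# "show ns version" prints e.g. "NetScaler NS14.1: Build 47.40.nc, Date: ..."
VERSION_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+):\s+Build\s+(?P<build>\d+\.\d+)")
# "show vpn vserver" / "show authentication vserver" list entries as
# "1)\tname (ip:port) - SSL ..." and finish with "Done".
VSERVER_RE = re.compile(r"^\s*\d+\)\s+(?P<name>\S+)", re.MULTILINE)


def parse_version(show_ns_version: str) -> tuple[str, tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from 'show ns version' output."""
    m = VERSION_RE.search(show_ns_version)
    if m is None:
        raise ValueError("unrecognised 'show ns version' output")
    major, minor = (int(x) for x in m.group("build").split("."))
    return m.group("release"), (major, minor)


def list_vservers(show_output: str) -> list[str]:
    """Names of the virtual servers listed by a 'show ... vserver' command."""
    return VSERVER_RE.findall(show_output)


@dataclass
class Verdict:
    release: str
    build: tuple[int, int]
    fix_known: bool          # False when the release is absent from FIXED_BUILDS (e.g. EOL)
    patched: bool
    vpn_vservers: list[str] = field(default_factory=list)
    aaa_vservers: list[str] = field(default_factory=list)

    @property
    def prerequisite_met(self) -> bool:
        # Citrix: exploitable only when a Gateway or AAA virtual server is configured.
        return bool(self.vpn_vservers or self.aaa_vservers)

    @property
    def exposed(self) -> bool:
        # Unpatched (or no fix known for this release) and serving the exploitable role.
        return self.prerequisite_met and not self.patched


def assess(version_out: str, vpn_out: str, aaa_out: str, fixed=FIXED_BUILDS) -> Verdict:
    release, build = parse_version(version_out)
    threshold = fixed.get(release)
    patched = threshold is not None and build >= threshold
    return Verdict(
        release=release,
        build=build,
        fix_known=threshold is not None,
        patched=patched,
        vpn_vservers=list_vservers(vpn_out),
        aaa_vservers=list_vservers(aaa_out),
    )


# Constructed sample output (not captured from a real appliance).
SAMPLE_VERSION = "\tNetScaler NS14.1: Build 47.40.nc, Date: Jun 6 2025, 10:21:38   (64-bit)\n Done\n"
SAMPLE_VPN = "1)\tvs_gw_remote (203.0.113.10:443) - SSL\tType: CONTENT\tState: UP\n Done\n"
SAMPLE_AAA = " Done\n"

if __name__ == "__main__":
    v = assess(SAMPLE_VERSION, SAMPLE_VPN, SAMPLE_AAA)
    print(f"release {v.release} build {v.build[0]}.{v.build[1]} patched={v.patched} "
          f"prerequisite_met={v.prerequisite_met} exposed={v.exposed}")
    for name in v.vpn_vservers:
        print("  Gateway vserver:", name)
```

A release missing from `FIXED_BUILDS` is deliberately reported as unpatched rather than unknown: an end-of-life release with a Gateway listener is exposed with no fix to apply, which is the case a triage script must not hide. Feed the real command output captured over SSH into `assess` and fix the thresholds from the bulletin before acting on the verdict.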
## References
- **Vendor Advisories:**
- Security Bulletin for CVE-2025-6543: hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
- Previous Bulletin (related issues): hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- **Related CVEs Mentioned:** CVE-2025-5777 and CVE-2025-5349 (disclosed shortly before this zero-day).