Full Report
The vendor disclosed the critical zero-day in NetScaler ADC and NetScaler Gateway nine days after it warned of a pair of defects in the same products. The post Citrix users hit by actively exploited zero-day vulnerability appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Actively Exploited Memory Overflow in NetScaler ADC/Gateway (CVE-2025-6543)
## CVE Details
- CVE ID: CVE-2025-6543
- CVSS Score: 9.2 (Critical)
- CWE: Not given in the source article. Citrix classifies the flaw as a memory overflow defect; the vendor-stated outcome is unintended control flow and denial of service, and a memory-safety bug of this class can in principle be pushed further, toward code execution.
## Affected Systems
- Products: NetScaler ADC and NetScaler Gateway
- Versions: Not enumerated in the source article; the affected builds are listed in the Citrix bulletin CTX694788.
- Configurations: Exploitation is specific to instances configured as a **Gateway** or an **Authentication, Authorization, and Accounting (AAA) virtual server**.
## Vulnerability Description
This is a critical zero-day that Citrix describes as a **memory overflow defect** leading to **unintended control flow** and **denial of service (DoS)**. Security researchers note that the CVSS metrics assigned to the flaw are more consistent with **remote code execution (RCE)** than with a pure availability issue, and that the DoS conditions observed on exploited appliances may be the residue of failed exploitation attempts rather than the attacker's goal.
## Exploitation
- Status: **Actively exploited in the wild**. Citrix confirmed that "Exploits of CVE-2025-6543 on unmitigated appliances have been observed."
- Complexity: Not stated in the source article. Confirmed in-the-wild exploitation shows the flaw is reachable in practice, but no precise attack-complexity rating should be inferred from that alone.
- Attack Vector: Network. The vulnerable components (Gateway and AAA virtual servers) are, by design, the appliance's externally exposed remote-access and authentication surface.
## Impact
- Confidentiality: High (not vendor-confirmed; follows from the RCE potential suggested by researchers).
- Integrity: High (not vendor-confirmed; same basis).
- Availability: High (DoS confirmed by the vendor, whether as the intended outcome or as a byproduct of failed exploitation).
## Remediation
### Patches
- **No specific patch versions listed in the source article.** Users must consult the official Citrix security bulletin (CTX694788) for immediate updates.
### Workarounds
- None described in the source article. Because exploitation depends on the Gateway or AAA virtual server role, the practical interim step is to inventory which appliances carry those roles, treat every such internet-facing instance as exposed, and patch them first per the vendor bulletin (CTX694788).
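As an added triage helper (not code from the article or from Citrix), the script below reads NetScaler configuration text and flags appliances that carry either of the roles the advisory names. The regular expressions match the real ns.conf verbs `add vpn vserver` (Gateway) and `add authentication vserver` (AAA); the hostnames, addresses and configuration lines in the sample are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Real NetScaler ns.conf verbs for the two roles the advisory names.
# Exploitation needs a Gateway ("vpn vserver") or an AAA ("authentication
# vserver") virtual server, so those are the only objects matched here.
GATEWAY_RE = re.compile(r"^add vpn vserver (\S+) (\S+) (\S+) (\d+)", re.M)
AAA_RE = re.compile(r"^add authentication vserver (\S+) (\S+) (\S+) (\d+)", re.M)
HOSTNAME_RE = re.compile(r"^set ns hostName (\S+)", re.M)


@dataclass
class Triage:
    hostname: str
    gateway_vservers: list[str] = field(default_factory=list)
    aaa_vservers: list[str] = field(default_factory=list)

    @property
    def exploitable_config(self) -> bool:
        # Either role alone is enough per the advisory.
        return bool(self.gateway_vservers or self.aaa_vservers)


def _describe(name: str, proto: str, ip: str, port: str) -> str:
    # A 0.0.0.0:0 vserver is "non-addressable": it has no listener of its own,
    # but it is still reported because a content-switching vserver can front it.
    reach = "non-addressable" if (ip, port) == ("0.0.0.0", "0") else f"{ip}:{port}"
    return f"{name} ({proto} {reach})"


def triage_config(config_text: str) -> Triage:
    """Classify one appliance from its ns.conf / 'show ns runningConfig' text."""
    m = HOSTNAME_RE.search(config_text)
    t = Triage(hostname=m.group(1) if m else "unknown")
    t.gateway_vservers = [_describe(*g) for g in GATEWAY_RE.findall(config_text)]
    t.aaa_vservers = [_describe(*g) for g in AAA_RE.findall(config_text)]
    return t


def prioritize(configs: dict[str, str]) -> list[str]:
    """Return the hostnames that must be patched first, sorted for stable output."""
    return sorted(t.hostname for t in map(triage_config, configs.values())
                  if t.exploitable_config)


# Constructed sample configs (hypothetical hostnames, RFC 5737 documentation addresses).
SAMPLE_CONFIGS = {
    "ns-edge-01": "set ns hostName ns-edge-01\n"
                  "add vpn vserver gw_vpn SSL 203.0.113.10 443\n"
                  "add lb vserver web_lb HTTP 203.0.113.20 80\n",
    "ns-lb-02":   "set ns hostName ns-lb-02\n"
                  "add lb vserver app_lb SSL 203.0.113.30 443\n",
    "ns-auth-03": "set ns hostName ns-auth-03\n"
                  "add cs vserver cs_front SSL 203.0.113.40 443\n"
                  "add authentication vserver aaa_vs SSL 0.0.0.0 0\n",
}

if __name__ == "__main__":
    for text in SAMPLE_CONFIGS.values():
        t = triage_config(text)
        status = "PATCH FIRST" if t.exploitable_config else "lower priority"
        print(f"{t.hostname}: {status}; gateway={t.gateway_vservers} aaa={t.aaa_vservers}")
```

A plain load balancer with no Gateway or AAA vserver (ns-lb-02 in the sample) is still vulnerable code and still needs the patch; the script only orders the work, it does not exempt anything. Non-addressable vservers are deliberately kept in scope because the advisory conditions exploitation on the role, not on whether the vserver owns its own IP.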
## Detection
- **Indicators of Compromise (IoCs):** None published in the source. Absent IoCs, treat any unpatched appliance with a Gateway or AAA virtual server as potentially compromised and review it rather than waiting for signatures.
- **Detection Methods:** Review the Gateway/AAA virtual server access and authentication logs and the appliance system logs for unexpected requests to the authentication endpoints, unexplained service interruptions or restarts (consistent with the vendor-described DoS outcome), and sessions or configuration changes that do not correspond to legitimate administrative activity. Confirm the running build against the vendor bulletin before relying on the appliance's own telemetry.
## References
- Vendor Advisory (Zero-day): hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788
- Previous Defects Advisory: hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- Related Information (CVE-2025-5777): hxxps://nvd.nist.gov/vuln/detail/CVE-2025-5777
- Related Information (CVE-2025-5349): hxxps://nvd.nist.gov/vuln/detail/CVE-2025-5349
- Past Vulnerability Context (CitrixBleed): hxxps://nvd.nist.gov/vuln/detail/cve-2023-4966