What is Citrix NetScaler ADC and Gateway?
Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are enterprise networking appliances widely deployed at organizational perimeters for load balancing, SSL offloading, and remote access VPN. NetScaler Gateway serves as the SSL VPN front door for internal applications — employees authenticate through the Gateway to reach internal resources from any network.
NetScaler appliances handle raw unauthenticated traffic at the internet edge, making pre-authentication vulnerabilities especially high impact. Citrix has faced a sustained wave of critical NetScaler vulnerabilities: CVE-2023-3519 (2023), CVE-2019-19781 (2019 "Shitrix"), and multiple flaws throughout 2025 including CVE-2025-6543 and the later CVE-2025-7775.
Overview
CVE-2025-6543 is a pre-authentication buffer overflow (CWE-119) in Citrix NetScaler ADC and Gateway. The vulnerability requires the appliance to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or AAA virtual server — a common deployment mode for any organization using NetScaler for remote access. CISA added the vulnerability to the KEV catalog just five days after the patch was released, citing confirmed active exploitation. Approximately 2,100+ unpatched appliances were identified at the time active exploitation was confirmed.
Affected Versions
| Branch | Vulnerable | Fixed |
|---|---|---|
| NetScaler ADC/Gateway 14.1 | < 14.1-47.46 | 14.1-47.46 |
| NetScaler ADC/Gateway 13.1 | < 13.1-59.19 | 13.1-59.19 |
| NetScaler ADC 13.1-FIPS/NDcPP | < 13.1-37.236 | 13.1-37.236 |
Configuration requirement: only appliances configured in one of the following modes are affected:
- Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy)
- AAA virtual server
Standard load-balancing-only deployments without Gateway/AAA configuration are not affected.
Technical Details
The vulnerability is a memory buffer overflow (CWE-119) in the NetScaler Gateway/AAA processing stack. Improper memory buffer handling in the request processing path allows a crafted unauthenticated HTTP or HTTPS request to cause memory corruption, leading to unintended control flow and potential denial of service or remote code execution.
The CVSS 4.0 vector for this vulnerability reflects higher attack complexity (AC:H) and a prerequisite target condition (AT:P) compared to the later CVE-2025-7775 — meaning exploitation required a specific configuration state or timing condition, not just a vulnerable firmware version. Despite this, the vulnerability was confirmed exploited in the wild within days of the patch release.
Key characteristics:
- Pre-authentication — no credentials or session token required
- Exploitable only in Gateway/AAA mode (not all NetScaler deployments)
- Led to DoS and potentially RCE depending on memory layout at the time of exploitation
- 15+ public PoC exploits on GitHub appeared shortly after disclosure
Discovery
Discovery was not publicly attributed in the Citrix advisory. Citrix released coordinated security updates covering CVE-2025-6543 alongside CVE-2025-5777 (a related but distinct flaw).
Exploitation Context
CISA added CVE-2025-6543 to the KEV catalog on June 30, 2025, just five days after the patch release, reflecting rapidly confirmed active exploitation. Approximately 2,100+ appliances remained unpatched when exploitation was first confirmed. No specific threat actor group was publicly attributed.
This vulnerability is one of a series of NetScaler flaws exploited in mid-2025, culminating in the zero-day CVE-2025-7775 in August. The pattern reflects sustained attacker interest in NetScaler Gateway appliances as high-value initial access points into enterprise networks.
Remediation
- Upgrade immediately to 14.1-47.46+, 13.1-59.19+, or 13.1-37.236-FIPS+. The CISA deadline was July 21, 2025; any unpatched appliances are overdue.
- Confirm your vserver configuration — only Gateway and AAA vserver modes are affected. Use the `show lb vserver` and `show vpn vserver` commands to enumerate your configuration.
- Check for indicators of compromise — review NetScaler logs for anomalous request patterns to the VPN virtual server from unexpected source IPs or with unusual HTTP headers.
- Apply subsequent patches — CVE-2025-7775 (August 2025) affects the same component; ensure your environment is current with all NetScaler advisories from mid-2025.
- Restrict internet access to the Gateway vserver IP addresses if your access model allows it — IP allowlisting dramatically reduces the attack surface for pre-auth network vulnerabilities.
- Monitor authentication logs post-patch for any webshell activity or anomalous administrative sessions that could indicate pre-patch compromise.
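As an added example (not from the Citrix advisory or any NetScaler tool), the Python below applies this page's fixed-build table and the Gateway/AAA precondition to a version string and a `show vpn vserver` listing, so a defender can triage a fleet export offline. The listing format and the sample values are constructed assumptions, not real appliance output.

```python
import re

# First fixed build per branch, from the affected-versions table on this page.
# Key: (release branch, is_fips_ndcpp) -> (major build, minor build).
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),  # 13.1-FIPS / NDcPP branch
}

VERSION_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")
# Assumed listing format: numbered entries, one vserver per line (constructed).
VSERVER_RE = re.compile(r"^\s*\d+\)\s+(\S+)", re.MULTILINE)

def parse_version(version):
    """'14.1-47.46' -> ('14.1', (47, 46)); None if the string is unrecognised."""
    m = VERSION_RE.search(version)
    return (m.group(1), (int(m.group(2)), int(m.group(3)))) if m else None

def is_vulnerable_build(version, fips=False):
    """True if the build is below the fixed build for its branch,
    False if at or above it, None for branches not in the table."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    branch, build = parsed
    fixed = FIXED_BUILDS.get((branch, fips))
    return None if fixed is None else build < fixed

def configured_vservers(show_output):
    """Names of vservers present in a 'show vpn vserver' style listing."""
    return VSERVER_RE.findall(show_output)

def assess(version, vpn_vserver_output, fips=False):
    """Combine both checks: the flaw is only reachable when a Gateway/AAA
    vserver is configured, so a vulnerable build without one is lower risk."""
    vuln = is_vulnerable_build(version, fips)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "patched"
    return "exposed" if configured_vservers(vpn_vserver_output) else "vulnerable-build-no-gateway"

# Constructed sample listing (not real appliance output) for a stand-alone run.
SAMPLE_VPN_VSERVER = """\
1)  gw-corp (203.0.113.10:443) - SSL Type: CONTENT  State: UP
2)  gw-partner (203.0.113.11:443) - SSL Type: CONTENT  State: UP
 Done
"""
```

Calling `assess("14.1-43.56", SAMPLE_VPN_VSERVER)` returns "exposed"; the same build with an empty listing returns "vulnerable-build-no-gateway", which still warrants patching but is not reachable pre-auth per the advisory's configuration requirement.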
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-6543 |
| Vendor / Product | Citrix — NetScaler ADC and Gateway |
| NVD Published | 2025-06-25 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-119 |
| CISA KEV Added | 2025-06-30 |
| CISA KEV Deadline | 2025-07-21 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-06-25 | CVE published; Citrix releases patches 14.1-47.46, 13.1-59.19, 13.1-37.236-FIPS |
| 2025-06-30 | Added to CISA Known Exploited Vulnerabilities catalog; active exploitation confirmed |
| 2025-07-21 | CISA BOD 22-01 remediation deadline |
| 2025-08-26 | Citrix issues follow-on advisory for CVE-2025-7775 (related memory overflow in same component) |
References
| Resource | Type |
|---|---|
| Citrix Security Advisory CTX694788 | Vendor Advisory |
| NetScaler Critical Security Updates for CVE-2025-6543 and CVE-2025-5777 | Vendor Advisory |
| NVD — CVE-2025-6543 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CISA Warns of Citrix NetScaler ADC and Gateway Active Exploitation | News |
| SecurityScorecard — CVE-2025-6543 Added to CISA KEV | Security Research |