NetScaler: Memory overflow leading to unintended control flow and Denial of Service in Citrix NetScaler ADC and Gateway (CVE-2025-6543) #shorts

Summary

In today’s episode we cover CVE-2025-6543, a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway. This flaw is actively exploited in the wild and can cause a denial of service or unintended code paths. Citrix has released emergency patches—if you run NetScaler in any capacity, you need to act now.

Product details

The products affected are Citrix NetScaler ADC and NetScaler Gateway in the following versions:

  • ADC 14.1 versions less than 47.46
  • ADC 13.1 versions less than 59.19
  • ADC 13.1 FIPS and NDcPP versions less than 37.236
  • Gateway 14.1 versions less than 47.46
  • Gateway 13.1 versions less than 59.19
  • Gateway 13.1 FIPS and NDcPP versions less than 37.236

These appliances commonly serve as VPN virtual servers, ICA proxies, CVPN, RDP proxies or AAA servers.
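To turn the version list above into a repeatable check against an appliance inventory, here is an added example (not Citrix's code and not part of the original post). The fixed-build thresholds are the ones listed above; the banner format it parses, `NetScaler NS<release>: Build <build>.nc, ...`, is assumed to be what `show ns version` prints, and the FIPS/NDcPP track has to be flagged explicitly because the banner alone does not identify it. Build numbers must be compared numerically, component by component: compared as strings, "37.38" sorts after "37.236", which would wrongly report a vulnerable 13.1 FIPS build as fixed.

```python
import re

# Fixed builds per release, as listed in the advisory for CVE-2025-6543.
# The same thresholds apply to NetScaler ADC and NetScaler Gateway.
# Key: (release, is_fips_ndcpp) -> first build that is NOT affected.
FIXED_BUILDS = {
    ("14.1", False): (47, 46),
    ("13.1", False): (59, 19),
    ("13.1", True): (37, 236),   # 13.1 FIPS and NDcPP track
}

# Assumed banner format (an assumption, not from the advisory): the line printed by
# `show ns version`, e.g. "NetScaler NS14.1: Build 47.44.nc, Date: Apr 5 2025".
VERSION_RE = re.compile(r"NS(?P<release>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")


def parse_version(banner):
    """Return (release, build) with build as an int tuple, e.g. ("14.1", (47, 44))."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    build = tuple(int(part) for part in m.group("build").split("."))
    return m.group("release"), build


def is_affected(banner, fips_ndcpp=False):
    """True if the build is below the fixed build, False if it is at or above it,
    None if the release is not listed in the advisory (the table cannot answer)."""
    release, build = parse_version(banner)
    fixed = FIXED_BUILDS.get((release, fips_ndcpp))
    if fixed is None:
        return None
    # Tuple comparison is numeric per component; a plain string comparison
    # would rank "37.38" above "37.236" and miss a vulnerable FIPS build.
    return build < fixed


def triage(inventory):
    """inventory: list of (hostname, banner, fips_ndcpp).
    Returns (affected_hosts, unknown_hosts); unknown hosts need a manual look."""
    affected, unknown = [], []
    for host, banner, fips in inventory:
        verdict = is_affected(banner, fips)
        if verdict is None:
            unknown.append(host)
        elif verdict:
            affected.append(host)
    return affected, unknown


# Constructed inventory for demonstration; hostnames, dates and banners are made up.
SAMPLE_INVENTORY = [
    ("gw-dc1", "NetScaler NS14.1: Build 47.44.nc, Date: Apr 5 2025", False),
    ("gw-dc2", "NetScaler NS14.1: Build 47.46.nc, Date: Jun 24 2025", False),
    ("adc-fips", "NetScaler NS13.1: Build 37.38.nc, Date: Mar 1 2025", True),
    ("adc-old", "NetScaler NS13.0: Build 92.21.nc, Date: Jan 10 2024", False),
]

if __name__ == "__main__":
    affected, unknown = triage(SAMPLE_INVENTORY)
    print("Affected, patch now:", affected)
    print("Release not covered by the advisory table:", unknown)
```

Hosts that come back as unknown are not cleared: the advisory only lists 14.1 and 13.1, so any other release has to be assessed separately rather than treated as safe.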

Vulnerability type summary

This issue is classified under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. In plain terms, a specially crafted request can overflow internal memory buffers, leading to unintended control flow or a crash of the service.

Details of the vulnerability

When NetScaler ADC or Gateway is configured as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy or AAA server, an attacker can send maliciously crafted packets that exceed expected buffer boundaries. The overflow corrupts internal data structures, which can:

  1. Divert execution flow, potentially leading to remote code execution in future variants.
  2. Trigger a denial of service by crashing the Citrix service.

Security teams have observed active exploitation targeting enterprise remote access infrastructure. Citrix responded by issuing out-of-cycle patches on June 25, 2025. If you are running any affected version, you should immediately apply the updates.

Conclusion

CVE-2025-6543 is a high-risk buffer overflow in a widely deployed remote access product. Because it’s under active attack, patching cannot wait. Review your NetScaler ADC and Gateway versions, schedule downtime if necessary, and install the Citrix security fixes without delay. Stay safe and stay tuned for more security updates.

Watch the full video on YouTube: CVE-2025-6543

Remediation and exploitation details

This chain involves the following actors

  • Malicious actor: Attacker exploiting a buffer overflow
  • System administrator: Defender responsible for patching and configuration

The following systems are involved

  • Citrix NetScaler ADC (Distribute and accelerate application traffic): Handles client connections, load balancing and security enforcement
  • Citrix NetScaler Gateway (Provide secure remote access): Acts as a gateway for virtual private network connections and proxy services

Attack entry point

  • VPN virtual server: Endpoint accepting remote access connections over virtual private network
  • ICA Proxy service: Endpoint tunneling application sessions through the gateway
  • AAA authentication service: Endpoint handling user login and authorization requests

Remediation actions

  • System administrator: Apply Citrix emergency patches (Citrix NetScaler ADC and Gateway)
  • System administrator: Limit access to management interfaces (Citrix NetScaler ADC and Gateway)
  • System administrator: Monitor logs for abnormal service restarts (Citrix NetScaler ADC and Gateway)

Exploitation actions

Service enumeration

  • Malicious actor: Discover reachable gateway services (Citrix NetScaler Gateway)
Examples:
  • Scan network for open gateway ports
  • Probe HTTP headers to identify software version

Reverse engineering

  • Malicious actor: Analyze packet handling code (Citrix NetScaler Gateway)
Examples:
  • Extract firmware or binary from updates
  • Locate buffer size checks in authentication routines

Buffer overflow crafting

  • Malicious actor: Construct oversized request payload (VPN virtual server)
Examples:
  • Create input that exceeds the expected buffer length
  • Embed specific pattern to overwrite adjacent memory

Network injection

  • Malicious actor: Transmit malformed packets (VPN virtual server)
Examples:
  • Send UDP or TCP packets carrying the crafted payload
  • Space transmissions to evade simple rate limits

Buffer overflow execution

  • Malicious actor: Trigger memory corruption (VPN virtual server)
Examples:
  • Overflow input buffer causing adjacent memory overwrite
  • Corrupt function return pointer or control data

Control flow manipulation

  • Malicious actor: Hijack control flow or crash process (Citrix NetScaler ADC)
Examples:
  • Overwrite return address to redirect execution to attacker code
  • Cause unexpected termination to achieve Denial of Service

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-6543
Description
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Provider
Citrix
CWE / problem types
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Affected Software Versions
NetScaler ADC (status: affected, version type: patch):
  • 14.1, versions less than 47.46
  • 13.1, versions less than 59.19
  • 13.1 FIPS and NDcPP, versions less than 37.236
NetScaler Gateway (status: affected, version type: patch):
  • 14.1, versions less than 47.46
  • 13.1, versions less than 59.19
  • 13.1 FIPS and NDcPP, versions less than 37.236
Date Published
2025-06-25T12:49:57.896Z
Last Updated
2025-06-30T22:20:23.170Z