CISA Warns of Citrix NetScaler ADC and Gateway Vulnerability Actively Exploited in Attacks
CISA has issued an urgent warning regarding a critical buffer overflow vulnerability in Citrix NetScaler ADC and Gateway products, designated as CVE-2025-6543.
The flaw was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on June 30, 2025; threat actors are actively exploiting this high-severity flaw, which poses significant risks to organizations running these network infrastructure components.
The vulnerability enables attackers to achieve unintended control flow manipulation and execute Denial-of-Service (DoS) attacks against affected systems, prompting immediate action from federal agencies and private sector organizations.
Citrix NetScaler Buffer Overflow Vulnerability
CVE-2025-6543 represents a buffer overflow vulnerability classified under the Common Weakness Enumeration (CWE) 119, which encompasses the improper restriction of operations within memory buffer boundaries.
This technical classification indicates that the vulnerability stems from insufficient input validation mechanisms within the NetScaler codebase, allowing attackers to write data beyond allocated memory boundaries.
The exploitation of this flaw can result in arbitrary code execution and system compromise, making it particularly dangerous for internet-facing network appliances.
The vulnerability specifically affects Citrix NetScaler ADC (Application Delivery Controller) and Gateway products when configured in specific operational modes.
These enterprise-grade network devices serve as critical infrastructure components, handling load balancing, SSL offloading, and secure remote access functionalities for organizations worldwide.
The buffer overflow condition occurs during packet processing routines, where malformed network traffic can trigger memory corruption, leading to system instability or complete compromise.
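The weakness class described above (CWE-119, a length field trusted during packet processing) is easiest to see in a minimal parser. The following is an added illustration, not NetScaler code; the one-byte-length-prefixed "name" record, the `NAME_CAPACITY` buffer and the sample packets are all constructed for this example. The unchecked version shows the defect pattern; the checked version validates the declared length against both the destination capacity and the bytes actually received before any write happens.

```c
/* Added example: minimal length-prefixed record parser illustrating CWE-119.
 * Not NetScaler code; the wire format and sample packets are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NAME_CAPACITY 16   /* fixed-size destination buffer, typical of packet parsers */

/* Constructed wire format: [1 byte length][length bytes of name]. */

/* VULNERABLE pattern: trusts the length byte taken from the network.
 * If len > NAME_CAPACITY - 1, memcpy writes past the end of 'out' (CWE-119).
 * Returns the number of bytes copied. Only ever call with well-formed input. */
int copy_name_unchecked(const uint8_t *pkt, size_t pkt_len, char *out)
{
    if (pkt_len < 1) return -1;
    size_t len = pkt[0];
    /* Missing: no check that len fits in 'out' or that len bytes were received. */
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* HARDENED: the declared length is validated against the destination capacity
 * and against the bytes actually present before anything is written.
 * Returns bytes copied, or a negative code describing why the record was rejected. */
int copy_name_checked(const uint8_t *pkt, size_t pkt_len, char *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || out_cap == 0 || pkt_len < 1) return -1;
    size_t len = pkt[0];
    if (len > pkt_len - 1) return -2;  /* truncated: claims more bytes than received */
    if (len > out_cap - 1) return -3;  /* oversized: would overflow 'out' */
    memcpy(out, pkt + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Reports whether the unchecked parser would overflow a NAME_CAPACITY buffer
 * (or read past the packet) for this input, without performing the copy. */
int declared_length_overflows(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1) return 0;
    return pkt[0] > NAME_CAPACITY - 1 || pkt[0] > pkt_len - 1;
}

int main(void)
{
    /* Constructed sample packets */
    const uint8_t benign[] = { 5, 'a', 'd', 'm', 'i', 'n' };
    uint8_t oversized[1 + 64];
    oversized[0] = 64;                 /* claims 64 bytes, far beyond NAME_CAPACITY */
    memset(oversized + 1, 'A', 64);

    char name[NAME_CAPACITY];
    printf("benign:    checked=%d name=\"%s\"\n",
           copy_name_checked(benign, sizeof benign, name, sizeof name), name);
    printf("oversized: checked=%d (rejected), unchecked would overflow=%d\n",
           copy_name_checked(oversized, sizeof oversized, name, sizeof name),
           declared_length_overflows(oversized, sizeof oversized));
    return 0;
}
```

The rejection codes matter for detection as well as safety: a parser that distinguishes "truncated" from "oversized" records gives operators a countable signal of malformed traffic hitting the appliance, rather than silently corrupting memory.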
The vulnerability’s exploitation requires specific NetScaler configurations to be present, limiting its attack surface but still affecting a substantial number of deployments.
Affected systems must be configured as Gateway services, including VPN virtual servers, ICA Proxy implementations, CVPN (Cloud VPN) services, or RDP Proxy configurations.
Additionally, systems configured with AAA (Authentication, Authorization, and Accounting) virtual servers are susceptible to this vulnerability.
Organizations utilizing NetScaler devices in these configurations face immediate risks of service disruption, unauthorized access, and potential lateral movement within their network infrastructure.
While CISA’s current assessment indicates the vulnerability’s use in ransomware campaigns remains unknown, the active exploitation status suggests sophisticated threat actors are leveraging this flaw for malicious purposes.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Citrix NetScaler ADC and Gateway |
| Impact | Denial of Service (DoS) |
| Exploit Prerequisites | NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server |
| CVSS Score | 9.2 (Critical) |
Mitigation
CISA has established a mandatory compliance deadline of July 21, 2025, requiring federal agencies to implement vendor-provided mitigations or discontinue use of vulnerable products.
This directive follows Binding Operational Directive (BOD) 22-01 guidelines, which mandate federal agencies to address known exploited vulnerabilities within specified timeframes.
Organizations must immediately apply the security updates released by Citrix and follow the vendor’s guidance to protect against ongoing threats.
For cloud service implementations, additional BOD 22-01 cloud service guidance applies, requiring enhanced monitoring and incident response capabilities.
The urgent nature of this vulnerability underscores the critical importance of maintaining current patch levels for network infrastructure components and implementing robust vulnerability management programs across enterprise environments.