CVE-2025-6543
Published 2025-06-25
CVE-2025-6543: Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN…
Priority P188 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability, due 2025-07-21
Exploited in the wild
EPSS: 9.76% (94.9th percentile)
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| citrix | citrix_adm | — | — |
| citrix | citrix_hypervisor | — | — |
| citrix | citrix_virtual_apps_and_desktops | — | — |
| citrix | endpoint_management | — | — |
| citrix | netscaler_adc | — | — |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-37.236 | 13.1-37.236 |
| citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-59.19 | 13.1-59.19 |
| citrix | netscaler_application_delivery_controller | >= 14.1 < 14.1-47.46 | 14.1-47.46 |
| citrix | netscaler_gateway | — | — |
| citrix | netscaler_gateway | >= 13.1 < 13.1-59.19 | 13.1-59.19 |
| citrix | netscaler_gateway | >= 14.1 < 14.1-47.46 | 14.1-47.46 |
| citrix | xenserver | — | — |
| netscaler | adc | >= 13.1 < 59.19 | 59.19 |
| netscaler | adc | >= 13.1 FIPS and NDcPP < 37.236 | 37.236 |
| netscaler | adc | >= 14.1 < 47.46 | 47.46 |
| netscaler | gateway | >= 13.1 < 59.19 | 59.19 |
| netscaler | gateway | >= 13.1 FIPS and NDcPP < 37.236 | 37.236 |
| netscaler | gateway | >= 14.1 < 47.46 | 47.46 |
Detection & IOCs
- Monitor for HTTP requests to /cgi/GetAuthMethods — attackers are probing this endpoint to fingerprint authentication methods and determine if NetScaler is configured as a SAML IDP prior to exploitation.
- Detect crafted SAMLRequest payloads to /saml/login that omit the AssertionConsumerServiceURL field; on vulnerable devices this triggers memory leakage returned Base64-encoded in the NSC_TASS cookie.
- Detect HTTP requests to /wsfed/passive where the 'wctx' query string parameter is present but has no value and lacks the '=' symbol — this triggers the second memory overread variant.
- Inspect NSC_TASS cookie values in responses from NetScaler for anomalously large or Base64-encoded memory content, which indicates successful memory leakage exploitation.
- Hunt for atypical file creation dates, duplicate file names with different extensions, and absence of PHP files in expected folders as post-compromise indicators on NetScaler devices.
- Use the NCSC-released GitHub script to scan NetScaler devices for unusual PHP and XHTML files and other IOCs associated with CVE-2025-6543 post-exploitation activity.
- On patched NetScaler instances, requests to /saml/login that would trigger the vulnerability return the response: 'Parsing of presented Assertion failed; Please contact your administrator.' — absence of this response on older firmware indicates vulnerability.
- CVE-2025-6543 only affects NetScaler ADC and NetScaler Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR as an AAA virtual server. Devices not in these configurations are not vulnerable.
- NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End-of-Life and remain vulnerable with no patches provided; upgrade to a supported release is required.
- Exploitation was observed as a zero-day since at least early May 2025, approximately two months before Citrix published its bulletin on June 25, 2025, meaning patching alone is insufficient — compromise assessment is required.
- Attackers actively removed traces of compromise after exploitation, making forensic detection harder; standard log review may be insufficient to confirm or rule out breach.
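An added example (not from the NCSC script or any source cited on this page) that hunts web access logs for the three request-side indicators listed above. The combined log format, the function names and the sample lines are assumptions constructed for illustration, and the SAML check only sees a SAMLRequest carried in the query string.

```python
import base64
import re
import zlib
from urllib.parse import quote, unquote, urlsplit

# Request field of a combined-format access log line (the log format is an assumption).
REQ_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_saml_request(value):
    """Decode a SAMLRequest query value to XML text; None if it is not Base64."""
    try:
        raw = base64.b64decode(unquote(value))
    except ValueError:
        return None
    try:
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    except zlib.error:
        pass  # not DEFLATE: treat the bytes as plain Base64-encoded XML
    return raw.decode("utf-8", errors="replace")

def classify(line):
    """Return the names of the listed indicators that one log line matches."""
    m = REQ_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    path, fields = url.path.lower(), url.query.split("&")
    hits = []
    if path == "/cgi/getauthmethods":
        hits.append("getauthmethods-probe")
    if path == "/wsfed/passive" and "wctx" in fields:  # bare key, no '='
        hits.append("wsfed-wctx-without-equals")
    if path == "/saml/login":
        for field in fields:
            name, sep, value = field.partition("=")
            xml = decode_saml_request(value) if name == "SAMLRequest" and sep else None
            # The ACS URL is optional in SAML 2.0, so this is a hunting lead, not proof.
            if xml is not None and "AssertionConsumerServiceURL" not in xml:
                hits.append("saml-no-acs-url")
    return hits

def scan(lines):
    """Yield (line_number, source, hits) for every line with at least one hit."""
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            yield n, REQ_RE.search(line).group("src"), hits

def _redirect_encode(xml):  # test-data helper: DEFLATE + Base64 + URL-encode
    c = zlib.compressobj(wbits=-15)
    return quote(base64.b64encode(c.compress(xml.encode()) + c.flush()), safe="")

# Constructed sample lines: documentation-range addresses, minimal placeholder XML.
_WITH = '<AuthnRequest ID="_a" AssertionConsumerServiceURL="https://sp.example/acs"/>'
_WITHOUT = '<AuthnRequest ID="_b"/>'
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:00:00:01 +0000] "GET /cgi/GetAuthMethods HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2026:00:00:02 +0000] "GET /wsfed/passive?wctx HTTP/1.1" 200 900',
    f'192.0.2.10 - - [01/Jan/2026:00:00:03 +0000] "GET /saml/login?SAMLRequest={_redirect_encode(_WITHOUT)} HTTP/1.1" 200 1400',
    f'198.51.100.7 - - [01/Jan/2026:00:00:04 +0000] "GET /saml/login?SAMLRequest={_redirect_encode(_WITH)} HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Request logs cannot show the NSC_TASS response cookie or POST bodies, so those indicators need response capture or appliance-side inspection.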
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.2 CRITICAL · CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 CRITICAL
cisa · 9.2 CRITICAL
CISA
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
cisa·2025-06-30·CVSS 9.2
CVE-2025-6543 [CRITICAL] CWE-119 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Vulnerability: Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Affected: Citrix NetScaler ADC and Gateway
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 ; https://www.netscaler.com/blog/news/netscaler-critical-security-updates-for-cve-2025-6543-and-cve-2025-5777/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-6543
Citrix
Citrix Security Bulletin CTX694788
vendor_citrix·CVSS 5.9
CVE-2025-12101 [MEDIUM] Citrix Security Bulletin CTX694788
Citrix Security Bulletin CTX694788
CVE References: CVE-2025-12101, CVE-2025-62626, CVE-2025-6543, CVE-2026-23554, CVE-2026-3055, CVE-2026-4368, CVE-2026-4397
Affected Products: Citrix ADM, Citrix Hypervisor, Citrix Virtual Apps and Desktops, Endpoint Management, NetScaler ADC, NetScaler Gateway, XenServer
GHSA
GHSA-9gqr-6728-fpv3: Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gatew
ghsa_unreviewed·2025-06-26
CVE-2025-6543 [CRITICAL] CWE-119 GHSA-9gqr-6728-fpv3: Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gatew
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
VulnCheck
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
vulncheck·2025·CVSS 9.3
CVE-2025-5777 [CRITICAL] CWE-125 Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC and Gateway Out-of-Bounds Read Vulnerability
Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation. This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/; https://dashboard.shadowserver.org/statist
VulnCheck
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
vulncheck·2025·CVSS 9.2
CVE-2025-6543 [CRITICAL] CWE-119 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability
Citrix NetScaler ADC and Gateway contain a buffer overflow vulnerability leading to unintended control flow and Denial of Service. NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server.
Affected: Citrix NetScaler ADC and NetScaler Gateway
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788; https://reliaquest.com/blog/threat-spotlight-citrix-bleed-2-vulnerability-in-netscaler-adc-gateway-devices/; https://www.cisa.gov/sites/default/fil
No detection rules found.
No public exploits indexed.
Hackernews
Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
blogs_hackernews·2026-03-28·CVSS 9.4
CVE-2026-3055 [CRITICAL] Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
## Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug
A recently disclosed critical security flaw impacting Citrix NetScaler ADC and NetScaler Gateway is witnessing active reconnaissance activity, according to Defused Cyber and watchTowr.
The vulnerability, CVE-2026-3055 (CVSS score: 9.3), refers to a case of insufficient input validation leading to memory overread, which an attacker could exploit to leak potentially sensitive information.
Per Citrix, successful exploitation of the flaw hinges on the appliance being configured as a SAML Identity Provider (SAML IDP).
"We are now observing aut
Hackernews
Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
blogs_hackernews·2026-03-24·CVSS 9.3
[CRITICAL] Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
## Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks
Citrix has released security updates to address two vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical flaw that could be exploited to leak sensitive data from the application.
The vulnerabilities are listed below -
CVE-2026-3055 (CVSS score: 9.3) - Insufficient input validation leading to memory overread
CVE-2026-4368 (CVSS score: 7.7) - Race condition leading to user session mixup
Cybersecurity company Rapid7 said that CVE-2026-3055 refers to an out-of-bounds read that could be exploited by unauthenticated remote
Tenable
CVE-2025-7775 Citrix RCE Zero-day
blogs_tenable·2025-08-26·CVSS 9.2
[CRITICAL] CVE-2025-7775 Citrix RCE Zero-day
Talos
What happened in Vegas (that you actually want to know about)
blogs_talos·2025-08-14
What happened in Vegas (that you actually want to know about)
Welcome to this week’s edition of the Threat Source newsletter.
Last week I flew 5,000 miles to Las Vegas for Black Hat USA. After navigating the casino carpet labyrinth and finding the only venue in Nevada that serves a proper English breakfast tea with milk (lifesaver), I’ve decided Black Hat feels exactly like trying to run in a dream — you’re always heading somewhere, never quickly, and the water costs $8.
I don’t mean to complain (although, as a Brit, I’m practically obligated to file a formal grievance about the weather, tea or queue length). In truth, it was a brilliant week, and I got to watch my fellow Talosians deliver some outstanding presentations and research.
Rather than recap everything we did (our YouTube channel will have plenty of research highlights soon), here are th
Bleepingcomputer
Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug
blogs_bleepingcomputer·2025-08-12·CVSS 9.3
CVE-2025-5777 [CRITICAL] Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug
## Over 3,000 NetScaler devices left unpatched against CitrixBleed 2 bug
## Sergiu Gatlan
Over 3,300 Citrix NetScaler devices remain unpatched against a critical vulnerability that allows attackers to bypass authentication by hijacking user sessions, nearly two months after patches were released.
Tracked as CVE-2025-5777 and referred to as CitrixBleed 2, this out-of-bounds memory read vulnerability results from insufficient input validation, enabling unauthenticated attackers to access restricted memory regions remotely on devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
Successfully exploiting this security flaw could enable threat actors to steal session tokens, credentials, and other sensitive data from public-facing gateways a
Bleepingcomputer
Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs
blogs_bleepingcomputer·2025-08-11·CVSS 9.2
CVE-2025-6543 [CRITICAL] Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs
## Netherlands: Citrix Netscaler flaw CVE-2025-6543 exploited to breach orgs
## Bill Toulas
The Netherlands' National Cyber Security Centre (NCSC) is warning that a critical Citrix NetScaler vulnerability tracked as CVE-2025-6543 was exploited to breach "critical organizations" in the country.
The critical flaw is a memory overflow bug that allows unintended control flow or a denial of service state on impacted devices.
"Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server," explains Citrix's advisory.
Citrix issued a bulletin about the flaw on June 25, 2025, warning that the following versions were vulnerable to on
Tenable
Cybersecurity Snapshot: AI Security Tools Embraced by Cyber Teams, Survey Finds, as Vulnerability Research Gets a Boost from UK Cyber Agency
blogs_tenable·2025-07-18
Cybersecurity Snapshot: AI Security Tools Embraced by Cyber Teams, Survey Finds, as Vulnerability Research Gets a Boost from UK Cyber Agency
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5777 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
On June 17th, 2025, two critical vulnerabilities - CVE-2025-5349 and CVE-2025-5777 - were disclosed in Citrix Netscaler ADC and Netscaler Gateway, enabling unauthorized access to sensitive resources and memory overreads in specific configurations. Due to certain similarities between CVE-2025-5777 and CVE-2023-4966 (AKA “CitrixBleed”), in some publications this vulnerability has been nicknamed “CitrixBleed 2”.
On June 25, 2025, a third critical RCE vulnerability - CVE-2025-6543 - was also disclosed. This flaw affects the same products as above, with the vendor noting that it has been exploited in the wild as a 0-day. Customers are strongly advised to update to the latest fixed versions to mitigate these risks.
## What are the vulnerabilities?
### CVE-2025-5777: Memory Overread via Crafted
Wiz
Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
blogs_wiz·2025-07-06·CVSS 9.4
CVE-2025-5349 [CRITICAL] Critical vulnerabilities in NetScaler ADC exploited in-the-wild: everything you need to know | Wiz Blog
## What are the vulnerabilities?
## CVE-2025-5349: Improper Access Control on
Tenable
CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
blogs_tenable·2025-06-27·CVSS 9.3
[CRITICAL] CVE-2025-5777, CVE-2025-6543: Frequently Asked Questions About CitrixBleed 2 and Citrix NetScaler Exploitation
Bleepingcomputer
Citrix warns of NetScaler vulnerability exploited in DoS attacks
blogs_bleepingcomputer·2025-06-25·CVSS 9.3
CVE-2025-6543 [CRITICAL] Citrix warns of NetScaler vulnerability exploited in DoS attacks
## Citrix warns of NetScaler vulnerability exploited in DoS attacks
## Lawrence Abrams
Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.
"Exploits of CVE-2025-6543 on unmitigated appliances have been observed," warns Citrix's advisory.
Tracked internally as CTX694788, CVE-2025-6543 is a critical flaw impacting NetScaler ADC and NetScaler Gateway and can be triggered by unauthenticated, remote requests, leading the appliance to go offline.
The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.
It only affects NetScaler device
2025-06-25: Published
2025-06-30: Added to CISA KEV
Exploited in the wild