CVE-2025-6543
published 2025-06-25

CVE-2025-6543: Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN…

Priority: P188
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV, ITW
CISA Known Exploited Vulnerability, due 2025-07-21
Exploited in the wild
EPSS: 9.76% (94.9th percentile)
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Affected

18 ranges

Vendor | Product | Version range | Fixed in
citrix | citrix_adm | |
citrix | citrix_hypervisor | |
citrix | citrix_virtual_apps_and_desktops | |
citrix | endpoint_management | |
citrix | netscaler_adc | |
citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-37.236 | 13.1-37.236
citrix | netscaler_application_delivery_controller | >= 13.1 < 13.1-59.19 | 13.1-59.19
citrix | netscaler_application_delivery_controller | >= 14.1 < 14.1-47.46 | 14.1-47.46
citrix | netscaler_gateway | |
citrix | netscaler_gateway | >= 13.1 < 13.1-59.19 | 13.1-59.19
citrix | netscaler_gateway | >= 14.1 < 14.1-47.46 | 14.1-47.46
citrix | xenserver | |
netscaler | adc | >= 13.1 < 59.19 | 59.19
netscaler | adc | >= 13.1 FIPS and NDcPP < 37.236 | 37.236
netscaler | adc | >= 14.1 < 47.46 | 47.46
netscaler | gateway | >= 13.1 < 59.19 | 59.19
netscaler | gateway | >= 13.1 FIPS and NDcPP < 37.236 | 37.236
netscaler | gateway | >= 14.1 < 47.46 | 47.46

Detection & IOCs (extracted from sources)

path: /cgi/GetAuthMethods
path: /saml/login
cookie: NSC_TASS
  • Monitor for HTTP requests to /cgi/GetAuthMethods — attackers are probing this endpoint to fingerprint authentication methods and determine if NetScaler is configured as a SAML IDP prior to exploitation.
  • Detect crafted SAMLRequest payloads to /saml/login that omit the AssertionConsumerServiceURL field; on vulnerable devices this triggers memory leakage returned Base64-encoded in the NSC_TASS cookie.
  • Detect HTTP requests to /wsfed/passive where the 'wctx' query string parameter is present but has no value and lacks the '=' symbol — this triggers the second memory overread variant.
  • Inspect NSC_TASS cookie values in responses from NetScaler for anomalously large or Base64-encoded memory content, which indicates successful memory leakage exploitation.
  • Hunt for atypical file creation dates, duplicate file names with different extensions, and absence of PHP files in expected folders as post-compromise indicators on NetScaler devices.
  • Use the NCSC-released GitHub script to scan NetScaler devices for unusual PHP and XHTML files and other IOCs associated with CVE-2025-6543 post-exploitation activity.
  • On patched NetScaler instances, requests to /saml/login that would trigger the vulnerability return the response: 'Parsing of presented Assertion failed; Please contact your administrator.' — absence of this response on older firmware indicates vulnerability.
  • CVE-2025-6543 only affects NetScaler ADC and NetScaler Gateway devices configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR as an AAA virtual server. Devices not in these configurations are not vulnerable.
  • NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End-of-Life and remain vulnerable with no patches provided; upgrade to a supported release is required.
  • Exploitation was observed as a zero-day since at least early May 2025, approximately two months before Citrix published its bulletin on June 25, 2025, meaning patching alone is insufficient — compromise assessment is required.
  • Attackers actively removed traces of compromise after exploitation, making forensic detection harder; standard log review may be insufficient to confirm or rule out breach.
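The request-side indicators above (the /cgi/GetAuthMethods probe, the bare wctx parameter on /wsfed/passive, and oversized NSC_TASS cookies in responses to the SAML and WS-Fed endpoints) can be turned into a log triage routine. The following is an added example, not code from the database or from Citrix; it assumes a constructed, simplified JSON-lines export from a reverse proxy or WAF with the fields method, path, query, src and nsc_tass_len (byte length of any NSC_TASS cookie the response set), and an assumed baseline cookie length that must be tuned to real traffic.

```python
import json

NSC_TASS_BASELINE = 256  # assumed threshold; derive from your own normal traffic first


def has_bare_wctx(query):
    """True when 'wctx' appears as a key with no '=' at all (e.g. '?wa=x&wctx')."""
    return any(part == "wctx" for part in query.split("&") if part)


def classify(entry):
    """Return the indicator names matched by one parsed log entry."""
    hits = []
    path = entry.get("path", "")
    query = entry.get("query", "")
    if path == "/cgi/GetAuthMethods":
        hits.append("auth-method-fingerprint")      # pre-exploitation recon
    if path == "/wsfed/passive" and has_bare_wctx(query):
        hits.append("wsfed-bare-wctx")              # second overread variant
    if path in ("/saml/login", "/wsfed/passive") and entry.get("nsc_tass_len", 0) > NSC_TASS_BASELINE:
        hits.append("oversized-nsc-tass")           # possible leaked memory in cookie
    return hits


def scan(lines):
    """Parse JSON lines, skip malformed ones, return [(src, hits)] for matches."""
    findings = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        hits = classify(entry)
        if hits:
            findings.append((entry.get("src", "?"), hits))
    return findings


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '{"src":"203.0.113.5","method":"GET","path":"/cgi/GetAuthMethods","query":"","nsc_tass_len":0}',
    '{"src":"203.0.113.5","method":"POST","path":"/saml/login","query":"","nsc_tass_len":4096}',
    '{"src":"203.0.113.9","method":"GET","path":"/wsfed/passive","query":"wa=wsignin1.0&wctx","nsc_tass_len":0}',
    '{"src":"198.51.100.2","method":"GET","path":"/wsfed/passive","query":"wa=wsignin1.0&wctx=abc","nsc_tass_len":0}',
    '{"src":"198.51.100.3","method":"GET","path":"/vpn/index.html","query":"","nsc_tass_len":80}',
    'not json',
]

if __name__ == "__main__":
    for src, hits in scan(SAMPLE_LOG):
        print(src, ", ".join(hits))
```

A hit on oversized-nsc-tass is only a trigger for compromise assessment, since the page notes attackers cleaned up after themselves and log review alone may not settle the question.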

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (v4.0): 9.2 CRITICAL, CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 9.3 CRITICAL
CISA: 9.2 CRITICAL