A critical vulnerability in Citrix NetScaler ADC and Gateway, tracked as CVE-2025-6543, is being actively exploited in the wild, impacting critical sectors in the Netherlands. This memory overflow flaw, which carries a CVSS score of 9.8, allows attackers to manipulate control flow and potentially cause a Denial of Service (DoS) when the devices are configured as a Gateway or AAA virtual server. The vulnerability was publicly disclosed on June 25, 2025, and within just 4.5 days, attackers began exploiting it.
The Dutch National Cyber Security Centre (NCSC) has confirmed that this vulnerability is being leveraged in attacks against critical infrastructure, highlighting the urgency for organizations using Citrix NetScaler devices to apply patches immediately. The flaw is listed in the Known Exploited Vulnerabilities (KEV) catalog, underscoring its severity and the need for swift remediation.
Citrix released emergency patches on the same day the vulnerability was disclosed, aiming to mitigate the risk posed by this critical flaw. Despite the availability of patches, the exploitation in the wild indicates that many organizations have yet to update their systems, leaving them vulnerable to potential breaches.
The vulnerability, identified as CWE-119, involves a memory overflow that can lead to unintended control flow. This type of vulnerability is particularly dangerous as it can be exploited to execute arbitrary code or disrupt services, making it a prime target for attackers seeking to compromise network security.
Proof-of-concept (PoC) exploits for CVE-2025-6543 are already circulating, with at least three known versions available. This availability of PoC exploits significantly lowers the barrier for attackers, enabling even less sophisticated threat actors to launch attacks against unpatched systems.
Organizations using Citrix NetScaler ADC and Gateway are advised to prioritize patching to protect against potential exploitation. The SSVC (Stakeholder-Specific Vulnerability Categorization) for this vulnerability is marked as "act," indicating that immediate action is necessary to mitigate the threat.
Security teams should verify that their systems are updated with the latest patches and monitor for any signs of exploitation. Given the rapid exploitation timeline and the critical nature of the sectors affected, proactive measures are essential to safeguard against potential breaches.
CSURFACE