External risk intelligence

NetScaler Gateway and ADC Vulnerability Exposes Systems to Denial of Service

CVE advisoryKnown Exploit

CVE-2025-6543

A memory overflow vulnerability affects NetScaler ADC and Gateway. This can lead to unintended control flow and denial of service, impacting operations and potentially business risk.

5Halo Surface Signal

Memory Corruption

Citrix Netscaler Application Delivery Controller

13.1 to before 13.1-37.23613.1 to before 13.1-59.1914.1 to before 14.1-47.46

External exposure likelihood

Halo Surface Signal score for CVE-2025-6543

The vulnerability affects NetScaler ADC and Gateway appliances configured as VPN, ICA, CVPN, RDP, or AAA virtual servers. These components are specifically designed to operate as internet-facing gateways, remote access portals, and authentication endpoints, making them public-facing by design in normal deployment patterns.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

Citrix NetScaler Application Delivery Controller and NetScaler Gateway contain a memory overflow vulnerability. This flaw can lead to unintended control flow, potentially impacting system operations. The vulnerability affects specific configurations when the product is acting as a Gateway or AAA virtual server.

  • Affected NetScaler ADC and Gateway.
  • Memory overflow allows unintended control flow.
  • Potential for Denial of Service.

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to cause a denial of service or gain unintended control. The attacker can exploit this by sending specially crafted requests to an affected NetScaler instance. This can disrupt services and potentially lead to a loss of system availability.

  • Exposure: External network access.
  • Attacker access: No authentication required.
  • Trigger: Specially crafted network request.
  • Result: Denial of service or control flow impact.

Live Threat

Current exploitation, exposure, and threat context

A memory overflow vulnerability in NetScaler ADC and NetScaler Gateway presents a significant risk. Attackers can exploit this to disrupt services or potentially gain unauthorized control. The vulnerability affects specific configurations, including those acting as Gateway or AAA virtual servers. Organizations using these vulnerable configurations should consider this a high-priority issue.

  • Likely attacker skill level: Moderate.
  • Required access or conditions: Network access, specific configurations.
  • Business risk or urgency: High; service disruption.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows for unintended control flow and denial of service within NetScaler ADC and NetScaler Gateway when configured for specific gateway or AAA virtual server functions. Affected organizations face a business risk of disrupted services and potential unauthorized access. The impact could extend to systems, data, and employee productivity if the denial of service or control flow is exploited.

  • Find affected NetScaler assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.

Frequently asked questions

What is NetScaler ADC and NetScaler Gateway and what do they do?

NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are Citrix products used to manage and secure network traffic for applications and user access. They help ensure applications are available, perform well, and are accessible securely, especially for remote users.

What kind of vulnerability is CVE-2025-6543 and what weakness does it relate to?

CVE-2025-6543 is a memory overflow vulnerability, classified under CWE-119. This weakness allows an attacker to overwrite memory, potentially leading to unexpected program behavior, control flow hijacking, or system crashes, resulting in a Denial of Service.

How can CVE-2025-6543 be triggered and what is the scope of its impact?

This vulnerability is triggered by specially crafted network requests sent to an affected NetScaler instance. The impact can lead to unintended control flow or a denial of service, affecting system availability and potentially granting unauthorized control, with external network access required and no authentication needed.

What is the relevance of CVE-2025-6543 to NetScaler appliances and their configurations?

CVE-2025-6543 is highly relevant to NetScaler ADC and NetScaler Gateway appliances when they are configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The Halo Surface Signal indicates it's very likely to be exploited due to the internet-facing nature of these configurations.

What practical steps should be taken in response to CVE-2025-6543?

Organizations should identify affected NetScaler assets, reduce exposure or isolate the risk, apply vendor fixes when available, verify the implementation, and continuously monitor the systems. This addresses the business risk of disrupted services and potential unauthorized access.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified