Citrix Users Hit by Actively Exploited Zero-Day Vulnerability
Summary
On June 25th, 2025, Citrix disclosed a critical zero-day vulnerability (CVE-2025-6543) in its widely deployed NetScaler ADC and NetScaler Gateway appliances. The zero-day, which carries a CVSS base score of 9.2, was being exploited at the time of disclosure and affects systems configured as gateways or AAA (authentication, authorization, and accounting) virtual servers. The disclosure came just nine days after Citrix published security bulletins for two other vulnerabilities (CVE-2025-5777 and CVE-2025-5349) in the same product family.
Citrix describes CVE-2025-6543 as a memory overflow vulnerability that could be exploited to cause unintended control flow and denial-of-service conditions. Independent security researchers, including the watchTowr CEO, have disputed this description, stating that the vulnerability is probably a remote code execution flaw and that the observed denial-of-service traffic may indicate failed exploitation attempts rather than the attacker's intended goal.
The timing and presentation of the disclosure have been criticized by the security community, especially in light of earlier Citrix vulnerabilities such as CitrixBleed (CVE-2023-4966), which was exploited en masse (CyberScoop, 2025).
Impact:
- High potential for remote code execution
- Denial-of-service condition as a possible side effect of failed exploitation
- Targets sensitive network edge appliances used for secure remote access
- Likely to be leveraged in targeted attacks, given historical precedent and current activity
Attack Vector:
- Remote exploitation over the network
- Only exploitable when the NetScaler instance is configured as a Gateway or AAA virtual server
Authentication:
- Not required
- Unauthenticated attackers can exploit vulnerable configurations remotely if appliances are exposed and unpatched
Analyst Comments:
According to Ben Harris (CEO, watchTowr), the vulnerability should enable code execution, not denial of service as the CVSS score and vulnerability class suggest. The short gap between this zero-day disclosure and the previous advisories for CVE-2025-5777 and CVE-2025-5349 has drawn comparisons to past Citrix vulnerabilities that were exploited in bulk. Analysts note that Citrix has not yet provided details on when the vulnerability was first identified or whether it is related to the other recently disclosed issues, prompting calls for greater clarity around the disclosure timeline.
Suggested Corrections:
- Apply patches immediately: Citrix has issued security updates; all affected systems should be patched without delay.
- Review configurations: Verify if any NetScaler ADC or Gateway instances are configured as gateways or AAA virtual servers — these are the only configurations confirmed as exploitable.
- Limit exposure: Ensure NetScaler appliances are not unnecessarily exposed to the internet.
- Monitor for anomalies: Enable enhanced logging and traffic monitoring to detect signs of attempted or successful exploitation.
- Follow Citrix advisories: Monitor ongoing updates from Citrix for any clarifications, additional patches, or revised guidance.
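As an added example (not part of this advisory and not Citrix's own tooling), the following Python script supports the "review configurations" and "limit exposure" steps above: it scans text in the style of a NetScaler running-config dump for Gateway (`add vpn vserver`) and AAA (`add authentication vserver`) virtual servers, the two configurations the advisory names as exploitable, and flags those whose VIP lies outside RFC 1918, loopback or link-local space. The exact config line syntax, the private-range list and the sample config are assumptions; the documentation-range addresses in the sample stand in for public VIPs.

```python
"""Triage helper for the NetScaler configurations named in the advisory.

Added example, not from the advisory or from Citrix. Assumes the input is
text in the style of a NetScaler running-config dump in which virtual
servers are declared with lines such as
    add vpn vserver <name> SSL <ip> <port> [options...]
    add authentication vserver <name> SSL <ip> <port> [options...]
(assumed syntax). The config below is constructed for illustration only.
"""
import ipaddress
import re

# 'vpn' vservers are NetScaler Gateway, 'authentication' vservers are AAA
# (assumed syntax). Trailing options after the port are ignored on purpose.
VSERVER_RE = re.compile(
    r"^add (?P<kind>vpn|authentication) vserver (?P<name>\S+) (?P<proto>\S+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)"
)

# Address space treated as "internal" for the first-cut exposure flag.
# RFC 1918 plus loopback and link-local; a VIP in these ranges can still be
# published through NAT, so the flag is a triage hint, not proof of isolation.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample; documentation addresses stand in for public VIPs.
SAMPLE_CONFIG = """\
# constructed sample, not a real appliance's config
add lb vserver lb_web HTTP 10.0.5.20 80
add vpn vserver gw_corp SSL 203.0.113.10 443
add authentication vserver aaa_corp SSL 10.0.5.30 443
add authentication vserver aaa_partner SSL 198.51.100.7 443
"""


def is_internal(ip):
    """True when the VIP falls inside one of the assumed internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def find_exposed_vservers(config_text):
    """Return a list of dicts for every Gateway (vpn) and AAA (authentication)
    vserver in the config, with 'internet_facing' set when the VIP is not in
    an internal range. Load-balancing and other vserver kinds are skipped
    because the advisory only names Gateway and AAA configurations."""
    findings = []
    for line in config_text.splitlines():
        m = VSERVER_RE.match(line.strip())
        if not m:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        findings.append({
            "name": m.group("name"),
            "kind": "Gateway" if m.group("kind") == "vpn" else "AAA",
            "ip": str(ip),
            "port": int(m.group("port")),
            "internet_facing": not is_internal(ip),
        })
    return findings


def summarize(findings):
    """One-line verdict: any Gateway/AAA vserver puts the appliance in the
    exploitable configuration; internet-facing ones go to the top of the
    patch queue."""
    if not findings:
        return "no Gateway/AAA vservers: not in the advisory's exploitable configuration"
    exposed = sum(1 for f in findings if f["internet_facing"])
    return (f"{len(findings)} Gateway/AAA vserver(s) configured, "
            f"{exposed} internet-facing: patch immediately")


if __name__ == "__main__":
    results = find_exposed_vservers(SAMPLE_CONFIG)
    for f in results:
        print(f"{f['kind']:8} {f['name']:12} {f['ip']}:{f['port']} "
              f"{'INTERNET-FACING' if f['internet_facing'] else 'internal'}")
    print(summarize(results))
```

Run it against a saved running-config dump instead of `SAMPLE_CONFIG` to get a per-appliance list; an appliance with no Gateway or AAA vservers is outside the configuration the advisory calls exploitable, but should still be patched as part of the first corrective step.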
https://cyberscoop.com/citrix-zero-day-netscaler/