234/68 Friday, June 27, 2025

Citrix has released a security update addressing a critical vulnerability (CVE-2025-6543) in its NetScaler ADC product, which carries a CVSS severity score of 9.2. The flaw is classified as a memory overflow that may lead to unintended code execution and potentially enable Denial-of-Service (DoS) attacks. It affects appliances configured as a Gateway (VPN Virtual Server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA Virtual Server.
Affected versions include:
- NetScaler ADC and NetScaler Gateway 14.1 versions below 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 versions below 13.1-59.19
- NetScaler ADC and Gateway versions 12.1 and 13.0 (end-of-life)
- NetScaler ADC 13.1-FIPS and NDcPP versions below 13.1-37.236-FIPS and NDcPP
Citrix also confirmed that its Secure Private Access solutions—both on-premises and hybrid deployments utilizing NetScaler—are affected. The company strongly urges users to immediately update to the fixed versions to mitigate potential risk. While no technical details of the exploitation have been disclosed, Citrix confirmed that active exploitation has been observed in the wild targeting unpatched systems.
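As an added illustration (not part of the source article or of Citrix's own tooling), the following Python script maps the fixed builds listed above onto version banners in the assumed layout of NetScaler's `show ns version` output and flags builds that predate the fix; the 12.1 and 13.0 branches are reported as end-of-life, and 13.1-FIPS/NDcPP builds are compared against their own threshold rather than the regular 13.1 one. The sample banners are constructed, not real appliance output.

```python
import re

# Minimum fixed builds per branch, taken from the advisory above.
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),   # 13.1-FIPS and 13.1-NDcPP share this threshold
}
END_OF_LIFE = {"12.1", "13.0"}  # no fix will be released for these branches

# Assumed layout of the "show ns version" banner (constructed sample below):
#   NetScaler NS14.1: Build 47.46.nc, Date: ...
VERSION_RE = re.compile(r"NS(?P<branch>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")

def parse_version(line, fips=False):
    """Return (branch, (build_major, build_minor)) or None if the line does not match."""
    m = VERSION_RE.search(line)
    if not m:
        return None
    branch = m.group("branch")
    # FIPS/NDcPP 13.1 builds are numbered 37.x, so they must not be compared
    # against the 59.19 threshold of the regular 13.1 branch.
    if fips and branch == "13.1":
        branch = "13.1-FIPS"
    major, minor = m.group("build").split(".")
    return branch, (int(major), int(minor))

def assess(line, fips=False):
    """Classify a version line as 'affected', 'fixed', 'end-of-life' or 'unknown'."""
    parsed = parse_version(line, fips)
    if parsed is None:
        return "unknown"
    branch, build = parsed
    if branch in END_OF_LIFE:
        return "end-of-life"          # vulnerable and unpatchable: migrate
    if branch not in FIXED_BUILDS:
        return "unknown"              # branch not covered by the advisory
    return "affected" if build < FIXED_BUILDS[branch] else "fixed"

# Constructed sample banners, not real appliance output.
SAMPLES = [
    ("NetScaler NS14.1: Build 43.50.nc, Date: Jan 1 2025", False),
    ("NetScaler NS14.1: Build 47.46.nc, Date: Jun 25 2025", False),
    ("NetScaler NS13.0: Build 92.21.nc, Date: Nov 5 2023", False),
    ("NetScaler NS13.1: Build 37.236.nc, Date: Jun 20 2025", True),
]

if __name__ == "__main__":
    for banner, fips in SAMPLES:
        print(f"{assess(banner, fips):12} {banner}")
```

A build reported as fixed still needs its Gateway or AAA virtual server exposure reviewed, since the advisory ties the flaw to those configurations.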
This advisory follows shortly after Citrix released a patch for another critical flaw, CVE-2025-5777 (CVSS 9.3), which also enables attackers to take control of NetScaler ADC devices. Organizations are advised to prioritize updates to prevent further compromise.
Source: https://thehackernews.com/2025/06/citrix-releases-emergency-patches-for.html