CVE-2025-6543 affecting Citrix Netscaler products

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

11:30am, 27 June 2025

TLP Rating: Clear

CVE-2025-6543 affecting Citrix Netscaler products

CVE-2025-6543 (CVSS 9.2): A memory overflow defect that attackers could exploit for unintended control flow and denial of service. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

The NCSC is aware of open-source reporting of active exploitation of this vulnerability.

What's happening

Systems affected

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
  • NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 (end-of-life) 
      
    Note: These are different versions to those previously listed in our advisory on CVE-2025-5777 and CVE-2025-5349.

What this means

Organisations who utilise affected NetScaler ADC and NetScaler Gateway versions could be vulnerable to the listed vulnerability.

What to look for

How to tell if you're at risk

If you are running a NetScaler ADC and NetScaler Gateway instance within the listed versions.

What to do

Prevention

Update to the latest version of NetScaler ADC and NetScaler Gateway.

More information

Vendor Advisory

CITRIX | Support External Link

If you require more information or further support, submit a report on our website.

Report an incident to CERT NZ External Link

For media enquiries, email our media desk at media@ncsc.govt.nz.