Hackers have been exploiting a critical-severity vulnerability in NetScaler ADC and NetScaler Gateway, technology giant Citrix warned on Wednesday, when it released patches for the flaw.
Tracked as CVE-2025-6543 (CVSS score of 9.2), the bug is described as a memory overflow issue and affects both supported and discontinued versions of the application delivery and network security platform.
Successful exploitation of the security defect could lead to unintended control flow and denial-of-service (DoS), Citrix notes in its advisory.
The tech giant says only NetScaler deployments configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an authentication, authorization, and accounting (AAA) virtual server are affected.
“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix says, without detailing the observed attacks.
Patches for the zero-day were included in NetScaler ADC and NetScaler Gateway versions 14.1-47.46 and 13.1-59.19, and in NetScaler ADC 13.1-FIPS and 13.1-NDcPP build 13.1-37.236.
Citrix warns that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0, which have been discontinued, are affected as well, urging customers to migrate to a supported, patched iteration.
“Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. Customers need to upgrade these NetScaler instances to the recommended NetScaler builds to address the vulnerabilities,” the company says.
The zero-day came to light one week after Citrix patched another critical-severity NetScaler vulnerability, namely CVE-2025-5777 (CVSS score of 9.3).
Described as an out-of-bounds memory read caused by insufficient input validation, last week’s flaw has been compared to CitrixBleed, a defect that provided access to device memory and session tokens, allowing attackers to bypass multi-factor authentication.
While there have been no reports of CVE-2025-5777’s exploitation, security researcher Kevin Beaumont suggests that attackers may soon target it.
Calling the bug CitrixBleed2, Beaumont urges organizations to immediately identify exposed NetScaler instances, apply the patches, and terminate all active sessions, as per Citrix’s recommendations.
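The first of those steps, working out which appliances still run an unpatched build, is mostly a version-comparison exercise. The script below is an added example and is not code from Citrix or from the article: the fixed builds per release line, the discontinued lines and the affected configurations (Gateway roles and AAA virtual server) are taken from the text above; the inventory record format (`host,version,variant,role`), the hostnames and builds in the sample, and the two version-string shapes that `parse_version()` accepts (advisory-style `14.1-47.46` and an assumed `NS14.1: Build 47.46.nc` banner) are assumptions made for the example.

```python
"""Triage a NetScaler inventory against the CVE-2025-6543 fixed builds.

Added example (not from Citrix or the article). Fixed builds, EOL lines and
affected roles come from the article; the record format and the version
banner shapes are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Lowest fixed build per release line (from the article / Citrix advisory).
FIXED_BUILDS = {
    "14.1": (47, 46),
    "13.1": (59, 19),
    "13.1-FIPS": (37, 236),
    "13.1-NDcPP": (37, 236),
}
# Discontinued lines: affected, with no patch available; migrate instead.
EOL_LINES = {"13.0", "12.1"}
# Configurations the advisory lists as affected (role names are assumed).
AFFECTED_ROLES = {"vpn", "ica_proxy", "cvpn", "rdp_proxy", "aaa"}

# Accepts "14.1-47.46" (advisory style) or "NS14.1: Build 47.46.nc"
# (assumed banner shape); both input shapes are assumptions.
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


@dataclass
class Triage:
    host: str
    line: str
    build: Optional[tuple]
    status: str      # "patched" | "vulnerable" | "eol" | "unknown"
    exposed: bool    # True when the role is one the advisory lists as affected


def parse_version(text: str, variant: str = "standard"):
    """Return (release_line, (major, minor)); FIPS/NDcPP get their own line key."""
    m = VERSION_RE.search(text)
    if not m:
        return None, None
    line, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    v = variant.lower()
    if v in ("fips", "ndcpp"):
        line = f"{line}-{'FIPS' if v == 'fips' else 'NDcPP'}"
    return line, (major, minor)


def assess(host, version_text, variant="standard", role="none"):
    """Classify one appliance; tuple comparison orders builds numerically."""
    line, build = parse_version(version_text, variant)
    exposed = role.lower() in AFFECTED_ROLES
    if line is None:
        return Triage(host, "?", None, "unknown", exposed)
    if line.split("-")[0] in EOL_LINES:
        return Triage(host, line, build, "eol", exposed)
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return Triage(host, line, build, "unknown", exposed)
    status = "patched" if build >= fixed else "vulnerable"
    return Triage(host, line, build, status, exposed)


def triage_inventory(records):
    """records: iterable of 'host,version,variant,role' lines (constructed format)."""
    out = []
    for rec in records:
        rec = rec.strip()
        if not rec or rec.startswith("#"):
            continue
        host, version, variant, role = [f.strip() for f in rec.split(",")]
        out.append(assess(host, version, variant, role))
    return out


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """
# host,version,variant,role
ns-gw-01,14.1-47.45,standard,vpn
ns-gw-02,NS14.1: Build 47.46.nc,standard,vpn
ns-aaa-01,13.1-58.32,standard,aaa
ns-fips-01,13.1-37.235,FIPS,ica_proxy
ns-lb-01,13.1-59.19,standard,lb
ns-old-01,13.0-92.21,standard,cvpn
""".splitlines()

if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        flag = "ACTION" if (t.status != "patched" and t.exposed) else "ok"
        print(f"{t.host:10} {t.line:11} {t.status:10} exposed={t.exposed} {flag}")
```

The `exposed` field mirrors the advisory's scoping: a plain load balancer on an unpatched build is still worth upgrading, but the appliances that need immediate attention are the unpatched ones serving Gateway or AAA roles, and anything on 12.1 or 13.0 has no fixed build to move to. Session termination after patching is a separate step that this script does not perform.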
