CISA Adds Critical Citrix NetScaler Vulnerability to KEV Catalog

On June 30, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-6543, a critical buffer overflow vulnerability in Citrix NetScaler ADC and Gateway, to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild.

🔍 Vulnerability Overview

  • CVE ID: CVE-2025-6543
  • Vulnerability Type: Buffer Overflow
  • Affected Products:
    • NetScaler ADC and Gateway appliances configured as:
      • VPN
      • ICA Proxy
      • Clientless VPN (CVPN)
      • RDP Proxy
      • AAA virtual server
  • Impact:
    Successful exploitation may allow attackers to:
    • Trigger unintended control flow, leading to potential remote code execution (RCE)
    • Cause denial-of-service (DoS) by crashing or destabilizing the system
  • Exploitation Status:
    • Actively exploited in the wild
    • No known workarounds
    • Internet-facing NetScaler deployments are at particular risk, since the vulnerable virtual servers are reachable without prior access

🛡️ Official CISA Action

  • Added to KEV Catalog: June 30, 2025
  • Directive: Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are required to remediate the vulnerability by July 21, 2025.
  • Private Sector Implication: Although BOD 22-01 is limited to federal systems, CISA strongly urges all organizations using NetScaler to immediately patch vulnerable systems.

⚠️ Affected Versions (per Citrix Advisory)

Note: CVE-2025-6543 was disclosed within days of CVE-2025-5777, another critical NetScaler ADC and Gateway issue. Both require immediate attention. The specific affected and fixed builds are listed in the Citrix security bulletin for CVE-2025-6543.

🧩 Technical Context

  • Buffer overflow flaws occur when software writes more data to a memory buffer than it can hold, potentially allowing:
    • Execution of arbitrary code
    • System crashes
    • Bypassing of security mechanisms
  • In this case, crafted input to the affected NetScaler services can be sent remotely by anyone who can reach the virtual server; exposure is defined by the configuration roles listed above (Gateway or AAA virtual server) and network reachability, not by user privileges.

📌 Remediation Steps

  1. Inventory all NetScaler ADC and Gateway deployments.
  2. Check configuration: Identify whether they are acting as VPN/ICA Proxy/AAA/etc.
  3. Review version numbers and immediately upgrade to the fixed builds listed in the Citrix advisory.
  4. Inspect logs for unusual activity or exploit attempts.
  5. Apply network segmentation to isolate exposed services, if patching is delayed.
  6. Continue monitoring CISA’s KEV Catalog for future updates.
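Steps 1 to 3 above reduce to a repeatable check per appliance: read the build from `show ns version`, decide whether any Gateway (VPN) or AAA virtual server is configured, and compare the build against the first fixed build for that release. The following triage helper is an added example, not Citrix's or CISA's code. It parses the text those NetScaler CLI commands print and fails closed for releases that have no fixed build in the supplied table. The sample CLI output, the hostname and the `PLACEHOLDER_FIXED` threshold table are constructed; the real fixed builds must be copied from the Citrix advisory before use.

```python
import re
from dataclasses import dataclass, field

# "NetScaler NS14.1: Build 47.10.nc, Date: ..." -> release "14.1", build (47, 10)
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+):\s*Build\s+(?P<major>\d+)\.(?P<minor>\d+)"
)
# A numbered vserver line from `show vpn vserver` / `show authentication vserver`,
# e.g. "1)  gw_vsvr (203.0.113.10:443) - SSL  Type: CONTENT"
VSERVER_RE = re.compile(r"^\s*\d+\)\s+(?P<name>\S+)\s+\((?P<ip>[^:)]+):(?P<port>\d+)\)")


@dataclass
class Finding:
    host: str
    release: str
    build: tuple
    roles: list = field(default_factory=list)  # "Gateway" and/or "AAA"
    affected: bool = False
    reason: str = ""


def parse_version(show_ns_version: str):
    """Return (release, (major, minor)) from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if m is None:
        raise ValueError("unrecognised 'show ns version' output")
    return m["release"], (int(m["major"]), int(m["minor"]))


def parse_vservers(listing: str):
    """Return [(name, ip, port), ...] for each numbered vserver entry."""
    hits = []
    for line in listing.splitlines():
        m = VSERVER_RE.match(line)
        if m:
            hits.append((m["name"], m["ip"], int(m["port"])))
    return hits


def assess(host, version_text, vpn_listing, aaa_listing, fixed_builds):
    """Decide whether one appliance is in scope and still unpatched.

    fixed_builds maps release -> first fixed (major, minor) build and must be
    filled in from the Citrix advisory. The advisory's roles are all covered
    by a VPN vserver (VPN, ICA Proxy, CVPN and RDP Proxy hang off it) or an
    AAA (authentication) vserver, so those two listings decide the role.
    """
    release, build = parse_version(version_text)
    f = Finding(host, release, build)
    if parse_vservers(vpn_listing):
        f.roles.append("Gateway")
    if parse_vservers(aaa_listing):
        f.roles.append("AAA")
    if not f.roles:
        f.reason = "no Gateway or AAA vserver configured; outside the advisory's scope"
    elif release not in fixed_builds:
        # No fixed build known for this release: fail closed (may be end of life).
        f.affected = True
        f.reason = f"release {release} has no fixed build in the table; treat as affected"
    elif build < fixed_builds[release]:
        f.affected = True
        f.reason = f"build {build} is older than fixed build {fixed_builds[release]}"
    else:
        f.reason = f"build {build} is at or above fixed build {fixed_builds[release]}"
    return f


# --- constructed sample data (not captured from a real appliance) -----------
SAMPLE_VERSION = (
    "        NetScaler NS14.1: Build 47.10.nc, Date: May 1 2025, 10:00:00   (64-bit)\n"
    " Done\n"
)
SAMPLE_VPN = (
    "1)      gw_vsvr (203.0.113.10:443) - SSL        Type: CONTENT\n"
    "        State: UP\n"
    " Done\n"
)
SAMPLE_AAA = " Done\n"  # no authentication vserver configured
# Placeholder thresholds for the demo only; replace with the Citrix advisory's values.
PLACEHOLDER_FIXED = {"14.1": (47, 40), "13.1": (59, 10)}


def demo():
    return assess("ns-edge-01", SAMPLE_VERSION, SAMPLE_VPN, SAMPLE_AAA, PLACEHOLDER_FIXED)


if __name__ == "__main__":
    f = demo()
    print(f"{f.host}: NS{f.release} build {f.build[0]}.{f.build[1]} "
          f"roles={f.roles} affected={f.affected} ({f.reason})")
```

In practice the three strings come from `ssh nsroot@<appliance> 'show ns version; show vpn vserver; show authentication vserver'` or the equivalent NITRO calls; run the check across the inventory from step 1 and treat every `affected=True` result, and every release the table does not know, as a patch-now item.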

🧠 Analyst Notes

  • This vulnerability is especially dangerous for enterprises that expose NetScaler services over the internet.
  • Exploits may be leveraged by APT groups or ransomware actors to gain access to sensitive networks.
  • Because the vulnerable code sits in the Gateway and AAA virtual servers, the components that terminate remote-access sessions and authenticate users, the exposed surface is a privileged one: a foothold there sits upstream of every session and credential the appliance handles.

📅 Important Dates

Event               Date
KEV entry           June 30, 2025
Federal deadline    July 21, 2025
