
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE-2025-5777, which affect NetScaler ADC and NetScaler Gateway when they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization and Auditing (“AAA”) virtual server. Although both vulnerabilities involve the same modules, the exposures differ. CVE-2025-6543 is a memory overflow vulnerability that, if exploited, can result in unintended control flow and Denial of Service. CVE-2025-5777 arises from insufficient input validation that leads to a memory overread.
Some commentators have drawn comparisons between CVE-2025-5777 and CVE-2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related.
The description of the vulnerability on the NIST website for CVE-2025-5777 initially and erroneously identified NetScaler Management Interface as implicated in the vulnerability, but NIST subsequently updated the description to exclude it. The most accurate description of CVE-2025-5777 can be found in the Citrix security bulletin published on June 17, 2025.
Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE-2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details.
Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response.
Recommended Next Steps
For users operating affected NetScaler ADC builds configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, we strongly advise immediate installation of the recommended builds. There are no available mitigations. Furthermore, we acknowledge active exploitation of CVE-2025-6543 and are providing limited technical details, in the form of Indicators of Compromise (IoCs), to assist customers in assessing potential compromise. Currently, there is no evidence of exploitation of CVE-2025-5777.
Indicators of Compromise
While Cloud Software Group does not offer forensic services to customers, we are committed to transparency in responsibly sharing information that can help customers identify any anomalies in their NetScaler products as part of their analysis. Customers with concerns who require access to the Indicators of Compromise (IoCs) known to date are encouraged to contact the Citrix Customer Support team. Please be aware that the information shared will be limited to our analysis of reported cases to date.
NetScaler is part of the Citrix business unit and shares the same licensing and ticketing systems. If you encounter issues when updating your affected builds or need access to IoCs, please contact Citrix Customer Support.
Steps to Take if You Suspect Your NetScaler ADC Has Been Compromised
If you suspect that your NetScaler ADC or NetScaler Gateway has been compromised, follow the steps in our NetScaler recovery article to secure your environment and enable effective investigation.
FAQs
As a NetScaler customer, what should I do now?
Exploits of CVE-2025-6543 on unpatched appliances have been observed. If you are using the affected builds of NetScaler ADC and NetScaler Gateway, we strongly urge you to install the updated builds as soon as possible. Please see the security bulletin for details.
Why did Cloud Software Group not reach out directly to me in advance?
To uphold the highest level of protection for all our valued customers, Cloud Software Group issues security bulletins concurrently to both subscribers and the broader public. This approach aligns with industry best practices, ensuring that all customers have the earliest possible opportunity to implement essential upgrades. Notifications were dispatched to those who had opted to receive security bulletins. To ensure you receive future NetScaler security alerts, please review your support alert settings and update the settings as necessary.
What is the impact of CVE-2025-6543 and CVE-2025-5777?
CVE-2025-6543 is a memory overflow vulnerability leading to unintended control flow and Denial of Service; please refer to the security bulletin for more details. CVE-2025-5777 arises from insufficient input validation leading to a memory overread; please refer to the security bulletin.
Is Cloud Software Group planning to deliver a code fix?
Yes, Cloud Software Group has delivered a code fix. Please refer to the security bulletin for CVE-2025-6543 and the security bulletin for CVE-2025-5777.
Is there a workaround or mitigation that I can use instead of updating?
No workarounds or mitigations are available beyond upgrading to a build that addresses the vulnerability as described in the security bulletin.
How urgent is it for me to fix my deployment?
For customers with affected deployments, immediate installation of the recommended updates is critically important due to the identified severity of this vulnerability and evidence of active exploitation.
Does this vulnerability affect only on-premises deployments, or are cloud services also impacted?
The bulletins only apply to customer-managed NetScaler ADC and NetScaler Gateway appliances. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates.
Can I fix these vulnerabilities using Web Application Firewall signatures?
No, it is not possible to fix the vulnerabilities with Web Application Firewall signatures.
How will I know if my device is already compromised?
Cloud Software Group does not provide forensic analysis to determine whether a system may have been compromised. However, customers who observe anomalies in their system behaviour, including random system crashes, and require access to the Indicators of Compromise (IoCs) known to date are encouraged to contact the Citrix Customer Support team. Please be aware that the information shared will be limited to our analysis of reported cases to date.
What are the CVSS scores for these issues?
The CVSS score of CVE-2025-6543 is 9.2.
The CVSS score of CVE-2025-5777 is 9.3.
Does Cloud Software Group provide forensic analysis?
Cloud Software Group does not provide forensic analysis; however, customers can contact Citrix Customer Support to get access to IoCs.
What additional validation can Cloud Software Group provide to aid in my incident response?
Cloud Software Group has released a feature in NetScaler Console, previously known as Application Delivery Management (ADM), to enable you to perform file integrity monitoring for NetScaler build files. The feature helps you identify if changes or additions have been made to the NetScaler core build files.
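As an added illustration of the kind of check that feature performs (example code written here, not NetScaler Console's implementation; directory and file names are constructed placeholders), the script below records a SHA-256 manifest of a known-good build tree and later reports which files were modified, added or removed:

```python
import hashlib
import tempfile
from pathlib import Path

# Added example, not NetScaler Console code. The baseline manifest must be captured
# from a known-good build and kept off the appliance; a baseline stored on a
# compromised box can be rewritten along with the files it is meant to protect.

def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in 1 MiB chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict[str, str]:
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    base = Path(root)
    return {
        p.relative_to(base).as_posix(): sha256_of(p)
        for p in sorted(base.rglob("*"))
        if p.is_file()
    }

def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified relative to the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a placeholder build tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "example-daemon").write_bytes(b"original binary")  # constructed
        (root / "etc" / "example.conf").write_text("setting=placeholder\n")  # constructed
        baseline = snapshot(d)
        (root / "bin" / "example-daemon").write_bytes(b"tampered binary")  # modified
        (root / "bin" / "helper.so").write_bytes(b"unexpected file")        # added
        (root / "etc" / "example.conf").unlink()                            # removed
        return compare(baseline, snapshot(d))
```

Any non-empty list from compare() on a production build tree is a finding to investigate, not something to re-baseline over.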
How can I get support?
If you encounter any issues during your update, please contact Citrix Customer Support. NetScaler is part of the Citrix business unit and shares the same licensing and ticketing systems.
Where can I learn more about the vulnerabilities?
Please refer to the respective security bulletins for CVE-2025-6543, CVE-2025-5777 and CVE-2025-5349.
How do I stay up to date on the latest security updates?
Sign up for security bulletin notifications.
How do I learn more about reporting any potential security vulnerabilities?
Cloud Software Group welcomes input regarding the security of its products and takes any potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Cloud Software Group, please visit our Trust Center.
Cloud Software Group is committed to incorporating your feedback as we adapt our communication and customer support offerings. To provide feedback, contact us.
Are you able to confirm if there are reports of the CVE-2025-6543, CVE-2025-5349 or CVE-2025-5777 being exploited?
Cloud Software Group has observed a limited number of instances where CVE-2025-6543 has been exploited. We are currently unaware of any evidence of exploitation for CVE-2025-5349 or CVE-2025-5777, and these two CVEs are not linked to CVE-2025-6543.
For remediating CVE-2025-6543 or CVE-2025-5777, should admins export a list of active sessions before killing them to look for suspicious activity?
Killing ICA or PCoIP sessions is not required as part of remediating CVE-2025-6543; upgrading to the builds containing the fix is sufficient. For remediating CVE-2025-5777, execute the kill sessions commands after upgrading to the firmware containing the fix; exporting a list of active sessions is not recommended.
Are CVE-2025-6543 and CVE-2025-5777 related? Are they being chained together?
CVE-2025-6543 and CVE-2025-5777 are not related.
Is CVE-2025-5777 related or similar to CVE-2023-4966?
While there are reports in the media linking CVE-2025-5777 to CVE-2023-4966 and the mitigations are similar, Cloud Software Group has not found evidence to support a connection.
The NIST website shows a change log that removes NetScaler Management Interface from the description of CVE-2025-5777 as a vulnerable component. Why was this done?
The initial description contained an error that was subsequently corrected. The log on NIST’s website reflects this correction.
Is Cloud Software Group going to issue fixes on NetScaler 12.0 and 13.0 builds?
No, we have no current plans to issue fixes for these versions. The 12.0 and 13.0 builds are End of Life, as documented here. Customers who have official extensions for support of 13.0 builds should contact Citrix Customer Support.
Why is the 13.1 FIPS and NDcPP build containing fixes for CVE-2025-6543 not available on the Citrix downloads page?
These builds are required to be shared only with entitled customers and are available through Citrix Customer Support.
Does CVE-2025-6543 constitute a zero-day vulnerability?
Cloud Software Group became aware of limited exploitation activity before the patch was released.
Does CVE-2025-5777 or CVE-2025-5349 constitute a zero-day vulnerability?
No. Patches were available when each of these vulnerabilities was publicly disclosed.
My ADC deployment has a lot of appliances. Is there a way I can streamline the upgrade process?
Yes, using NetScaler Console, which is a single-pane-of-glass management product for NetScaler. You can configure upgrade jobs using NetScaler Console’s easy-to-use workflows. NetScaler Console is available as a cloud service or as an on-prem solution that can be deployed in your network.
Can NetScaler Console indicate if my NetScaler fleet is up to date?
Yes, NetScaler Console has a feature to indicate whether your NetScaler instances are on the latest build. In addition, you can use this feature to monitor the EoL and EoM dates for your NetScaler appliances. You can learn more about the upgrade advisory feature in the NetScaler documentation.
How can I determine if my NetScaler fleet is still vulnerable to any of the vulnerabilities that have been announced now or earlier?
The Security Advisory feature on NetScaler Console enables you to identify the vulnerabilities putting your NetScaler instances at risk and recommends remediations.