- Posted June 27, 2025
The NCSC would like to draw your attention to another critical vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway Products. The NCSC is aware of open-source reporting of active exploitation of this vulnerability.
CVE-2025-6543 (CVSS 9.2): A memory overflow defect that attackers could exploit for unintended control flow and denial of service. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
The following supported versions of NetScaler ADC and NetScaler Gateway are affected by this vulnerability:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
- NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 (end-of-life)
Note: These are different versions to those previously listed in our advisory on CVE-2025-5777 and CVE-2025-5349.
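The version list above can be turned into an inventory check. The following is an added example, not part of the NCSC or vendor advisory: it classifies build strings against the fixed builds listed above and sorts findings so that appliances configured as Gateway or AAA virtual server come first. The `release-major.minor` build string format, the `edition` and `gateway_or_aaa` fields, and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds from the advisory's list; "fips" covers 13.1-FIPS and NDcPP.
FIXED = {
    ("14.1", "standard"): (47, 46),
    ("13.1", "standard"): (59, 19),
    ("13.1", "fips"): (37, 236),
}
EOL = {"12.1", "13.0"}  # listed as affected, end-of-life
BUILD_RE = re.compile(r"^\s*(\d+\.\d+)-(\d+)\.(\d+)\s*$")


def assess(build, edition="standard"):
    """Classify a build string such as '14.1-43.56' (format assumed)."""
    m = BUILD_RE.match(build)
    if not m:
        return "unknown"
    release = m.group(1)
    if release in EOL:
        return "affected-eol"
    fixed = FIXED.get((release, edition))
    if fixed is None:
        return "unknown"
    # Compare as integers: as text, "59.9" would sort after "59.19".
    current = (int(m.group(2)), int(m.group(3)))
    return "affected" if current < fixed else "fixed"


def triage(inventory):
    """Return (host, status, gateway_or_aaa) for every build not known fixed,
    Gateway/AAA configurations first."""
    findings = []
    for item in inventory:
        status = assess(item["build"], item.get("edition", "standard"))
        if status != "fixed":
            findings.append((item["host"], status, item["gateway_or_aaa"]))
    return sorted(findings, key=lambda f: (not f[2], f[0]))


# Constructed inventory: hostnames and builds are made up for illustration.
SAMPLE = [
    {"host": "adc-a.example.internal", "build": "14.1-47.46", "gateway_or_aaa": True},
    {"host": "adc-b.example.internal", "build": "13.1-59.9", "gateway_or_aaa": True},
    {"host": "adc-c.example.internal", "build": "13.1-37.235", "edition": "fips", "gateway_or_aaa": False},
    {"host": "adc-d.example.internal", "build": "13.0-92.31", "gateway_or_aaa": True},
]

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE):
        print(f"{host}: {status} (Gateway/AAA configured: {exposed})")
```

Builds that do not parse, or that belong to a release not in the list, are reported as `unknown` rather than assumed safe.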
The NCSC encourages organisations in New Zealand that use the affected products to review the vendor advisory and apply the remediations as soon as possible.