Citrix warns of NetScaler vulnerability exploited in DoS attacks

Citrix is warning that a vulnerability in NetScaler appliances tracked as CVE-2025-6543 is being actively exploited in the wild, causing devices to enter a denial of service condition.

“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” warns Citrix’s advisory.

Tracked internally as CTX694788, CVE-2025-6543 is a critical flaw impacting NetScaler ADC and NetScaler Gateway and can be triggered by unauthenticated, remote requests, leading the appliance to go offline.

The flaw impacts NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-47.46, 13.1 before 13.1-59.19, and NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.236-FIPS and NDcPP.

It only affects NetScaler devices configured as a Gateway (VPN virtual server, ICA Proxy, Clientless VPN (CVPN), RDP Proxy) or an AAA virtual server.

Citrix fixed the flaw in NetScaler ADC and Gateway 14.1-47.46, 13.1-59.19, and ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.236 and later releases of 13.1-FIPS and 13.1-NDcPP.

The warning arrives as admins deal with another critical NetScaler flaw dubbed CitrixBleed 2.

That bug, tracked as CVE-2025-5777, allows attackers to hijack user sessions by extracting session tokens from a device’s memory.

A similar Citrix flaw named “CitrixBleed” was previously used by ransomware gangs and in attacks on governments in 2023 to gain widescale access to NetScaler devices and move laterally across corporate environments.

With both flaws being critical bugs, administrators are advised to apply the latest patches from Citrix as soon as possible.

Companies should also monitor their NetScaler instances for unusual user sessions, abnormal behavior, and to review access controls.

BleepingComputer contacted Citrix to learn how CVE-2025-6543 is being exploited in attacks and will update this article if we receive a response.