Citrix users hit by actively exploited zero-day vulnerability

The vendor disclosed the critical zero-day in NetScaler ADC and NetScaler Gateway nine days after it warned of a pair of defects in the same products.

Citrix on Wednesday disclosed an actively exploited zero-day vulnerability affecting multiple versions of NetScaler products, an alarming development from a vendor that’s been widely targeted in previous attack sprees.

The zero-day (CVE-2025-6543) was disclosed by Citrix nine days after it issued a security bulletin for a pair of defects (CVE-2025-5777 and CVE-2025-5349) in the same products. All three vulnerabilities affect the company’s networking security appliance NetScaler ADC and its virtual private network NetScaler Gateway. 

“Exploits of CVE-2025-6543 on unmitigated appliances have been observed,” Citrix said in a security bulletin for the zero-day. Citrix did not respond to a request for comment. 

Citrix described the critical zero-day CVE-2025-6543, which has a base score of 9.2 on the CVSS scale, as a memory overflow defect that attackers can exploit for unintended control flow and denial of service. Exploitation can only occur if targeted NetScaler instances are configured as a gateway or an authentication, authorization and accounting (AAA) virtual server, according to Citrix.

Ben Harris, CEO and founder of watchTowr, questioned Citrix’s description of the zero-day, noting that vulnerability metrics associated with the CVSS score point to code execution or similar objectives.

“We believe with high confidence that this isn’t a denial of service as it is being positioned,” Harris told CyberScoop. 

“Vulnerable appliances observed to enter a denial-of-service condition likely reflects failed exploitation, and not the intended attacker outcome given the class of vulnerability being discussed,” he added. 

The timing of Citrix’s disclosure is also creating some skepticism among threat intelligence professionals. The zero-day bulletin arrived on the heels of heightened concerns about CVE-2025-5777, which multiple vulnerability and threat researchers have compared to CVE-2023-4966, a defect in the same products dubbed “CitrixBleed” that was widely exploited in 2023, impacting multiple large enterprises.

Citrix hasn’t detailed any potential connection between the recently disclosed trio of vulnerabilities, nor has the company explained when or under what circumstances it became aware of the zero-day.
