Citrix Issues Urgent Patches for Actively Exploited Vulnerability CVE-2025-6543 in NetScaler ADC

June 25, 2025
Vulnerability / Network Security

Citrix has launched critical security updates to address a significant vulnerability in NetScaler ADC, which is currently being exploited in the wild. This vulnerability, identified as CVE-2025-6543, has a CVSS score of 9.2 out of 10. It involves a memory overflow issue that could lead to unintended control flow and potential denial-of-service attacks. Successful exploitation requires the appliance to be set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The affected versions include:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0 (vulnerable and end-of-life)
  • NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP

Citrix has indicated that vulnerabilities also impact “Secure Private Access on-prem or Secure Private Access Hybrid” deployments utilizing NetScaler instances.

Citrix Issues Urgent Security Patches for Actively Exploited CVE-2025-6543 in NetScaler ADC

On June 25, 2025, Citrix took decisive action in response to a critical vulnerability identified as CVE-2025-6543 affecting its NetScaler ADC products. This flaw has been reportedly exploited in active cyber attacks, prompting Citrix to roll out emergency security updates. With a CVSS rating of 9.2 out of 10, the vulnerability represents a significant threat, characterized as a memory overflow issue that could lead to unintended control flow and potential denial-of-service incidents.

The exploitation of this vulnerability hinges on specific configurations; it necessitates that the NetScaler appliance is set up as a Gateway, such as a VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or a AAA virtual server. Organizations running affected versions of NetScaler ADC and NetScaler Gateway are particularly at risk. Specifically, versions 14.1 prior to 14.1-47.46, 13.1 prior to 13.1-59.19, and 12.1 and 13.0 (the latter being both vulnerable and no longer supported) are exposed to this threat. Additionally, NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP configurations are also susceptible.

Citrix’s announcement underscored the potential ramifications for organizations utilizing Secure Private Access on-premises or hybrid deployments with NetScaler instances. Given that these systems play crucial roles in virtual networking and secure remote access, the implications for business operations are significant. Organizations are urged to apply these patches promptly to mitigate the risk of exploitation.

From a cybersecurity perspective, understanding the tactics and techniques that could be associated with such an attack is essential for business leaders. According to the MITRE ATT&CK framework, adversaries may utilize tactics such as initial access and privilege escalation through vulnerable configurations. This could enable attackers to gain footholds within an organization’s infrastructure, potentially leveraging these access points to execute further malicious activities.

As this situation develops, it highlights the increasing urgency for businesses to remain vigilant in their cybersecurity practices by regularly updating and patching their systems. The rapid evolution of threats in the digital landscape necessitates a proactive stance on security. As always, in the realm of cybersecurity, preparedness and immediate response can be the difference in mitigating the impact of a breach. Businesses are strongly advised to conduct thorough assessments of their current configurations and ensure that they are protected against this and other emerging threats.

Source link

Related Posts

XDigo Malware Exploits Windows LNK Vulnerability in Eastern European Government Attacks

On June 23, 2025, cybersecurity researchers unveiled XDigo, a Go-based malware utilized in attacks against Eastern European government entities in March 2025. The cyber espionage campaign, known as XDSpy, has been targeting government agencies in Eastern Europe and the Balkans since 2011, with its origins traced back to early documentation by the Belarusian CERT in 2020. Recent years have seen numerous campaigns aimed at organizations in Russia and Moldova, deploying malware families such as UTask, XDDown, and DSDownloader to retrieve sensitive data from compromised systems. HarfangLab reported that the threat actor exploited a remote code execution vulnerability in Microsoft Windows, triggered by specially crafted LNK files, as part of a multi-stage attack approach.

Citrix Bleed 2 Vulnerability Allows Token Theft; SAP GUI Flaws Threaten Sensitive Data Security

June 25, 2025
Data Privacy / Vulnerability

Cybersecurity experts have unveiled two recently patched vulnerabilities in the SAP Graphical User Interface (GUI) for Windows and Java, which could allow attackers to access sensitive information if exploited. The vulnerabilities, identified as CVE-2025-0055 and CVE-2025-0056 (CVSS scores: 6.0), were addressed in SAP’s January 2025 monthly update. According to Pathlock researcher Jonathan Stross, the research revealed that the SAP GUI input history is insecurely stored in both Java and Windows versions. This input history feature is designed to help users quickly access previously entered data, storing it locally on devices. However, this can include sensitive information such as usernames, national IDs, social security numbers (SSNs), bank account numbers, and internal SAP table names. The vulnerabilities highlighted by Pathlock stem from these insecure storage methods.

9% of Microsoft Entra SaaS Apps Still Vulnerable to nOAuth Exploits Two Years Post-Discovery

June 25, 2025
SaaS Security / Vulnerability

Recent findings highlight ongoing risks associated with a known security flaw in Microsoft Entra ID, which may allow malicious actors to execute account takeovers in certain software-as-a-service (SaaS) applications. Identity security firm Semperis analyzed 104 SaaS applications and discovered that nine remain vulnerable to Entra ID cross-tenant nOAuth abuse. Initially revealed by Descope in June 2023, nOAuth pertains to a flaw in the implementation of OpenID Connect (OIDC) by SaaS applications, which is an authentication layer built on OAuth for verifying user identities. This implementation flaw allows attackers to alter the mail attribute in an Entra ID account to that of a target, leveraging the app’s “Log in with Microsoft” feature to hijack the account. The attack is straightforward, exacerbated by Entra ID’s allowance for unverified email addresses, paving the way for user impersonation.

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.