Cybersecurity Threat Advisory: Critical NetScaler Gateway vulnerability

A threat campaign is actively exploiting a critical vulnerability, CVE-2025-6543, in Citrix NetScaler ADC and Gateway appliances configured as a Gateway or AAA virtual server. Review this Cybersecurity Threat Advisory for detailed guidance and recommended actions to mitigate your risk.

What is the threat?

This memory overflow vulnerability has been actively exploited since May 2025, enabling attackers to gain persistent remote control over affected devices. Threat actors are deploying malicious web shells to execute commands, intercept data, manipulate systems, and erase evidence to evade detection. CVE-2025-6543 was exploited as a zero-day, with persistent web shells implanted without triggering immediate alerts. Organizations using unpatched NetScaler appliances face significant risk, as exploitation can disrupt operations, compromise sensitive traffic, and enable long-term intrusion into critical infrastructure.

Why is it noteworthy?

Organizations and critical infrastructure operators deploy Citrix NetScaler ADC and Gateway appliances to enable secure remote access. Citrix has confirmed that some affected versions, 12.1 and 13.0, are end-of-life and will not receive security updates. This targeted campaign could have widespread impact across enterprises, government networks, and critical infrastructure.

What is the exposure or risk?

Since the vulnerability affects devices running unsupported versions like 12.1 and 13.0, organizations that continue to use these versions remain permanently exposed. Unpatched or end-of-life deployments face a heightened risk of compromise, persistent intrusion, and potential disruption of critical services.

What are the recommendations?

Barracuda recommends the following to mitigate risk:

  • Upgrade impacted appliances to 14.1-47.46 or later, 13.1-59.19 or later, or 13.1-37.236-FIPS/NDcPP.
  • Terminate active sessions post-patching using Citrix-recommended commands (e.g., kill aaa session -all, kill rdp connection -all, clear lb persistentSessions) to remove any potential attacker persistence. Search for indicators of compromise (IoCs) such as unexpected .php files in system directories, unauthorized configuration changes, or unknown administrator accounts.
  • Review and restrict administrative access to trusted networks and enforce strong, unique credentials for all management accounts.
  • Establish an incident response plan for NetScaler-related threats, including immediate isolation of compromised appliances, forensic log collection, and verification of firmware and configuration integrity.
  • Train operational and security staff on detection methods, patching procedures, and emergency response actions specific to this vulnerability.
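As an added example, not part of Barracuda's advisory or Citrix tooling: a small Python helper that checks a NetScaler version string against the fixed and end-of-life branches listed above and inventories .php files against a known-good baseline, the IoC hunt the recommendations describe. The version-string format and the sample directory tree are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Minimum fixed builds named in the advisory, keyed by (branch, FIPS/NDcPP line).
FIXED_BUILDS = {
    ("14.1", False): (47, 46),   # 14.1-47.46 or later
    ("13.1", False): (59, 19),   # 13.1-59.19 or later
    ("13.1", True): (37, 236),   # 13.1-37.236-FIPS/NDcPP; at or above treated as fixed
}
END_OF_LIFE = {"12.1", "13.0"}  # no fix will ship for these branches

# Assumed input form for this example: '<branch>-<build>.<rev>' plus an optional
# '-FIPS' or '-NDcPP' suffix, e.g. '13.1-58.32' or '13.1-37.200-FIPS'.
VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)\.(?P<rev>\d+)(?P<suffix>-(?:FIPS|NDcPP))?$"
)

def patch_status(version):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown' for a version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    branch = m.group("branch")
    if branch in END_OF_LIFE:
        return "end-of-life"
    key = (branch, m.group("suffix") is not None)
    if key not in FIXED_BUILDS:
        return "unknown"  # branch not covered by the advisory's fix list
    build = (int(m.group("build")), int(m.group("rev")))
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"

def unexpected_php_files(root, baseline):
    """Return .php files under root (relative paths) absent from a known-good baseline.
    Anything listed is a candidate web shell: preserve it for forensics, do not just delete."""
    root, baseline = Path(root), set(baseline)
    found = (p.relative_to(root).as_posix() for p in root.rglob("*.php"))
    return sorted(f for f in found if f not in baseline)

def build_sample_tree():
    """Create a constructed directory tree (not a real appliance layout) for a demo run."""
    root = Path(tempfile.mkdtemp())
    (root / "www").mkdir()
    for name in ("www/index.php", "www/logon.php", "www/unknown.php", "www/style.css"):
        (root / name).write_text("")
    return str(root)

if __name__ == "__main__":
    for v in ("13.1-58.32", "13.1-59.19", "13.1-37.236-FIPS", "13.0-92.21"):
        print(v, "->", patch_status(v))
    print(unexpected_php_files(build_sample_tree(), {"www/index.php", "www/logon.php"}))
```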


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
