Detections
Analytics

NetScaler ADC and NetScaler Gateway Memory Overflow (CTX694788)

critical Nessus Plugin ID 240342

Language:

Synopsis

The remote device is affected by a memory overflow vulnerability.

Description

The remote NetScaler ADC (formerly Citrix ADC) or NetScaler Gateway (formerly Citrix Gateway) device is version 14.1 prior to 14.1-47.46, 13.1 prior to 13.1-59.19, or 13.1-FIPS prior to 13.1-37.236-FIPS. It if, therefore, affected by a memory overflow vulnerability:

 - Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. (CVE-2025-6543)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to NetScaler ADC or NetScaler Gateway version 13.1-37.236-FIPS, 13.1-59.19, or 14.1-47.46 or later.

See Also

http://www.nessus.org/u?b3df6540

Plugin Details

Severity: Critical

ID: 240342

File Name: netscaler_adc_gateway_CTX694788.nasl

Version: 1.5

Type: combined

Family: CGI abuses

Published: 6/25/2025

Updated: 7/8/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2025-6543

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 9.2

Threat Vector: CVSS:4.0/E:A

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Vulnerability Information

CPE: cpe:/h:citrix:netscaler_gateway, cpe:/h:citrix:netscaler_application_delivery_controller

Required KB Items: Host/NetScaler/Detected

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/25/2025

Vulnerability Publication Date: 6/25/2025

CISA Known Exploited Vulnerability Due Dates: 7/21/2025

Reference Information

CVE: CVE-2025-6543

IAVA: 2025-A-0443