
Security Advisory: Citrix Addresses Three NetScaler Vulnerabilities Including Actively Exploited CVE-2025-7775


On August 26, 2025, Citrix released a security bulletin addressing three newly disclosed vulnerabilities in NetScaler ADC and NetScaler Gateway appliances. One of these, CVE-2025-7775, has already been confirmed as actively exploited in the wild as a zero-day vulnerability.

These flaws affect both supported and end-of-life (EOL) versions of NetScaler products and pose significant risk, ranging from remote code execution (RCE) to denial-of-service (DoS) and improper access control on the management interface. Citrix and independent security researchers have urged organizations to apply the fixed builds immediately and to review appliances for signs of compromise, since the RCE flaw was already being exploited before the fix was available.

Vulnerability Details

CVE-2025-7775 – Memory Overflow Vulnerability (RCE/DoS)

Description:
CVE-2025-7775 is a critical memory overflow vulnerability in NetScaler ADC and Gateway. The flaw can be exploited by an unauthenticated attacker to execute arbitrary code remotely or cause a denial-of-service condition.

Impact:

  • Remote Code Execution (RCE)
  • Service disruption via DoS
  • Potential for backdoor deployment and full system compromise (as confirmed by security researchers)

Status:

  • Actively exploited zero-day
  • Added to CISA Known Exploited Vulnerabilities (KEV) catalog

CVE-2025-7776 – Memory Overflow Vulnerability (DoS)

Description:
CVE-2025-7776 is a memory overflow vulnerability affecting NetScaler ADC and Gateway appliances when configured as a Gateway with a bound PCoIP Profile. Exploitation requires authentication.

Impact:

  • An authenticated attacker can trigger a DoS condition
  • Service availability disruption

CVE-2025-8424 – Improper Access Control Vulnerability

Description:
CVE-2025-8424 is an improper access control flaw in NetScaler ADC and Gateway. While no privileges are required, exploitation requires access to specific management interfaces such as NSIP, Cluster Management IP, local GSLB Site IP, or SNIP with Management Access.

Impact:

  • Unauthorized configuration access
  • Potential lateral movement or administrative misuse if exposed to untrusted networks

Preconditions for Exploitation

According to Citrix, an appliance is exposed to CVE-2025-7775 only if it is deployed in one of the following configurations (the preconditions for CVE-2025-7776 and CVE-2025-8424 are the ones noted in their descriptions above):

  • Gateway mode: VPN virtual server, ICA Proxy, CVPN, RDP Proxy, or AAA virtual server
  • Load Balancer mode (13.1, 14.1, 13.1-FIPS, NDcPP):
    • LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups bound with IPv6 servers
    • LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound with DBS IPv6 services or service groups bound with DBS IPv6 servers
  • CR virtual server of type HDX
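The precondition list above is a configuration audit in disguise: every item maps to objects that appear in `show ns runningConfig`. The following is an added example (not Citrix's tooling and not code from the original advisory) that walks a running config and reports each object matching a CVE-2025-7775 precondition. It treats any `add vpn vserver` as Gateway mode, because ICA Proxy, CVPN and RDP Proxy are modes of a VPN virtual server, and any `add authentication vserver` as an AAA virtual server. The sample config is constructed for the example; the `-IPv6Address YES` marker for a domain-based (DBS) IPv6 server and the assumption that `add` lines precede the `bind` lines that reference them are assumptions about the config format. It does not check the CVE-2025-7776 or CVE-2025-8424 preconditions.

```python
import ipaddress

# LB virtual server types named in the Citrix precondition for CVE-2025-7775.
LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}

# Constructed running-config excerpt, not captured from a real appliance.
SAMPLE_CONFIG = """\
set ns config -IPAddress 10.0.0.1 -netmask 255.255.255.0
add server web6 2001:db8::10
add server web4 10.0.1.10
add server api-dbs api.example.test -IPv6Address YES
add service svc_web6 web6 HTTP 80
add service svc_web4 web4 HTTP 80
add service svc_db 2001:db8::db TCP 3306
add serviceGroup sg_api HTTP
bind serviceGroup sg_api api-dbs 443
add lb vserver lb_public SSL 10.0.0.20 443
add lb vserver lb_internal HTTP 10.0.0.21 80
add lb vserver lb_tcp TCP 10.0.0.22 3306
bind lb vserver lb_public svc_web6
bind lb vserver lb_internal svc_web4
bind lb vserver lb_internal sg_api
bind lb vserver lb_tcp svc_db
add cr vserver cr_hdx HDX 10.0.0.30 443
add vpn vserver gw_vs SSL 10.0.0.40 443
"""


def _is_ipv6(addr: str) -> bool:
    """True only for an IPv6 literal; server names and domains return False."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def find_cve_2025_7775_preconditions(running_config: str) -> list:
    """Return one finding string per object that matches a Citrix precondition.

    Assumes `show ns runningConfig` output, where `add` commands precede the
    `bind` commands that reference them.
    """
    servers_v6 = set()    # server names that are IPv6 literals or DBS IPv6 (assumed marker)
    service_server = {}   # service name -> server name or address literal
    sg_has_v6 = {}        # serviceGroup name -> has at least one IPv6 member
    lb_type = {}          # lb vserver name -> service type
    lb_bindings = {}      # lb vserver name -> bound services / serviceGroups
    findings = []

    for raw in running_config.splitlines():
        t = raw.split()
        if len(t) < 4:
            continue
        verb, feature = t[0], t[1]
        if verb == "add":
            if feature in ("vpn", "authentication") and t[2] == "vserver":
                # VPN vserver covers ICA Proxy, CVPN and RDP Proxy; authentication vserver is AAA.
                findings.append(f"Gateway/AAA virtual server: {t[3]}")
            elif feature == "cr" and t[2] == "vserver" and len(t) > 4 and t[4].upper() == "HDX":
                findings.append(f"CR virtual server of type HDX: {t[3]}")
            elif feature == "server":
                # Assumption: `-IPv6Address YES` marks a domain-based (DBS) IPv6 server.
                if _is_ipv6(t[3]) or "-IPv6Address YES" in raw:
                    servers_v6.add(t[2])
            elif feature == "service":
                service_server[t[2]] = t[3]
            elif feature == "serviceGroup":
                sg_has_v6.setdefault(t[2], False)
            elif feature == "lb" and t[2] == "vserver" and len(t) > 4:
                lb_type[t[3]] = t[4].upper()
        elif verb == "bind":
            if feature == "serviceGroup":
                member = t[3]
                if member in servers_v6 or _is_ipv6(member):
                    sg_has_v6[t[2]] = True
            elif feature == "lb" and t[2] == "vserver" and len(t) > 4 and not t[4].startswith("-"):
                lb_bindings.setdefault(t[3], []).append(t[4])  # skip policy bindings

    for vs, bound in lb_bindings.items():
        vtype = lb_type.get(vs)
        if vtype not in LB_TYPES:
            continue  # TCP/UDP LB vservers are not in the precondition
        for b in bound:
            backend = service_server.get(b)
            if backend is not None and (backend in servers_v6 or _is_ipv6(backend)):
                findings.append(f"LB vserver {vs} ({vtype}) bound to IPv6 service {b}")
            elif sg_has_v6.get(b):
                findings.append(f"LB vserver {vs} ({vtype}) bound to serviceGroup {b} with IPv6 member")
    return findings


if __name__ == "__main__":
    for finding in find_cve_2025_7775_preconditions(SAMPLE_CONFIG):
        print("EXPOSED:", finding)
```

On the sample config this reports the HDX CR vserver, the VPN vserver, the SSL LB vserver bound to an IPv6 service and the HTTP LB vserver bound to a service group with a DBS IPv6 member, and correctly ignores the TCP LB vserver even though its backend is IPv6. An empty result means none of the listed preconditions is present, which is a reason to lower priority, not to skip the patch.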

Affected Versions

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
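Deciding whether a given appliance is on a fixed build trips people up because FIPS/NDcPP releases use a different build series from mainline on the same branch (13.1-FIPS is 37.x, mainline 13.1 is 59.x), and the EOL branches have no fixed build at all. The following is an added example (not Citrix's code and not part of the original advisory) that parses the banner line printed by `show ns version` and classifies it against the fixed builds listed above. The sample banners are constructed; the `fips_or_ndcpp` flag is an assumption of this example, since the caller has to know which build family the appliance runs.

```python
import re
from typing import NamedTuple, Optional, Tuple

# First fixed builds from the Citrix bulletin, keyed by
# (release branch, FIPS/NDcPP build?). Builds compare as (major, minor).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True):  (37, 241),
    ("12.1", True):  (55, 330),
}
# Branches Citrix lists as End Of Life: no fixed build exists.
EOL_BRANCHES = {("13.0", False), ("12.1", False)}

# Matches the banner line of `show ns version`, e.g.
#   "NetScaler NS14.1: Build 47.46.nc, Date: Jul 10 2025, 23:13:42   (64-bit)"
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


class Verdict(NamedTuple):
    branch: str
    build: Tuple[int, ...]
    status: str  # "patched" | "vulnerable" | "eol" | "unknown"


def parse_version(banner: str) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Extract (branch, (build_major, build_minor)) from a version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(banner: str, fips_or_ndcpp: bool = False) -> Verdict:
    """Classify an appliance against the fixed builds in the bulletin.

    fips_or_ndcpp (an assumption of this example, supplied by the caller)
    must be set for FIPS/NDcPP builds: comparing a 13.1-FIPS 37.x build
    against the mainline 59.22 fix gives a wrong answer either way.
    """
    parsed = parse_version(banner)
    if parsed is None:
        return Verdict("?", (), "unknown")
    branch, build = parsed
    key = (branch, fips_or_ndcpp)
    if key in EOL_BRANCHES:
        return Verdict(branch, build, "eol")
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return Verdict(branch, build, "unknown")
    return Verdict(branch, build, "vulnerable" if build < fixed else "patched")


if __name__ == "__main__":
    # Constructed banners, not captured from real appliances.
    samples = [
        ("NetScaler NS14.1: Build 47.46.nc, Date: Jul 10 2025, 23:13:42   (64-bit)", False),
        ("NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025, 01:02:03   (64-bit)", False),
        ("NetScaler NS13.1: Build 59.19.nc, Date: Jun 1 2025, 00:00:00   (64-bit)", False),
        ("NetScaler NS13.1: Build 37.241.nc, Date: Aug 20 2025, 00:00:00   (64-bit)", True),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2024, 00:00:00   (64-bit)", False),
    ]
    for banner, fips in samples:
        v = assess(banner, fips)
        label = "-".join([v.branch, ".".join(map(str, v.build))])
        print(f"{label}{' FIPS/NDcPP' if fips else ''}: {v.status}")
```

Treat "eol" the same as "vulnerable" for prioritisation: 12.1 and 13.0 appliances will never reach a fixed build on their current branch. An "unknown" result (unparseable banner, or a branch not in the bulletin) should be resolved by hand rather than assumed safe.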

Mitigation & Recommendations

Citrix recommends upgrading to the following versions to address these vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End Of Life (EOL) and no longer supported, so no fixed build will be released for them. Customers still running these releases should upgrade to one of the supported versions listed above that address the vulnerabilities.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.