Citrix fixed three NetScaler ADC and NetScaler Gateway flaws today, including a critical remote code execution flaw tracked as CVE-2025-7775 that was actively exploited in attacks as a zero-day vulnerability.
The CVE-2025-7775 flaw is a memory overflow bug that can lead to unauthenticated, remote code execution on vulnerable devices.
In an advisory released today, Citrix states that this flaw was observed being exploited in attacks on unpatched devices.
“As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the fix as there are no mitigations available to protect against a potential exploit,” reads a blog post about the flaw.
While Citrix has not shared indicators of compromise or any other information that could be used to determine whether devices were exploited, it did share that a device is vulnerable only if it uses one of the following configurations:
- NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
- CR virtual server with type HDX
In an advisory released today, Citrix shared configuration settings that can be checked to determine if your NetScaler device is using one of the above configurations.
BleepingComputer contacted Citrix and Cloud Software Group with questions about the exploitation of CVE-2025-7775 and will update our story if we receive a reply.
In addition to the RCE flaw, today’s update also addresses a memory overflow vulnerability that could lead to denial of service, tracked as CVE-2025-7776, and improper access control on the NetScaler Management Interface, tracked as CVE-2025-8424.
The flaws impact the following versions:
- NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
- NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
- NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
As there are no mitigations, Citrix “strongly recommends” admins install the latest updates as soon as possible.
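As an added example (not from Citrix or the original article), the following sketch triages an appliance inventory against the fixed builds listed above. The `<release>-<build>[-FIPS|-NDcPP]` string format, the function names and the sample hosts are assumptions; adapt the pattern to whatever your inventory export produces.

```python
import re

# Fixed builds as listed in the article, keyed by (release, is_fips_or_ndcpp).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Assumed inventory format, e.g. "14.1-47.46" or "13.1-37.235-FIPS".
VERSION_RE = re.compile(
    r"^\s*(?P<rel>\d+\.\d+)-(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:-(?P<edition>FIPS|NDcPP))?\s*$",
    re.IGNORECASE,
)

def classify(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparsed'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparsed"  # never guess: send to manual review
    # The edition matters: 13.1 and 13.1-FIPS have different fixed builds,
    # so a FIPS appliance recorded without its suffix is compared to the
    # regular 13.1 train and reported as vulnerable.
    key = (m["rel"], m["edition"] is not None)
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "not-listed"  # branch not in the article's list; check the advisory
    build = (int(m["major"]), int(m["minor"]))
    return "vulnerable" if build < fixed else "fixed"

def triage(inventory: dict) -> dict:
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory: hostnames and builds are made up.
SAMPLE_INVENTORY = {
    "gw-edge-01": "14.1-47.46",
    "gw-edge-02": "14.1-47.48",
    "adc-fips-01": "13.1-37.235-FIPS",
    "adc-old-01": "13.0-92.21",
    "adc-lab-01": "NS14.1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:18} {status}")
```

A "fixed" result only reflects the build number; it says nothing about whether the appliance was compromised before it was upgraded.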
Citrix says the flaws were disclosed by Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and François Hämmerli. However, it is unclear who discovered which bug.
In June, Citrix disclosed an out-of-bounds memory read vulnerability tracked as CVE-2025-5777 and dubbed “Citrix Bleed 2,” which allows attackers to access sensitive information stored in memory.
This flaw was actively exploited nearly two weeks before proof-of-concept (PoC) exploits were released in July, despite Citrix stating that there was no evidence of attacks at the time.