Citrix NetScaler ADC and NetScaler Gateway customers have been hit by a new round of zero-day vulnerabilities that require urgent patching, including one the company warned is being actively exploited.
That exploitation alert makes the highest priority flaw, CVE-2025-7775, the one admins will want to start with.
According to Citrix’s advisory, it’s a memory overflow vulnerability that can lead to denial of service or remote code execution (RCE) on NetScaler appliances that meet any of these pre-conditions:
NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or service groups bound with IPv6 servers, and those bound with DBS IPv6 services or service groups bound with IPv6 DBS servers.
NetScaler configured with a CR (Cache redirection) virtual server with type HDX.
The advisory provides command line instructions that customers can follow to determine whether they’re affected by the flaws; Citrix notes in a separate blog analysis that no workarounds or mitigations are possible.
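As an added illustration, not code from Citrix or the advisory, the following Python script applies the Gateway/AAA and CR-HDX pre-conditions above, plus the IPv6-bound LB case for individual services (service groups and DBS servers are left out), to a constructed ns.conf fragment. The `add`/`bind` command syntax it parses is an assumption about the ns.conf format, so validate it against a real config export before relying on it.

```python
from typing import Dict, List

# Constructed ns.conf fragment in assumed NetScaler config syntax; sample data, not from any real appliance.
SAMPLE_NS_CONF = """\
add server web6 2001:db8::10
add server web4 192.0.2.10
add service svc_v6 web6 HTTP 80
add service svc_v4 web4 HTTP 80
add lb vserver lb_v6 HTTP 198.51.100.1 80
add lb vserver lb_v4 SSL 198.51.100.2 443
bind lb vserver lb_v6 svc_v6
bind lb vserver lb_v4 svc_v4
add vpn vserver gw1 SSL 198.51.100.3 443
add cr vserver cr_hdx HDX 198.51.100.4 443
"""

# LB virtual server types named in the advisory's IPv6 pre-condition
LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def find_exposed_vservers(ns_conf: str) -> Dict[str, List[str]]:
    """Map each advisory pre-condition to the virtual servers in ns_conf that satisfy it."""
    server_is_ipv6: Dict[str, bool] = {}   # server name -> address literal contains ':'
    service_server: Dict[str, str] = {}    # service name -> server name
    lb_type: Dict[str, str] = {}           # LB vserver name -> service type
    binds: List[tuple] = []                # (LB vserver name, service name)
    hits: Dict[str, List[str]] = {"gateway_or_aaa": [], "lb_ipv6": [], "cr_hdx": []}
    for raw in ns_conf.splitlines():
        t = raw.split()
        if t[:2] == ["add", "server"] and len(t) >= 4:
            server_is_ipv6[t[2]] = ":" in t[3]
        elif t[:2] == ["add", "service"] and len(t) >= 4:
            service_server[t[2]] = t[3]
        elif t[:3] == ["add", "lb", "vserver"] and len(t) >= 5:
            lb_type[t[3]] = t[4]
        elif t[:3] in (["add", "vpn", "vserver"], ["add", "authentication", "vserver"]) and len(t) >= 4:
            hits["gateway_or_aaa"].append(t[3])
        elif t[:3] == ["add", "cr", "vserver"] and len(t) >= 5 and t[4] == "HDX":
            hits["cr_hdx"].append(t[3])
        elif t[:3] == ["bind", "lb", "vserver"] and len(t) >= 5:
            binds.append((t[3], t[4]))
    # Resolve bindings after the whole file is read so the order of lines does not matter
    for vserver, service in binds:
        if lb_type.get(vserver) in LB_TYPES and server_is_ipv6.get(service_server.get(service, ""), False):
            hits["lb_ipv6"].append(vserver)
    return hits


if __name__ == "__main__":
    for condition, names in find_exposed_vservers(SAMPLE_NS_CONF).items():
        print(f"{condition}: {names or 'none'}")
```

Any non-empty list means the appliance meets at least one of the published pre-conditions for CVE-2025-7775 and should be patched first.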
Frustratingly, Citrix has offered no information on the nature of real-world attacks it has seen or the indicators of compromise (IoCs) that could be used to detect whether exploitation has already occurred. That’s a worry because of the hypothetical possibility that attackers could exploit the RCE to create a backdoor on the appliance that is able to survive subsequent patching.
On August 26, security researcher Kevin Beaumont estimated that 84% of vulnerable NetScaler appliances had not been patched for CVE-2025-7775, so it appears there is a large estate for attackers to aim at.
The other flaws
The other two flaws, CVE-2025-7776 and CVE-2025-8424, are rated ‘high’ rather than ‘critical’ on the CVSS scale, although patching them should still be a top priority.
The first is a memory overflow vulnerability in devices configured as Gateway with a PCoIP Profile bound to it that leads to denial of service, while the second could allow “improper access control on the NetScaler management interface.” Put simply, attackers might be able to exploit the flaw to bypass authentication, taking control of an appliance’s management console when that shouldn’t be possible.
Which appliances are vulnerable?
Models affected by the bugs are:
NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
Citrix bleeding
As NetScaler customers will already be painfully aware, these are not the first serious vulnerabilities to affect the company’s NetScaler ADC and NetScaler Gateway appliances during 2025.
In June, the company patched CVE-2025-5349 and CVE-2025-5777, the latter a flaw in NetScaler ADC and Gateway devices significant enough for researcher Beaumont to give it a nickname, “Citrix Bleed 2”. The US Cybersecurity and Infrastructure Security Agency (CISA) later added this to its database of flaws known to be under active exploitation. (The original ‘Citrix Bleed’ flaw, CVE-2023-4966, affected NetScaler ADC and NetScaler Gateway in 2023.)
Meanwhile, it emerged that a second flaw patched days after that, CVE-2025-6543, might also be under active exploitation. This was confirmed in August by the Dutch National Cyber Security Centre (NCSC-NL) which reported that CVE-2025-6543 had been used to target organizations in the country since at least May.