NetScaler ADC/Gateway zero-day exploited by attackers (CVE-2025-7775) – updated!

Three new vulnerabilities affecting (Citrix) NetScaler application delivery controller (ADC) and Gateway devices have been made public, one of which (CVE-2025-7775) has been targeted in zero-day attacks.

“Exploits of CVE-2025-7775 on unmitigated appliances have been observed,” Citrix has confirmed. The company has released security updates that fix the flaws.

The vulnerabilities

The three fixed vulnerabilities are:

  • CVE-2025-7775: A memory overflow vulnerability leading to pre-auth remote code execution (RCE) and/or denial of service (DoS)
  • CVE-2025-7776: A memory overflow vulnerability leading to unpredictable or erroneous behavior and DoS
  • CVE-2025-8424: A vulnerability stemming from improper access control on the NetScaler management interface

All three vulnerabilities are exploitable, but only on devices that are configured to provide certain functions (for specifics, consult the advisory).

The vulnerabilities affect:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP

What to do?

Citrix says that Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities, and those have to be upgraded as well.

Fixed versions for the aforementioned branches have been provided. Users of NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0, which are no longer supported, are advised to upgrade to the latest available version in one of the still supported branches.
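
For triaging an appliance inventory against the fixed builds listed above, here is an added example (not code from Citrix or from this article). The hostnames, sample version strings and the accepted "NS13.1: Build 58.32.nc" banner layout are assumptions, and the check looks at build numbers only, not at whether the affected functions are configured.

```python
import re

# First fixed build per branch, taken from the list in this article.
# Key: (release branch, FIPS/NDcPP build?) -> (major build, minor build)
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Non-FIPS branches the article names as no longer supported.
EOL = {"12.1", "13.0"}

# Accepts "14.1-43.56" or "NS13.1: Build 58.32.nc" (assumed banner layout).
_VERSION_RE = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)


def assess(version: str, fips: bool = False) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one appliance.

    Pass fips=True for FIPS/NDcPP builds: their build numbers are lower than
    the regular 13.1 fix and would otherwise be compared to the wrong branch.
    """
    m = _VERSION_RE.search(version)
    if not m:
        return "unknown"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, fips))
    if fixed is None:
        # Unsupported branches receive no fix; anything else is off the list.
        return "eol" if branch in EOL and not fips else "unknown"
    # Numeric tuple comparison: 47.9 < 47.48, which a string compare gets wrong.
    return "patched" if build >= fixed else "vulnerable"


# Constructed inventory: (hostname, version string, FIPS/NDcPP build?)
INVENTORY = [
    ("gw-01", "14.1-47.48", False),
    ("gw-02", "14.1-47.9", False),
    ("adc-03", "NS13.1: Build 58.32.nc", False),
    ("adc-04", "13.1-37.241", True),
    ("adc-05", "13.0-92.31", False),
]


def report(inventory):
    """Map each hostname to its status."""
    return {host: assess(ver, fips) for host, ver, fips in inventory}
```

Appliances reported as "eol" need a move to a supported branch, and given the reported webshell activity, a "patched" result says nothing about whether the device was compromised before the upgrade.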

There are no workarounds or mitigating factors, the company noted.

Security researcher Kevin Beaumont has stated that CVE-2025-7775 is being used by attackers to deliver webshells that will provide them with a backdoor into the targeted organizations.

“Orgs will need to do [incident response] afterwards as technical details emerge of [the] backdoor,” he noted.

Citrix/NetScaler has had a bad run with exploited NetScaler ADC and Gateway zero-days this year: both CVE‑2025‑6543 and CVE‑2025‑5777 (aka CitrixBleed 2) were exploited for months before getting patched.

UPDATE (August 27, 2025, 05:10 a.m. ET):

CISA has added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog and ordered US federal civilian agencies to patch the flaw by August 28 (Thursday).

Kevin Beaumont noted on Tuesday that the great majority of internet-facing NetScaler devices are still unpatched.

Caitlin Condon, VulnCheck’s VP of Research, shared that some 14,300 Citrix NetScaler instances were exposed to the public internet at the time of disclosure of the vulnerabilities.

“Memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 can be tricky to exploit and on the whole tend to be used by state-sponsored or other skilled adversaries in targeted attacks rather than leveraged by commodity attackers broadly,” she also pointed out.

“While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns. It’s likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. Vulnerability response prioritization should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone.”
