CISA Issues Warning on Citrix NetScaler Zero-Day RCE Exploit

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an urgent advisory about a newly discovered zero-day flaw in Citrix NetScaler appliances. The issue, tracked as CVE-2025-7775, is a memory overflow vulnerability that enables remote code execution (RCE). Reports confirm that threat actors are already exploiting this weakness, which led to its immediate addition to the Known Exploited Vulnerabilities (KEV) Catalog on August 26, 2025.

Key Highlights

  1. Active exploitation of Citrix NetScaler zero-day vulnerability, added to CISA’s KEV list.
  2. Allows attackers to execute code remotely without authentication.
  3. Urgent patching required: apply Citrix firmware updates right away.

Understanding the Memory Overflow Flaw (CVE-2025-7775)

The vulnerability impacts Citrix NetScaler ADC, Gateway, and SD-WAN WANOP systems. Classified as a buffer overflow condition, it occurs when data written into memory exceeds allocated space. Attackers exploit this by sending crafted HTTP requests with oversized payloads, which trigger memory corruption and ultimately allow execution of arbitrary code.

Because NetScaler appliances sit at the core of enterprise networks, this weakness represents a serious entry point for adversaries. Exploitation can be carried out remotely, without authentication, making it a critical risk.

Technical Breakdown

  • Affected Products: Citrix NetScaler ADC, Gateway, SD-WAN WANOP (all unpatched firmware versions)
  • Impact: Remote Code Execution (RCE)
  • Attack Requirements: Network access to NetScaler interface, ability to send malicious HTTP requests, vulnerable firmware version
  • CVSS Score: 9.8 Critical

This flaw specifically targets the packet processing engine, letting attackers bypass security mechanisms and gain elevated privileges, including administrative control of the device.

Remediation and Mitigation Steps

CISA has directed all Federal Civilian Executive Branch (FCEB) agencies under BOD 22-01 to patch immediately. The directive enforces strict timelines due to the confirmed active exploitation and the vulnerability’s critical classification.

Recommended Actions:

  • Patch Immediately: Citrix has released firmware updates that fix the flaw using improved bounds checking and input validation.
  • Apply Network Segmentation & ACLs: Reduce exposure while patches are applied.
  • Use Web Application Firewall (WAF) Rules: Detect and block suspicious requests attempting exploitation.
  • Update via nsconfig CLI: Administrators should upgrade to the latest NetScaler firmware release as a top priority.
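The overflow mechanism described in the "Understanding the Memory Overflow Flaw" section and the bounds checking and input validation that the "Patch Immediately" item credits to Citrix's fix, shown as a generic illustration in C. This is an added example, not NetScaler code and not Citrix's patch: the buffer size, function names and limits are assumptions, and the unchecked copy is included only to contrast with the validated version.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration only; NetScaler's real limits are not
 * published on the advisory page. */
#define VALUE_MAX 32          /* fixed-size buffer for one header value */
#define BODY_MAX  65536       /* largest request body we are willing to accept */

/* Unsafe pattern: copies an attacker-controlled value into a fixed buffer
 * without comparing lengths. A value of VALUE_MAX bytes or more overruns
 * 'dest', which is the "data written into memory exceeds allocated space"
 * condition the advisory describes. Kept only as the 'before' picture. */
void copy_header_unchecked(char dest[VALUE_MAX], const char *value)
{
    strcpy(dest, value);      /* no bounds check */
}

/* Hardened pattern: find the terminator without scanning past the buffer
 * limit, and refuse anything that does not fit rather than truncating it.
 * Returns true when the value was copied, false when it was rejected. */
bool copy_header_checked(char dest[VALUE_MAX], const char *value)
{
    const char *nul = memchr(value, '\0', VALUE_MAX);
    if (nul == NULL) {        /* no terminator within VALUE_MAX: oversized */
        dest[0] = '\0';
        return false;
    }
    memcpy(dest, value, (size_t)(nul - value) + 1);   /* fits, incl. NUL */
    return true;
}

/* Input validation for a declared length: accept only plain decimal digits
 * and reject values above body_max before any allocation happens. The
 * comparison is arranged so the running total can never overflow. */
bool parse_content_length(const char *s, size_t body_max, size_t *out)
{
    if (s == NULL || *s == '\0') return false;
    size_t n = 0;
    for (; *s; s++) {
        if (*s < '0' || *s > '9') return false;        /* non-digit */
        size_t d = (size_t)(*s - '0');
        if (d > body_max || n > (body_max - d) / 10)   /* n*10+d > body_max */
            return false;
        n = n * 10 + d;
    }
    *out = n;
    return true;
}

/* Convenience wrappers so results can be checked without a caller-owned
 * buffer: 1 if the value was accepted and copied intact, else 0. */
int accept_header_value(const char *value)
{
    char buf[VALUE_MAX];
    if (!copy_header_checked(buf, value)) return 0;
    return strcmp(buf, value) == 0;
}

/* Returns the validated length, or -1 when the declaration is rejected. */
long checked_content_length(const char *s)
{
    size_t n;
    return parse_content_length(s, BODY_MAX, &n) ? (long)n : -1;
}

int main(void)
{
    /* Constructed sample inputs: one well-formed value and one oversized. */
    const char *ok  = "text/html";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes */
    printf("%-12s accepted=%d\n", "short value", accept_header_value(ok));
    printf("%-12s accepted=%d\n", "40-byte value", accept_header_value(big));
    printf("Content-Length 1024  -> %ld\n", checked_content_length("1024"));
    printf("Content-Length 70000 -> %ld\n", checked_content_length("70000"));
    printf("Content-Length 12a   -> %ld\n", checked_content_length("12a"));
    return 0;
}
```

The point of the checked version is that the decision is made before any write: the length is established against the buffer's real size, and the declared body length is bounded before it is trusted, which is the "improved bounds checking and input validation" the advisory attributes to the fix.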

The inclusion of CVE-2025-7775 in CISA’s KEV catalog underscores the severity of this vulnerability and the urgency of response required to protect enterprise infrastructure from compromise.