Citrix has rolled out critical security updates to fix three vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Among them, one flaw is already being actively exploited in real-world attacks, according to the company.
Overview of the Vulnerabilities
- CVE-2025-7775 (CVSS: 9.2) – Memory overflow issue that can lead to Remote Code Execution (RCE) or Denial-of-Service (DoS)
- CVE-2025-7776 (CVSS: 8.8) – Memory overflow vulnerability that may trigger unpredictable behavior or DoS
- CVE-2025-8424 (CVSS: 8.7) – Improper access control on the NetScaler Management Interface
Citrix confirmed that CVE-2025-7775 has been exploited on unpatched appliances but did not disclose further technical details.
Exploitation Requirements
Each flaw requires specific configurations for successful exploitation:
- CVE-2025-7775 – Exploitable when NetScaler is set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, and when load balancing (HTTP, SSL, HTTP_QUIC) uses IPv6 or DBS IPv6 servers, or when a CR virtual server with HDX type is configured.
- CVE-2025-7776 – Exploitable if the Gateway is configured with a PCoIP Profile bound to it.
- CVE-2025-8424 – Exploitable with access to NSIP, Cluster Management IP, local GSLB Site IP, or SNIP configured with management access.
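The preconditions above are all visible in the appliance's running configuration, so a defender can triage which of the three CVEs a given NetScaler is exposed to before patching. The following is an added example, not Citrix's code or tooling: it scans ns.conf-style command lines for the features the advisory names. The command syntax it matches (`add vpn vserver`, `add authentication vserver`, `add lb vserver`, `add server`, `add cr vserver ... HDX`, a `bind vpn vserver` line carrying a pcoipVserverProfile, and `add ns ip ... -type SNIP -mgmtAccess ENABLED`) is assumed from the usual NetScaler CLI shape and should be checked against your build; the sample configuration is constructed. Domain-based (DBS) servers that resolve to IPv6 are not detected by the literal-address check.

```python
import re
from typing import Dict, List

# Constructed ns.conf excerpt used as sample input (not taken from a real appliance).
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.5 255.255.255.0 -type SNIP -mgmtAccess ENABLED
add ns ip 10.0.0.6 255.255.255.0 -type SNIP
add server app_v6 2001:db8::50
add vpn vserver vpn_gw SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.12 443
add lb vserver lb_v6 HTTP 2001:db8::10 80
add cr vserver cr_hdx HDX 203.0.113.11 443
add vpn pcoipVserverProfile pcoip_prof
bind vpn vserver vpn_gw -pcoipVserverProfile pcoip_prof
"""

# Assumed command shapes; adjust if your ns.conf differs.
LB_VSERVER = re.compile(r"^add lb vserver (\S+) (HTTP|SSL|HTTP_QUIC) (\S+) \d+")
SERVER = re.compile(r"^add server (\S+) (\S+)")
NS_IP = re.compile(r"^add ns ip (\S+) \S+(.*)$")


def triage(ns_conf: str) -> Dict[str, dict]:
    """Map each CVE named in the advisory to the configured features that make it reachable."""
    gateway_vs: List[str] = []
    aaa_vs: List[str] = []
    ipv6_lb: List[str] = []
    ipv6_servers: List[str] = []
    cr_hdx: List[str] = []
    pcoip_bound: List[str] = []
    mgmt_snips: List[str] = []

    for raw in ns_conf.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("add vpn vserver ") and len(parts) > 3:
            gateway_vs.append(parts[3])                       # Gateway virtual server
        elif line.startswith("add authentication vserver ") and len(parts) > 3:
            aaa_vs.append(parts[3])                           # AAA virtual server
        elif (m := LB_VSERVER.match(line)) and ":" in m.group(3):
            ipv6_lb.append(m.group(1))                        # LB vserver on an IPv6 VIP
        elif (m := SERVER.match(line)) and ":" in m.group(2):
            ipv6_servers.append(m.group(1))                   # backend server with IPv6 literal
        elif line.startswith("add cr vserver ") and len(parts) > 4 and parts[4] == "HDX":
            cr_hdx.append(parts[3])                           # CR vserver of type HDX
        elif line.startswith("bind vpn vserver ") and "pcoipVserverProfile" in line and len(parts) > 3:
            pcoip_bound.append(parts[3])                      # Gateway with a PCoIP profile bound
        elif (m := NS_IP.match(line)) and "-type SNIP" in m.group(2) and "-mgmtAccess ENABLED" in m.group(2):
            mgmt_snips.append(m.group(1))                     # SNIP that also exposes management

    return {
        "CVE-2025-7775": {
            "applies": bool(gateway_vs or aaa_vs or ipv6_lb or ipv6_servers or cr_hdx),
            "gateway_vservers": gateway_vs,
            "aaa_vservers": aaa_vs,
            "ipv6_lb_vservers": ipv6_lb,
            "ipv6_servers": ipv6_servers,
            "cr_hdx_vservers": cr_hdx,
        },
        "CVE-2025-7776": {
            "applies": bool(pcoip_bound),
            "pcoip_bound_vservers": pcoip_bound,
        },
        "CVE-2025-8424": {
            # The NSIP is always a management address, so this flaw applies to every
            # appliance; the list only shows extra SNIPs that widen where management is reachable.
            "applies": True,
            "mgmt_access_snips": mgmt_snips,
        },
    }


if __name__ == "__main__":
    for cve, finding in triage(SAMPLE_NS_CONF).items():
        print(cve, finding)
```

Run it against a copy of `/nsconfig/ns.conf` (or the output of `show running`) to produce a per-CVE list of the objects that meet the advisory's preconditions; an empty list for CVE-2025-7775 and CVE-2025-7776 lowers urgency, but patching is still the only fix the vendor offers.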
Fixed Versions and Patch Availability
There are no temporary workarounds, but Citrix has resolved the flaws in the following versions:
- NetScaler ADC and Gateway 14.1-47.48 and newer
- NetScaler ADC and Gateway 13.1-59.22 and newer
- NetScaler ADC 13.1-FIPS / 13.1-NDcPP – version 13.1-37.241 and newer
- NetScaler ADC 12.1-FIPS / 12.1-NDcPP – version 12.1-55.330 and newer
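Because the fixed build differs per release branch and the FIPS/NDcPP lines carry lower build numbers than the standard 13.1 line, a naive string comparison gets this wrong. The following added example (not Citrix's code) compares a NetScaler version against the fixed builds listed above. It assumes the `major.minor-build.subbuild` version format and, for `parse_show_version`, the `NetScaler NS<branch>: Build <build>.<sub>.nc` shape of `show ns version` output; both are assumptions to verify on your appliance. The variant (FIPS or NDcPP) must be supplied by the caller, since the version string alone does not reveal it.

```python
import re
from typing import Optional, Tuple

# Minimum fixed builds per (branch, variant) as listed in the advisory summary above.
# Variant "" is the standard release line; FIPS and NDcPP share a fixed build.
FIXED_BUILDS = {
    ("14.1", ""): (47, 48),
    ("13.1", ""): (59, 22),
    ("13.1", "FIPS"): (37, 241),
    ("13.1", "NDCPP"): (37, 241),
    ("12.1", "FIPS"): (55, 330),
    ("12.1", "NDCPP"): (55, 330),
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
# Assumed shape of `show ns version` output, e.g. "NetScaler NS14.1: Build 47.48.nc, Date: ..."
SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[str, Tuple[int, int]]:
    """Split '14.1-47.48' into branch '14.1' and an integer build tuple (47, 48)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def parse_show_version(output: str) -> str:
    """Turn `show ns version` output into the 'branch-build.sub' form used by the advisory."""
    m = SHOW_VERSION_RE.search(output)
    if not m:
        raise ValueError("could not find a NetScaler version in the supplied output")
    return f"{m.group(1)}-{m.group(2)}.{m.group(3)}"


def is_patched(version: str, variant: str = "") -> Optional[bool]:
    """True if at or above the fixed build, False if below, None if the advisory lists
    no fixed build for this branch/variant (treat as unpatched and escalate)."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get((branch, variant.upper()))
    if fixed is None:
        return None
    # Tuple comparison is numeric, so build 47.48 correctly ranks above 47.5.
    return build >= fixed


if __name__ == "__main__":
    for v, variant in [("14.1-47.46", ""), ("14.1-47.48", ""), ("13.1-37.241", "FIPS"), ("13.0-92.21", "")]:
        print(v, variant or "standard", "->", is_patched(v, variant))
```

A return of `None` means the page gives no fixed build for that branch (for example standard 12.1 or 13.0), which should be treated as exposed rather than as safe.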
The vulnerabilities were credited to Jimi Sebree (Horizon3.ai), Jonathan Hetzer (Schramm & Partner), and François Hämmerli.
Growing Threat Landscape
CVE-2025-7775 adds to a series of high-profile Citrix flaws weaponized recently, following CVE-2025-5777 (Citrix Bleed 2) and CVE-2025-6543.
Just a day earlier, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Citrix Session Recording flaws (CVE-2024-8068 and CVE-2024-8069) to its Known Exploited Vulnerabilities (KEV) catalog.
CISA Adds CVE-2025-7775 to KEV
On August 26, 2025, CISA officially included CVE-2025-7775 in the KEV catalog. Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the patch within 48 hours (by August 28).
“Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or Denial-of-Service.”