    New Citrix NetScaler Zero-Day Vulnerability Exploited in the Wild | Blog

    By admin | April 10, 2026 | 3 Mins Read



    • Citrix disclosed three new vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway
    • The highest-severity vulnerability, CVE-2025-7775, has been exploited in the wild
    • The disclosure also includes a new vulnerability in the NetScaler management interface, which should not be exposed to the internet and should be prioritized alongside the more severe issues

    On August 26, 2025, Cloud Software Group disclosed three new vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. The most severe of these, CVE-2025-7775, has been exploited in the wild.

    • CVE-2025-7775 (CVSS v4: 9.2): A memory overflow vulnerability that allows for remote code execution and/or denial of service in various NetScaler configurations
    • CVE-2025-7776 (CVSS v4: 8.8): A memory overflow vulnerability leading to unpredictable or erroneous behavior and denial of service in NetScalers configured as Gateways with PCoIP Profiles bound to them
    • CVE-2025-8424 (CVSS v4: 8.7): An improper access control vulnerability in the NetScaler Management Interface; requires access to NSIP, Cluster Management IP, or local GSLB Site IP or SNIP with Management Access

    Roughly 14,300 Citrix NetScaler instances were exposed to the public internet at time of disclosure (August 26). CVE-2025-7775 has been added to the VulnCheck KEV list.

    Memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 can be tricky to exploit and on the whole tend to be used by state-sponsored or other skilled adversaries in targeted attacks rather than leveraged by commodity attackers broadly. Another recent Citrix NetScaler vulnerability VulnCheck research has tracked, CVE-2025-6543, has a description almost identical to CVE-2025-7775 (though CVE-2025-6543 has a narrower range of vulnerable configurations) and has yet to see exploitation at scale despite being on VulnCheck KEV since June 25.

    While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns. It’s likely that future exploit chains targeting these vulnerabilities may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424, with management interface compromise as the goal. Vulnerability response prioritization should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone.

    The Netherlands’ National Cyber Security Centre (NCSC) has a public advisory dated mid-August stating that NetScaler exploits had been used in “a sophisticated attack that successfully targeted several Dutch organizations.” Webshells were deployed on compromised devices; NCSC noted that compromised NetScalers were vulnerable to several known issues — namely, CVE-2025-6543, CVE-2025-5777, and CVE-2025-5349, the first two of which were exploited as zero-days. NCSC didn’t attribute the attacks to a specific adversary; they later released scripts to aid in threat hunting and compromise identification.

    Organizations that use Citrix NetScaler should apply patches urgently and ensure the management interface is not exposed to the internet. Fixed versions are below, as indicated in the vendor advisory:

    • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
    • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
    • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
    • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
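
A patch-level triage over the fixed builds listed above, as an added example (not code from VulnCheck or the vendor). It assumes inventory versions are recorded in the same `train-build` form the list uses and that the inventory says whether a device runs a FIPS/NDcPP build; host names, sample versions and the edition labels are constructed for illustration.

```python
# Fixed builds copied from the list above, keyed by (release train, edition).
# "standard" and "fips-ndcpp" are labels chosen for this example.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips-ndcpp"): (37, 241),
    ("12.1", "fips-ndcpp"): (55, 330),
}


def parse_version(version):
    """Split '13.1-59.22' into ('13.1', (59, 22)); reject anything else."""
    train, sep, build = version.strip().partition("-")
    parts = build.split(".")
    if not sep or len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return train, (int(parts[0]), int(parts[1]))


def patch_status(version, edition="standard"):
    """Return 'fixed', 'needs-update', or 'unlisted' for one device."""
    train, build = parse_version(version)
    fixed = FIXED_BUILDS.get((train, edition))
    if fixed is None:
        # The list gives no fixed build for this train/edition, so make no
        # claim either way; check the vendor advisory for that release.
        return "unlisted"
    # Compare builds as integer tuples: 59.3 is older than 59.22, which a
    # string or float comparison would get wrong.
    return "fixed" if build >= fixed else "needs-update"


# Constructed inventory: (host, version, edition)
INVENTORY = [
    ("gw-01", "14.1-47.48", "standard"),
    ("gw-02", "13.1-59.3", "standard"),
    ("adc-fips-01", "13.1-37.250", "fips-ndcpp"),  # fixed, though 37 < 59
    ("adc-fips-02", "12.1-55.329", "fips-ndcpp"),
    ("adc-old", "13.0-92.21", "standard"),
]


def triage(inventory):
    return {host: patch_status(ver, ed) for host, ver, ed in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```
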

    Patching vulnerable software alone does not remediate compromises or eject threat actors from systems they have infiltrated.

    The VulnCheck research team is always on the lookout for new vulnerabilities to analyze and abuse. For more research like this, see Command Injection in Jenkins via Git Parameter (CVE-2025-53652), Still Up, Still Evil: A Look at Attacker Infrastructure Longevity, and our 1H 2025 State of Exploitation report.

    Sign up for the VulnCheck community today to get free access to our VulnCheck KEV, enjoy our comprehensive vulnerability data, and request a trial of our Initial Access Intelligence, IP Intelligence, and Exploit & Vulnerability Intelligence products.


