Vulnerabilities and Exploits

CVE-2025-7775: Critical NetScaler vulnerability exploited in-the-wild

Last updated on Aug 27, 2025

Overview

On August 26, 2025, Citrix published a security bulletin for three new vulnerabilities affecting NetScaler ADC and NetScaler Gateway. Of the three vulnerabilities disclosed, the vendor has indicated that CVE-2025-7775 has been exploited in-the-wild by an as-yet unknown threat actor. As exploitation was observed by the vendor at the time of the vendor disclosure, we know that CVE-2025-7775 has been exploited as a zero-day vulnerability.

While there is no known public exploit code for CVE-2025-7775 available yet, broad exploitation of CVE-2025-7775 is likely to occur once exploit code does become public. Therefore, it is crucial that customers of affected NetScaler systems remediate this vulnerability as soon as possible.

CVE-2025-7775 is described as a memory corruption vulnerability leading to remote code execution. The vendor-provided CVSS score for this vulnerability is 9.2 (Critical), and the vector indicates that exploitation is unauthenticated. However, the attack complexity is marked as high. This reflects the difficulty of reliably exploiting a memory corruption vulnerability: such exploits are often prone to failure due to unexpected memory layouts or other non-determinism in the target system.

An affected NetScaler ADC and NetScaler Gateway must be in one of the following specific configurations in order to be vulnerable (as per the vendor security bulletin):

  • NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server

  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers 

  • NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers

  • CR virtual server with type HDX

It is noteworthy that, while one of the above configurations is required for an affected target to be vulnerable, the first configuration is the same prerequisite as for several previous notable NetScaler vulnerabilities that saw broad exploitation, including CVE-2025-6543, CVE-2025-5777 (aka Citrix Bleed 2), and CVE-2023-4966 (aka Citrix Bleed). The configuration requirement should therefore not be seen as limiting the severity of this vulnerability.

CVE-2025-7775 has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of Known Exploited Vulnerabilities (KEV), and several national Computer Emergency Response Teams (CERTs) have begun to issue alerts.

As well as disclosing CVE-2025-7775, the vendor has disclosed two additional vulnerabilities also affecting NetScaler ADC and NetScaler Gateway. CVE-2025-7776 is another memory corruption vulnerability, and CVE-2025-8424 is described as an improper access control issue affecting the management interface of a NetScaler appliance. Neither of these two vulnerabilities has been indicated by the vendor as being either exploited in-the-wild or related to CVE-2025-7775. All three vulnerabilities are remediated by the same patch.

Mitigation guidance

The vendor has made patches available for supported versions of NetScaler ADC and NetScaler Gateway. Customers running affected customer-managed NetScaler ADC and NetScaler Gateway instances are advised to apply the vendor-supplied patches on an urgent basis. Customers using Citrix cloud-managed services are already remediated.

The following versions remediate all three vulnerabilities (CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424):

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases

  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP

  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

Customers running affected versions that are no longer supported with product updates (i.e. the 12.1 and 13.0 branches) are advised to upgrade to the latest release of a supported version.
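A quick way to triage a NetScaler inventory against the fixed builds listed above and the unsupported-branch note: the following Python script is an added example, not Rapid7's or Citrix's own tooling. It assumes version strings either in the bulletin's notation (13.1-59.22, with a FIPS or NDcPP suffix for those build lines) or in a `show ns version` banner form whose exact layout is an assumption here.

```python
import re

# Minimum fixed builds from the Citrix bulletin as quoted in this post, keyed by
# (branch, variant). The FIPS/NDcPP build lines have their own numbering, so
# 13.1-FIPS 37.241 is fixed while standard 13.1 needs 59.22.
FIXED_BUILDS = {
    ("14.1", ""): (47, 48),
    ("13.1", ""): (59, 22),
    ("13.1", "FIPS"): (37, 241),
    ("13.1", "NDcPP"): (37, 241),
    ("12.1", "FIPS"): (55, 330),
    ("12.1", "NDcPP"): (55, 330),
}
# Branches the post says no longer receive product updates (standard builds).
UNSUPPORTED_BRANCHES = {"12.1", "13.0"}

# Accepts "13.1-59.22" (bulletin notation) and "NetScaler NS13.1: Build 59.22.nc"
# (assumed banner layout of `show ns version`).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?::\s*Build\s+|-)(\d+)\.(\d+)")
_VARIANT_RE = re.compile(r"\b(FIPS|NDcPP)\b", re.IGNORECASE)


def parse_version(text):
    """Return (branch, (major, minor), variant); variant is "" for standard builds."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    v = _VARIANT_RE.search(text)
    variant = "" if v is None else {"fips": "FIPS", "ndcpp": "NDcPP"}[v.group(1).lower()]
    return branch, build, variant


def assess(text):
    """Classify a version as patched, vulnerable, unsupported or unknown, with a reason."""
    branch, build, variant = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        if branch in UNSUPPORTED_BRANCHES:
            return "unsupported", f"{branch} receives no updates; upgrade to a supported release"
        return "unknown", f"no fixed build known for {branch} {variant or 'standard'}; check the bulletin"
    if build >= fixed:  # tuple comparison: major first, then minor
        return "patched", f"{branch}-{build[0]}.{build[1]} is at or above {fixed[0]}.{fixed[1]}"
    return "vulnerable", f"update to {branch}-{fixed[0]}.{fixed[1]} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real build numbers.
    for host, ver in [("gw-1", "14.1-47.46"), ("gw-2", "NetScaler NS13.1: Build 59.22.nc"),
                      ("gw-3", "13.0-92.21"), ("gw-4", "12.1-55.330-FIPS")]:
        status, why = assess(ver)
        print(f"{host}: {status} ({why})")
```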

For the latest mitigation guidance, please refer to the vendor security bulletin.

Rapid7 customers

InsightVM and Nexpose

InsightVM and Nexpose customers can assess their exposure to CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 on Citrix NetScaler ADC with authenticated checks expected to be available in today’s (27 August) content release.
