Citrix Warns of Active Exploitation: CVE-2025-7775 in NetScaler ADC/Gateway

A critical memory overflow bug in NetScaler ADC/Gateway is being exploited in the wild. It can lead to remote code execution (RCE) or denial of service. Since there are no workarounds, it is highly recommended to patch immediately. CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Citrix shipped fixes today for three NetScaler flaws, headlined by CVE-2025-7775 (CVSS v4.0: 9.2), a memory handling issue that attackers are already exploiting against unpatched appliances.

Around 59,000 Citrix NetScaler (Gateway/AAA) instances were reachable on the public internet on August 26, 2025, based on Shodan data.

Who’s at risk

Customers are exposed if any of the following applies (any one is sufficient):

  • Device configured as Gateway (VPN/ICA Proxy/CVPN/RDP Proxy) or AAA vserver.
  • LB vservers (HTTP/SSL/HTTP_QUIC) bound to IPv6 services/service groups, or DBS IPv6 servers.
  • CR vserver (HDX type).
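The three exposure conditions above can be checked against a NetScaler running configuration. The following is an added example, not code from Citrix or Qualys: it parses a constructed sample of CLI-style `add`/`bind` lines (the command shapes `add vpn vserver`, `add authentication vserver`, `add lb vserver`, `add service`, `add server`, `add serviceGroup`, `bind serviceGroup`, `bind lb vserver`, `add cr vserver ... HDX` are assumptions about ns.conf syntax) and reports every object that matches one of the listed conditions. It covers IPv6 services and service-group members; domain-based (DBS) IPv6 servers are not resolved here and would need a DNS lookup.

```python
import ipaddress
from dataclasses import dataclass, field

# LB vserver protocols the advisory names as exposed when bound to IPv6 backends.
EXPOSED_LB_PROTOCOLS = {"HTTP", "SSL", "HTTP_QUIC"}

# Constructed sample config (assumed ns.conf command syntax; not from the advisory).
SAMPLE_CONFIG = """
add server srv6 2001:db8::20
add vpn vserver gw_vs SSL 203.0.113.10 443
add authentication vserver aaa_vs SSL 203.0.113.11 443
add service web6 2001:db8::10 HTTP 80
add service web4 192.0.2.10 HTTP 80
add serviceGroup sg_mixed HTTP
bind serviceGroup sg_mixed srv6 80
bind serviceGroup sg_mixed 192.0.2.11 80
add lb vserver lb_v6 HTTP 203.0.113.12 80
add lb vserver lb_v4 SSL 203.0.113.13 443
add lb vserver lb_tcp TCP 203.0.113.15 3306
add lb vserver lb_sg HTTP_QUIC 203.0.113.16 443
bind lb vserver lb_v6 web6
bind lb vserver lb_v4 web4
bind lb vserver lb_tcp web6
bind lb vserver lb_sg sg_mixed
add cr vserver cr_hdx HDX 203.0.113.14 80
"""


def is_ipv6(addr: str) -> bool:
    """True only for a literal IPv6 address; names and IPv4 return False."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


@dataclass
class NsConfig:
    servers: dict = field(default_factory=dict)      # server name -> address
    services: dict = field(default_factory=dict)     # service name -> address
    groups: dict = field(default_factory=dict)       # serviceGroup name -> [addresses]
    lb_vservers: dict = field(default_factory=dict)  # lb vserver name -> protocol
    lb_bindings: dict = field(default_factory=dict)  # lb vserver name -> [bound targets]
    gateway_vservers: list = field(default_factory=list)
    aaa_vservers: list = field(default_factory=list)
    cr_hdx_vservers: list = field(default_factory=list)


def _resolve(cfg: NsConfig, name_or_ip: str) -> str:
    # A service or group member may reference a named server instead of an address.
    return cfg.servers.get(name_or_ip, name_or_ip)


def parse_ns_config(text: str) -> NsConfig:
    cfg = NsConfig()
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 3:
            continue
        cmd, obj = t[0], " ".join(t[1:3])
        if cmd == "add" and obj == "vpn vserver":
            cfg.gateway_vservers.append(t[3])
        elif cmd == "add" and obj == "authentication vserver":
            cfg.aaa_vservers.append(t[3])
        elif cmd == "add" and obj == "cr vserver" and len(t) > 4 and t[4] == "HDX":
            cfg.cr_hdx_vservers.append(t[3])
        elif cmd == "add" and obj == "lb vserver" and len(t) > 4:
            cfg.lb_vservers[t[3]] = t[4]
        elif cmd == "add" and t[1] == "server" and len(t) > 3:
            cfg.servers[t[2]] = t[3]
        elif cmd == "add" and t[1] == "service" and len(t) > 3:
            cfg.services[t[2]] = _resolve(cfg, t[3])
        elif cmd == "add" and t[1] == "serviceGroup":
            cfg.groups.setdefault(t[2], [])
        elif cmd == "bind" and t[1] == "serviceGroup" and len(t) > 3:
            cfg.groups.setdefault(t[2], []).append(_resolve(cfg, t[3]))
        elif cmd == "bind" and obj == "lb vserver" and len(t) > 4:
            cfg.lb_bindings.setdefault(t[3], []).append(t[4])
    return cfg


def _backend_addresses(cfg: NsConfig, target: str) -> list:
    if target in cfg.services:
        return [cfg.services[target]]
    return cfg.groups.get(target, [])


def find_exposures(config_text: str) -> list:
    """Return (object name, reason) pairs for each advisory exposure condition hit."""
    cfg = parse_ns_config(config_text)
    findings = [(n, "Gateway vserver configured") for n in cfg.gateway_vservers]
    findings += [(n, "AAA vserver configured") for n in cfg.aaa_vservers]
    for name, proto in cfg.lb_vservers.items():
        if proto not in EXPOSED_LB_PROTOCOLS:  # e.g. a TCP vserver is not listed
            continue
        for target in cfg.lb_bindings.get(name, []):
            if any(is_ipv6(a) for a in _backend_addresses(cfg, target)):
                findings.append((name, f"{proto} LB vserver bound to IPv6 backend {target}"))
                break
    findings += [(n, "CR vserver of type HDX") for n in cfg.cr_hdx_vservers]
    return findings


if __name__ == "__main__":
    for name, reason in find_exposures(SAMPLE_CONFIG):
        print(f"EXPOSED {name}: {reason}")
```

Run it against a saved copy of `show ns runningConfig` output instead of `SAMPLE_CONFIG`; any finding means the appliance is in scope and must be upgraded regardless of which condition matched. Note the sample deliberately includes a TCP vserver bound to an IPv6 service, which is not flagged because the advisory only lists HTTP/SSL/HTTP_QUIC.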

Affected & fixed builds

Affected (upgrade required):

  • 14.1 before 14.1-47.48
  • 13.1 before 13.1-59.22
  • 13.1-FIPS/NDcPP before 13.1-37.241
  • 12.1-FIPS/NDcPP before 12.1-55.330

Fixed targets: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, 12.1-FIPS/NDcPP 12.1-55.330+.

Note that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End of Life (EOL); customers on those versions need to move to a supported release. Secure Private Access on-prem/hybrid deployments using NetScaler instances also need the updated builds.
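Comparing a fleet of build strings against the fixed builds above is error-prone by hand, mainly because the 13.1-FIPS/NDcPP train (fixed at 13.1-37.241) carries lower build numbers than mainline 13.1 (fixed at 13.1-59.22), so a FIPS build checked against the mainline threshold looks vulnerable when it is not. The following added example (not Citrix or Qualys code) encodes the advisory's fixed builds per train, treats the FIPS/NDcPP flag as part of the lookup key, and reports non-FIPS 12.1 and 13.0 as EOL rather than comparing them. The `build` strings in the inventory are constructed; the build-string format `major.minor-a.b` is assumed from the versions quoted in the advisory.

```python
import re

# Fixed builds from the advisory, keyed by (release train, FIPS/NDcPP flag).
# Values are (build, sub-build) tuples; a build is fixed when >= the tuple.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),    # 14.1-47.48
    ("13.1", False): (59, 22),    # 13.1-59.22
    ("13.1", True): (37, 241),    # 13.1-FIPS/NDcPP 13.1-37.241
    ("12.1", True): (55, 330),    # 12.1-FIPS/NDcPP 12.1-55.330
}

# Non-FIPS 12.1 and 13.0 are End of Life per the advisory: no fix, must migrate.
EOL_TRAINS = {"12.1", "13.0"}

# Assumed build-string layout, e.g. "14.1-47.48" -> train "14.1", build 47, sub-build 48.
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(build: str) -> tuple:
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognized NetScaler build string: {build!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(build: str, fips_ndcpp: bool = False) -> str:
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one appliance."""
    train, major, minor = parse_build(build)
    key = (train, fips_ndcpp)
    if key in FIXED_BUILDS:
        return "fixed" if (major, minor) >= FIXED_BUILDS[key] else "vulnerable"
    if train in EOL_TRAINS and not fips_ndcpp:
        return "eol"
    # A train the advisory does not list (e.g. a 14.1 FIPS build): do not guess.
    return "unknown"


def triage(inventory: list) -> dict:
    """Map each host in [{'host':..., 'build':..., 'fips':...}] to its status."""
    return {
        item["host"]: assess(item["build"], item.get("fips", False))
        for item in inventory
    }


# Constructed sample inventory (hostnames and builds are made up).
SAMPLE_INVENTORY = [
    {"host": "gw-dmz-01", "build": "14.1-47.46"},
    {"host": "gw-dmz-02", "build": "14.1-47.48"},
    {"host": "aaa-core-01", "build": "13.1-58.32"},
    {"host": "aaa-fips-01", "build": "13.1-37.241", "fips": True},
    {"host": "legacy-01", "build": "13.0-92.21"},
    {"host": "fips-old-01", "build": "12.1-55.328", "fips": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Anything reported as `vulnerable` or `eol` needs action now; `eol` hosts have no fixed build to install and must be migrated to a supported train. A `fips` value of `True` must be set from the appliance's actual edition, since the same numeric build is judged differently on the two 13.1 trains.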

Why this matters

NetScaler has been a high-value target this summer (see CVE-2025-5777 “CitrixBleed 2” and CVE-2025-6543). Today’s advisory confirms another round of real-world exploitation, continuing the pattern of rapid weaponization against edge infrastructure.

Also patched today

  • CVE-2025-7776 (CVSS 8.8) — Memory overflow that could lead to DoS/erratic behavior. Exposure requires a Gateway (VPN) vserver with a PCoIP profile bound. Patch to the same fixed trains noted above.
  • CVE-2025-8424 (CVSS 8.7) — Improper access control on the management interface. Risk applies when an attacker can reach NSIP, Cluster Management IP, local GSLB Site IP, or a SNIP with management access. Beyond patching, validate that management is isolated, not exposed to untrusted networks, and restricted by ACLs/VPN/jump hosts.

Patch immediately to the fixed builds listed above. There are no mitigations.

Qualys Detection

We’re actively preparing QID 384699 and target end-of-day availability today to detect affected NetScaler ADC/Gateway assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References:

https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
