Citrix has released emergency patches for three high-severity vulnerabilities affecting NetScaler ADC and NetScaler Gateway products, with security researchers confirming that one of the flaws is already being exploited by cybercriminals in active attacks.

The most critical vulnerability, tracked as CVE-2025-7775 with a CVSS score of 9.2, has been weaponized by threat actors, according to Citrix's security advisory published yesterday. The company acknowledged that "exploits of CVE-2025-7775 on unmitigated appliances have been observed" but declined to provide specific details about the attack campaigns.

Three Critical Flaws Disclosed

The security update addresses three separate vulnerabilities that could allow attackers to compromise NetScaler deployments:

CVE-2025-7775 (CVSS 9.2) - A memory overflow vulnerability that enables remote code execution and denial-of-service attacks. This flaw is currently being exploited in the wild.

CVE-2025-7776 (CVSS 8.8) - Another memory overflow issue that can cause unpredictable system behavior and service disruptions.

CVE-2025-8424 (CVSS 8.7) - An access control vulnerability targeting the NetScaler Management Interface.

The vulnerabilities were discovered and reported by security researchers Jimi Sebree from Horizon3.ai, Jonathan Hetzer from Schramm & Partner, and François Hämmerli.

Attack Requirements and Affected Systems

For successful exploitation, attackers must meet specific prerequisites depending on the vulnerability:

CVE-2025-7775 requires NetScaler to be configured as a Gateway with VPN virtual server, ICA Proxy, CVPN, or RDP Proxy functionality. The vulnerability also affects load balancer virtual servers bound with IPv6 services in certain NetScaler versions.

CVE-2025-7776 impacts NetScaler Gateway configurations with PCoIP Profile bindings, while CVE-2025-8424 affects systems where attackers can access management interfaces including NSIP, Cluster Management IP, or SNIP with management access.

Patches Available, No Workarounds

Citrix has released fixes for all affected versions with no available workarounds, meaning organizations must apply the patches to secure their systems:

  • NetScaler ADC and Gateway 14.1: Update to version 14.1-47.48 or later
  • NetScaler ADC and Gateway 13.1: Update to version 13.1-59.22 or later
  • NetScaler ADC 13.1-FIPS and NDcPP: Update to version 13.1-37.241 or later
  • NetScaler ADC 12.1-FIPS and NDcPP: Update to version 12.1-55.330 or later

CISA Adds Vulnerability to Must-Patch List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) moved quickly to add CVE-2025-7775 to its Known Exploited Vulnerabilities catalog on August 26, requiring federal agencies to patch vulnerable systems within 48 hours.

"Citrix NetScaler ADC and NetScaler Gateway contain a memory overflow vulnerability that could allow for remote code execution and/or Denial-of-Service," CISA stated in its advisory.

The emergency directive underscores the severity of the threat and the likelihood of widespread exploitation attempts.

Latest in Series of NetScaler Attacks

This incident marks the third major NetScaler vulnerability to be actively exploited in recent months, following CVE-2025-5777 (dubbed "Citrix Bleed 2") and CVE-2025-6543. The pattern suggests cybercriminals are increasingly targeting NetScaler infrastructure as a pathway into enterprise networks.

The timing of the disclosure also coincides with CISA's addition of two other Citrix vulnerabilities to its exploit catalog. CVE-2024-8068 and CVE-2024-8069, affecting Citrix Session Recording products, were added to the KEV list based on evidence of active exploitation.

Industry Impact and Response

NetScaler products are widely deployed in enterprise environments to provide load balancing, VPN access, and application delivery services. The confirmation of active exploitation has prompted an urgent response from cybersecurity teams worldwide.

Security experts are advising organizations to prioritize patching of internet-facing NetScaler appliances, particularly those configured with Gateway functionality that meet the CVE-2025-7775 prerequisites.
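As an added illustration (not code from Citrix or from any source quoted in this article), the following Python sketch checks an appliance inventory against the fixed builds listed above and puts unpatched internet-facing Gateways first in the patch queue. The inventory field names, host names and sample builds are constructed for the example, and the edition of each appliance is assumed to be known from the inventory rather than inferred from the build number.

```python
import re

# Fixed builds from the patch list in this article, keyed by (release, edition).
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),   # 13.1-FIPS and NDcPP
    ("12.1", "fips"): (55, 330),   # 12.1-FIPS and NDcPP
}
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def classify(version, edition="standard"):
    """Return 'patched', 'needs_update' or 'unlisted' for a build such as '13.1-59.22'."""
    m = BUILD_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised build string: {version!r}")
    fixed = FIXED.get((m.group(1), edition.lower()))
    if fixed is None:
        return "unlisted"  # release not in the patch list; check the vendor advisory
    # Compare numerically: as strings, '59.9' would sort after '59.22'.
    build = (int(m.group(2)), int(m.group(3)))
    return "patched" if build >= fixed else "needs_update"

def triage(inventory):
    """Order appliances for patching: unpatched internet-facing Gateways first."""
    rows = []
    for item in inventory:
        status = classify(item["version"], item.get("edition", "standard"))
        if status == "patched":
            continue
        exposed = item.get("internet_facing", False) and item.get("gateway", False)
        rows.append((0 if exposed else 1, item["host"], status))
    return [(host, status) for _, host, status in sorted(rows)]

# Constructed sample inventory; host names and field names are hypothetical.
SAMPLE = [
    {"host": "adc-int-01", "version": "14.1-43.50", "internet_facing": False, "gateway": False},
    {"host": "gw-edge-01", "version": "13.1-59.9", "internet_facing": True, "gateway": True},
    {"host": "gw-edge-02", "version": "14.1-47.48", "internet_facing": True, "gateway": True},
    {"host": "adc-fips-01", "version": "13.1-37.241", "edition": "fips"},
    {"host": "adc-old-01", "version": "13.0-92.31"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

An "unlisted" result means the release is not in the patch list above, not that the appliance is safe.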

The disclosure highlights the ongoing challenges organizations face in maintaining security for critical network infrastructure, especially as threat actors continue to develop exploits for newly discovered vulnerabilities at an accelerated pace.

Organizations using affected NetScaler products are strongly encouraged to review the Citrix security advisory and implement the available patches as soon as possible to prevent potential compromise.