Citrix has released urgent security patches for a zero-day flaw in NetScaler ADC and NetScaler Gateway appliances. The vulnerability, tracked as CVE-2025-7775, is a memory overflow that allows unauthenticated remote code execution (RCE) and denial of service (DoS). Citrix confirmed that attackers were exploiting the bug in the wild before a fix was available, and it has published no workaround: upgrading to a fixed build is the only remediation.
What happened
- On August 26, 2025, Citrix issued an advisory covering three vulnerabilities.
- CVE-2025-7775 (CVSS 9.2): Memory overflow leading to unauthenticated RCE and/or DoS; actively exploited.
- CVE-2025-7776 (CVSS 8.8): Authenticated DoS flaw, reachable only on Gateway configurations with a PCoIP Profile bound.
- CVE-2025-8424 (CVSS 8.7): Improper access control on the management interface; exploitation requires network access to a management IP (NSIP, cluster management IP, or a SNIP with management access enabled).
Why it matters
- NetScaler ADC and Gateway appliances sit at the network edge, terminate VPN and ICA sessions, and hold session tokens and credentials, which makes them high-value targets.
- Past bugs like CVE-2019-19781, CVE-2022-27518, and CitrixBleed (CVE-2023-4966) were exploited by state-sponsored groups and ransomware operators, often within days of disclosure.
- Citrix has observed exploitation of CVE-2025-7775 on unpatched appliances, and public proof-of-concept code is likely to follow, as it did for the earlier bugs.
Who is affected
- NetScaler ADC and Gateway 13.1 builds earlier than 13.1-59.22, and 14.1 builds earlier than 14.1-47.48.
- NetScaler ADC 12.1-FIPS/NDcPP and 13.1-FIPS/NDcPP builds earlier than the fixed builds listed in Citrix's advisory.
- Non-FIPS 12.1 and 13.0 are end of life: they are affected, will not receive a fix, and must be upgraded to a supported release line.
- Citrix's advisory lists configuration prerequisites for CVE-2025-7775 (the appliance configured as a Gateway or AAA virtual server, or certain load-balancing and content-routing virtual server setups). Treat every Internet-facing appliance as in scope until you have confirmed against that list.
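A quick way to triage a fleet is to compare each appliance's `show ns version` output against the fixed builds above. The script below is an added example, not code from Citrix or Tenable; it encodes only the two fixed builds this post cites (13.1-59.22 and 14.1-47.48) and the two EOL lines. The FIPS/NDcPP fixed builds are not reproduced here, so those appliances are flagged for manual comparison against the advisory rather than judged. The sample version strings are constructed for illustration.

```python
import re

# Fixed builds from Citrix's August 26, 2025 advisory, as cited in this post.
FIXED_BUILDS = {
    "14.1": (47, 48),
    "13.1": (59, 22),
}

# Non-FIPS release lines that are end of life: affected, but no fix will ship.
EOL_LINES = {"12.1", "13.0"}

# `show ns version` prints e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ..."
VERSION_RE = re.compile(r"NS(?P<line>\d+\.\d+):\s*Build\s+(?P<build>\d+\.\d+)")


def parse_version(show_version_output):
    """Return (release line, (build major, build minor)) or None if unparseable."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    major, minor = m.group("build").split(".")
    return m.group("line"), (int(major), int(minor))


def assess(show_version_output, fips_or_ndcpp=False):
    """Classify one appliance as PATCHED, VULNERABLE, EOL, CHECK_ADVISORY or UNKNOWN.

    fips_or_ndcpp must be supplied by the caller (from inventory); the version
    string alone is not assumed to reveal a FIPS/NDcPP build.
    """
    parsed = parse_version(show_version_output)
    if parsed is None:
        return "UNKNOWN", "could not parse a NetScaler version string"
    line, build = parsed
    version = f"{line}-{build[0]}.{build[1]}"
    if fips_or_ndcpp:
        # The FIPS/NDcPP fixed builds are in the advisory but not in this post.
        return "CHECK_ADVISORY", f"{version} is a FIPS/NDcPP build; compare by hand"
    if line in EOL_LINES:
        return "EOL", f"{version} is unsupported and has no fix; upgrade to 13.1 or 14.1"
    fixed = FIXED_BUILDS.get(line)
    if fixed is None:
        return "UNKNOWN", f"release line {line} is not in the fixed-build table"
    # Builds compare numerically per component: 47.46 < 47.48 < 48.1
    if build < fixed:
        return "VULNERABLE", f"{version} is below fixed build {line}-{fixed[0]}.{fixed[1]}"
    return "PATCHED", f"{version} is at or above {line}-{fixed[0]}.{fixed[1]}"


# Constructed sample outputs standing in for `show ns version` from several appliances.
SAMPLE_OUTPUTS = [
    ("gw-01", "NetScaler NS14.1: Build 47.46.nc, Date: Jan 1 2025", False),
    ("gw-02", "NetScaler NS14.1: Build 47.48.nc, Date: Jan 1 2025", False),
    ("adc-01", "NetScaler NS13.1: Build 59.19.nc, Date: Jan 1 2025", False),
    ("adc-02", "NetScaler NS13.0: Build 92.21.nc, Date: Jan 1 2025", False),
    ("adc-fips", "NetScaler NS13.1: Build 37.200.nc, Date: Jan 1 2025", True),
]


def triage(outputs):
    """Run assess() over (hostname, version output, is_fips) tuples."""
    return [(host, *assess(text, fips)) for host, text, fips in outputs]


if __name__ == "__main__":
    for host, status, detail in triage(SAMPLE_OUTPUTS):
        print(f"{host:10} {status:15} {detail}")
```

Feed the function real output collected over SSH or from your configuration backups; anything reported as VULNERABLE or EOL goes to the top of the patch queue, and CHECK_ADVISORY entries are compared by hand against the FIPS/NDcPP builds in the advisory.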
What you should do
- Patch immediately to 13.1-59.22, 14.1-47.48, or the fixed FIPS/NDcPP builds listed in the advisory. There is no workaround, so prioritize Internet-facing Gateway and AAA deployments.
- If you are running unsupported 12.1 or 13.0 builds, upgrade to a supported release line rather than waiting for a fix that will not come.
- Use Tenable Attack Surface Management to find exposed NetScaler assets, and reconcile the results against your own inventory so that forgotten or shadow appliances are not missed.
- Treat any appliance that was Internet-facing and unpatched before August 26 as potentially compromised: patching removes the vulnerability but does not evict an attacker who already has a foothold. Review it for unexpected local accounts, cron entries and files in web-served directories, look for anomalous outbound connections in your network logs, and rotate credentials and sessions that passed through it.
