Sunday, May 31, 2026
Manila Republic

Citrix NetScaler Zero-Day Exploited, Patch Now

Citrix has released urgent security patches for a zero-day flaw in NetScaler ADC and NetScaler Gateway appliances. The vulnerability, tracked as CVE-2025-7775, allows unauthenticated remote code execution (RCE) and denial of service (DoS). Citrix confirmed that attackers have already exploited this bug in the wild.

What happened

  • On August 26, Citrix issued an advisory covering three vulnerabilities.
  • CVE-2025-7775 (CVSS 9.2): Unauthenticated RCE and DoS vulnerability actively exploited.
  • CVE-2025-7776 (CVSS 8.8): Authenticated DoS flaw tied to PCoIP Profile configurations.
  • CVE-2025-8424 (CVSS 8.7): Improper access control vulnerability requiring access to management IPs.

Why it matters

  • NetScaler ADC and Gateway appliances are high-value targets.
  • Past bugs like CVE-2019-19781, CVE-2022-27518, and CitrixBleed (CVE-2023-4966) were exploited by state-sponsored groups and ransomware operators.
  • Exploits for CVE-2025-7775 are already in use, and public PoC code may surface soon.

Who is affected

  • NetScaler ADC and Gateway versions before 13.1-59.22 and 14.1-47.48.
  • FIPS and NDcPP variants of NetScaler ADC running builds earlier than their fixed builds.
  • EOL versions (12.1, 13.0) are unsupported and must be upgraded.

What you should do

  • Patch immediately to 13.1-59.22, 14.1-47.48, or the fixed FIPS/NDcPP builds.
  • Upgrade if running unsupported versions.
  • Use Tenable Attack Surface Management to find exposed NetScaler assets.
  • Monitor for suspicious activity on devices that were unpatched before August 26.
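To turn the affected-version list above into a patch triage, the following added example (not from Citrix or the original article) classifies appliance build strings against the fixed builds 13.1-59.22 and 14.1-47.48 and the end-of-life branches 12.1 and 13.0. The "NS13.1: Build 59.22.nc" banner form, the `fips_or_ndcpp` flag and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed builds named in the article, keyed by release branch.
FIXED = {"13.1": (59, 22), "14.1": (47, 48)}
# Branches the article lists as end-of-life.
EOL = {"12.1", "13.0"}

# Accepts "13.1-59.22" and the assumed banner form "NS13.1: Build 59.22.nc".
_BUILD = re.compile(r"(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")

def classify(version_text, fips_or_ndcpp=False):
    """Return (status, detail) for one appliance version string."""
    m = _BUILD.search(version_text)
    if not m:
        return ("unknown", "unparseable version string")
    # Compare builds as integer tuples: as strings, "9.100" would sort after "47.48".
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    if branch in EOL:
        return ("eol", f"{branch} is unsupported; upgrade to a supported release")
    if fips_or_ndcpp:
        # The article gives no FIPS/NDcPP build numbers, so none are guessed here.
        return ("check-advisory", "compare against the fixed FIPS/NDcPP build")
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("unknown", f"no fixed build listed for branch {branch}")
    if build < fixed:
        return ("vulnerable", f"patch to {branch}-{fixed[0]}.{fixed[1]}")
    return ("patched", f"at or above {branch}-{fixed[0]}.{fixed[1]}")

def triage(inventory):
    """Map hostname -> classification for (host, version, fips) rows."""
    return {host: classify(ver, fips) for host, ver, fips in inventory}

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = [
    ("adc-01", "NetScaler NS13.1: Build 58.32.nc", False),
    ("adc-02", "14.1-47.48", False),
    ("gw-01", "NS13.0: Build 92.21.nc", False),
    ("adc-fips", "13.1-37.200", True),
    ("adc-03", "14.1-9.100", False),
]

if __name__ == "__main__":
    for host, (status, detail) in triage(SAMPLE).items():
        print(f"{host:10} {status:15} {detail}")
```

Hosts reported as `vulnerable` or `eol` that were reachable before August 26 are the ones to prioritise for the monitoring step in the last bullet.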

About the Author

Introvert, wanderer, blogger, foodie, a hip-hop music writer, and one of the co-founders of a tech start-up company called GigsManila.