
Executive Summary
This summary covers CVE-2025-7775, an actively exploited vulnerability in Citrix NetScaler ADC and NetScaler Gateway, with an overview of its technical details and the associated risk. The flaw, a critical memory overflow, was added by CISA to its Known Exploited Vulnerabilities (KEV) catalog after confirmed in-the-wild exploitation. It allows unauthenticated remote code execution on vulnerable appliances, which makes them a high-value target for threat actors. Immediate patching and incident response actions are strongly recommended to mitigate potential compromise.
Description and Impact: CVE-2025-7775 is a critical memory overflow vulnerability (CWE-119) in Citrix NetScaler ADC and NetScaler Gateway appliances. It can be exploited without authentication (pre-auth) to execute arbitrary code or cause a denial of service on the affected system. Citrix has confirmed that this flaw has been actively exploited on unpatched NetScaler appliances, which led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2025-7775 to its Known Exploited Vulnerabilities catalog on August 26, 2025.
Technical Details: The vulnerability stems from improper handling of memory buffers in the NetScaler software and is reachable only through specific, but common, configurations. NetScaler instances configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or as an authentication virtual server (AAA) are susceptible. On NetScaler ADC/Gateway 13.1 and 14.1 (including the FIPS and NDcPP variants), load balancing virtual servers of type HTTP, SSL or HTTP_QUIC bound to IPv6 services (or to service groups with IPv6 servers), as well as content routing virtual servers of type HDX, are also affected. Because Gateway and AAA virtual servers are the usual reason a NetScaler is internet-facing, most exposed appliances should be assumed to meet at least one precondition. In each of these cases CVE-2025-7775 lets an unauthenticated remote attacker run arbitrary code on the appliance. Security researchers observed the flaw being exploited as a zero-day to install webshells and backdoor implants on compromised NetScaler devices for persistent access. For context, roughly 14,300 NetScaler instances were exposed to the internet at the time of disclosure, underscoring the broad attack surface.
Severity and Exploitation: Citrix has assigned CVE-2025-7775 a CVSS v4 base score of 9.2 (Critical). Developing a reliable exploit for a memory corruption bug like this takes skill, so such flaws are typically used first by state-sponsored or other well-resourced groups in targeted attacks rather than by unsophisticated attackers. Once a working exploit exists, however, it spreads quickly: NetScaler appliances sit at the network perimeter and are high-value targets, and recent incidents show that cybercriminal groups (including ransomware operators) quickly weaponize NetScaler flaws to breach organizations. The combination of critical severity, pre-authentication reachability and confirmed active exploitation makes this vulnerability particularly dangerous.
Patches and Mitigation: On August 26, 2025, Citrix released fixes for this vulnerability alongside two other NetScaler issues disclosed in the same advisory (CVE-2025-7776 and CVE-2025-8424). No workaround is available; affected organizations must apply the patches to secure their systems. The following builds (and later builds in the same branch) contain the fixes:
- NetScaler ADC and Gateway 14.1: update to version 14.1-47.48
- NetScaler ADC and Gateway 13.1: update to version 13.1-59.22
- NetScaler ADC 13.1-FIPS / 13.1-NDcPP: update to version 13.1-37.241
- NetScaler ADC 12.1-FIPS / 12.1-NDcPP: update to version 12.1-55.330
Note that older firmware branches (e.g. 12.1 non-FIPS and 13.0) are end-of-life and will not receive patches, so administrators running them must upgrade to a supported branch as soon as possible. CISA urges all organizations, not just U.S. federal agencies, to promptly remediate such known exploited vulnerabilities in order to reduce their exposure to cyber attacks. Organizations using NetScaler should apply the above updates immediately and ensure that the NetScaler management interface (NSIP/management IP) is not reachable from the internet, which also removes the attack surface of the companion CVE-2025-8424. Given that CVE-2025-7775 has already been used to compromise systems, patching alone is not sufficient on an appliance that was exposed while unpatched: perform incident response on it (for example, checking for unexpected webshell files or other signs of compromise), and if compromise is confirmed treat the appliance as untrusted, rebuild it from a clean image and rotate any credentials and certificates it held, to eliminate attacker footholds.
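The two questions a responder must answer first are whether the running build is at or above the fixed build for its branch, and whether the configuration contains any of the exposed virtual server types named above. The script below is an added triage example, not Citrix tooling, that answers both from the text of `show ns version` and of the running configuration (ns.conf syntax). The sample version string and configuration are constructed; the rule that FIPS/NDcPP firmware is recognised by its build branch (13.1-37.x and 12.1-55.x), the fixed-build table and the exposure labels are this example's assumptions, matched to the fixed versions listed above.

```python
"""Triage helper for CVE-2025-7775 (added example, not Citrix's own tooling).

Inputs: the output of `show ns version` and the running configuration in
ns.conf syntax (`add lb vserver ...`, `bind lb vserver ...`, etc.).
All sample inputs in this file are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Fixed builds from the advisory, keyed by release and build branch.
# Assumption: FIPS/NDcPP firmware is identified by its build branch
# (13.1-37.x and 12.1-55.x), consistent with the fixed versions listed above.
FIXED_BUILDS: Dict[str, Tuple[int, int]] = {
    "14.1": (47, 48),
    "13.1": (59, 22),
    "13.1-FIPS": (37, 241),
    "12.1-FIPS": (55, 330),
}
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")
EXPOSED_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def version_status(show_ns_version: str) -> Tuple[str, str]:
    """Return (status, detail); status is patched, vulnerable, eol or unknown."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        return "unknown", "could not parse 'show ns version' output"
    release, branch, build = m.group(1), int(m.group(2)), int(m.group(3))
    key = release
    if (release, branch) == ("13.1", 37):
        key = "13.1-FIPS"
    elif (release, branch) == ("12.1", 55):
        key = "12.1-FIPS"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:  # 13.0, non-FIPS 12.1 and older: no fix, upgrade the branch
        return "eol", f"{release} build {branch}.{build}: unsupported branch, no fix available"
    if (branch, build) >= fixed:
        return "patched", f"{key} build {branch}.{build} >= fixed {fixed[0]}.{fixed[1]}"
    return "vulnerable", f"{key} build {branch}.{build} < fixed {fixed[0]}.{fixed[1]}"


def config_exposures(ns_conf: str) -> List[Tuple[str, str]]:
    """Return (exposure-kind, vserver-name) pairs matching the advisory's preconditions."""
    servers: Dict[str, str] = {}             # add server <name> <ip>
    services: Dict[str, str] = {}            # add service <name> <ip|server> <type> <port>
    groups: Dict[str, List[str]] = {}        # add/bind servicegroup
    lb_types: Dict[str, str] = {}            # add lb vserver <name> <type> ...
    lb_bindings: List[Tuple[str, str]] = []  # bind lb vserver <vs> <service|servicegroup>
    found: List[Tuple[str, str]] = []

    def resolve(ip_or_server: str) -> str:
        return servers.get(ip_or_server, ip_or_server)

    for line in ns_conf.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[:2] == ["add", "server"]:
            servers[t[2]] = t[3]
        elif t[:2] == ["add", "service"] and len(t) >= 5:
            services[t[2]] = resolve(t[3])
        elif t[:2] == ["add", "servicegroup"]:
            groups.setdefault(t[2], [])
        elif t[:2] == ["bind", "servicegroup"] and not t[3].startswith("-"):
            groups.setdefault(t[2], []).append(resolve(t[3]))
        elif t[:3] == ["add", "lb", "vserver"] and len(t) >= 5:
            lb_types[t[3]] = t[4]
        elif t[:3] == ["bind", "lb", "vserver"] and len(t) >= 5 and not t[4].startswith("-"):
            lb_bindings.append((t[3], t[4]))   # skip "-policyName" style bindings
        elif t[:3] == ["add", "cr", "vserver"] and len(t) >= 5 and t[4] == "HDX":
            found.append(("cr-hdx", t[3]))
        elif t[:3] == ["add", "vpn", "vserver"]:
            found.append(("gateway", t[3]))
        elif t[:3] == ["add", "authentication", "vserver"]:
            found.append(("aaa", t[3]))

    # LB vservers count only if their type is exposed AND a bound backend is IPv6.
    flagged = set()
    for vs, target in lb_bindings:
        if lb_types.get(vs) not in EXPOSED_LB_TYPES or vs in flagged:
            continue
        members = [services[target]] if target in services else groups.get(target, [])
        if any(":" in member for member in members):
            found.append(("lb-ipv6-backend", vs))
            flagged.add(vs)
    return found


def assess(show_ns_version: str, ns_conf: str) -> Dict[str, object]:
    """Combine both checks; an unparseable version is treated as unpatched (conservative)."""
    status, detail = version_status(show_ns_version)
    exposures = config_exposures(ns_conf)
    return {"version": status, "detail": detail, "exposures": exposures,
            "at_risk": status != "patched" and bool(exposures)}


# Constructed sample inputs (not from a real appliance).
SAMPLE_SHOW_NS_VERSION = "NetScaler NS14.1: Build 47.46.nc, Date: Jun 1 2025, 00:00:00"
SAMPLE_NS_CONF = """\
add server app6 2001:db8::10
add service svc_v6 app6 HTTP 8080
add service svc_v4 10.0.0.10 HTTP 8080
add servicegroup sg_v6 SSL
bind servicegroup sg_v6 2001:db8::20 443
add lb vserver lb_web HTTP 192.0.2.10 80
bind lb vserver lb_web svc_v6
add lb vserver lb_api SSL 192.0.2.11 443
bind lb vserver lb_api svc_v4
add lb vserver lb_sg SSL 192.0.2.12 443
bind lb vserver lb_sg sg_v6
add lb vserver lb_tcp TCP 192.0.2.14 3389
bind lb vserver lb_tcp svc_v6
add cr vserver cr_hdx HDX 192.0.2.13 443
add vpn vserver vpn_gw SSL 192.0.2.20 443
add authentication vserver aaa_vs SSL 192.0.2.21 443
"""

if __name__ == "__main__":
    report = assess(SAMPLE_SHOW_NS_VERSION, SAMPLE_NS_CONF)
    print(f"version: {report['version']} ({report['detail']})")
    for kind, name in report["exposures"]:
        print(f"  exposed: {kind:16s} {name}")
    print("AT RISK: patch now and start incident response" if report["at_risk"]
          else "no exposed configuration, or already patched")
```

In the sample, `lb_api` (IPv4 backend) and `lb_tcp` (TCP type, IPv6 backend) are deliberately not flagged, while `lb_web` and `lb_sg` are, because the advisory's LB precondition needs both an HTTP/SSL/HTTP_QUIC virtual server and an IPv6 backend. A "patched" result from the version check says nothing about whether the appliance was compromised before the patch; the incident response step above still applies.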