Citrix (Cloud Software Group)

Citrix disclosed a critical zero-day vulnerability (CVE-2025-7775) in its NetScaler ADC and NetScaler Gateway products, actively exploited in the wild as of August 26, 2025. The flaw, a memory overflow bug, enables unauthenticated remote code execution (RCE) on unpatched devices, posing severe risks to organizations relying on these appliances for secure access. While Citrix did not provide indicators of compromise (IoCs), it confirmed exploitation on systems configured as Gateway (VPN, ICA Proxy, RDP Proxy), AAA virtual servers, or specific load-balancing (LB) setups with IPv6 bindings. No mitigations exist, so immediate patching to versions 14.1-47.48, 13.1-59.22, or later is required.

Successful exploitation could allow attackers to gain full control over affected systems, potentially leading to lateral movement, data exfiltration, or deployment of malware or ransomware. Citrix also patched two other flaws: a DoS vulnerability (CVE-2025-7776) and an improper access control issue (CVE-2025-8424), further compounding the risk. Historical context, such as the earlier Citrix Bleed 2 (CVE-2025-5777) exploit, highlights the company's recurring exposure to high-severity attacks targeting memory corruption. Failure to patch could result in widespread breaches, operational disruptions, or supply-chain attacks given NetScaler's role in enterprise networks.

Source: https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/

TPRM report: https://www.rankiteo.com/company/citrix

"id": "cit806082725",
"linkid": "citrix",
"type": "Vulnerability",
"date": "8/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Enterprise Software / Virtualization',
                        'location': 'Global (HQ: Fort Lauderdale, Florida, '
                                    'USA)',
                        'name': 'Citrix (Cloud Software Group)',
                        'type': 'Corporation'}],
 'attack_vector': ['Network', 'Unauthenticated Remote Exploitation'],
 'customer_advisories': ['Configuration checks provided to identify vulnerable '
                         'systems'],
 'date_detected': '2025-08-26',
 'date_publicly_disclosed': '2025-08-26',
 'description': 'Citrix patched three vulnerabilities in NetScaler ADC and '
                'NetScaler Gateway, including a critical zero-day remote code '
                'execution (RCE) flaw (CVE-2025-7775) actively exploited in '
                'attacks. The flaw is a memory overflow bug allowing '
                'unauthenticated RCE on unpatched devices. Two additional '
                'flaws were addressed: a denial-of-service (DoS) vulnerability '
                '(CVE-2025-7776) and an improper access control issue on the '
                'Management Interface (CVE-2025-8424). No mitigations are '
                'available; Citrix urges immediate firmware updates. The '
                'vulnerabilities affect specific configurations of NetScaler '
                'Gateway, AAA virtual servers, and load-balancing (LB) virtual '
                'servers with IPv6 bindings. Earlier in June, Citrix disclosed '
                "another actively exploited flaw, CVE-2025-5777 ('Citrix Bleed "
                "2'), involving out-of-bounds memory read attacks.",
 'impact': {'brand_reputation_impact': ['Potential reputational damage due to '
                                        'zero-day exploitation'],
            'operational_impact': ['Potential unauthorized remote code '
                                   'execution',
                                   'Denial of Service (DoS) risks',
                                   'Unauthorized access to management '
                                   'interfaces'],
            'systems_affected': ['NetScaler ADC (versions 12.1, 13.1, 14.1)',
                                 'NetScaler Gateway (versions 13.1, 14.1)',
                                 'NetScaler ADC 13.1-FIPS and NDcPP',
                                 'NetScaler ADC 12.1-FIPS and NDcPP']},
 'investigation_status': 'Ongoing (Citrix monitoring for exploitation; no IoCs '
                         'shared yet)',
 'post_incident_analysis': {'corrective_actions': ['Released patched firmware '
                                                   'versions',
                                                   'Public disclosure and '
                                                   'urgency warnings'],
                            'root_causes': ['Memory overflow vulnerability '
                                            '(CVE-2025-7775)',
                                            'Lack of mitigations for zero-day '
                                            'exploitation']},
 'recommendations': ['Immediately apply firmware updates to NetScaler ADC and '
                     'Gateway devices.',
                     'Audit configurations for vulnerable setups (e.g., IPv6 '
                     'bindings, Gateway/AAA virtual servers).',
                     'Monitor for indicators of compromise (IoCs) related to '
                     'CVE-2025-7775 exploitation.',
                     'Review and harden NetScaler Management Interface access '
                     'controls.'],
 'references': [{'date_accessed': '2025-08-26',
                 'source': 'Citrix Advisory (Cloud Software Group)'},
                {'date_accessed': '2025-08-26',
                 'source': 'BleepingComputer Article'},
                {'source': 'Horizon3.ai (Jimi Sebree)'},
                {'source': 'Schramm & Partner (Jonathan Hetzer)'},
                {'source': 'François Hämmerli (Independent Researcher)'}],
 'response': {'communication_strategy': ['Public advisory',
                                         'Blog post',
                                         'Media outreach (e.g., '
                                         'BleepingComputer)'],
              'containment_measures': ['Urgent advisory released',
                                       'Configuration checks provided to '
                                       'identify vulnerable systems'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Firmware updates released (versions '
                                       '14.1-47.48, 13.1-59.22, etc.)',
                                       'No mitigations available; patching is '
                                       'mandatory']},
 'stakeholder_advisories': ['Public advisory urging immediate patching'],
 'title': 'Critical Remote Code Execution Flaw (CVE-2025-7775) in Citrix '
          'NetScaler ADC and Gateway',
 'type': ['Vulnerability Exploitation',
          'Zero-Day Attack',
          'Remote Code Execution (RCE)',
          'Denial of Service (DoS)',
          'Improper Access Control'],
 'vulnerability_exploited': [{'affected_versions': ['NetScaler ADC and Gateway '
                                                    '14.1 (before 14.1-47.48)',
                                                    'NetScaler ADC and Gateway '
                                                    '13.1 (before 13.1-59.22)',
                                                    'NetScaler ADC 13.1-FIPS '
                                                    'and NDcPP (before '
                                                    '13.1-37.241-FIPS and '
                                                    'NDcPP)',
                                                    'NetScaler ADC 12.1-FIPS '
                                                    'and NDcPP (before '
                                                    '12.1-55.330-FIPS and '
                                                    'NDcPP)'],
                              'cve_id': 'CVE-2025-7775',
                              'description': 'Unauthenticated remote code '
                                             'execution on vulnerable '
                                             'NetScaler devices.',
                              'severity': 'Critical',
                              'type': 'Memory Overflow',
                              'vulnerable_configurations': ['NetScaler '
                                                            'configured as '
                                                            'Gateway (VPN '
                                                            'virtual server, '
                                                            'ICA Proxy, CVPN, '
                                                            'RDP Proxy) or AAA '
                                                            'virtual server',
                                                            'LB virtual '
                                                            'servers (HTTP, '
                                                            'SSL, HTTP_QUIC) '
                                                            'bound with IPv6 '
                                                            'services/service '
                                                            'groups',
                                                            'LB virtual '
                                                            'servers (HTTP, '
                                                            'SSL, HTTP_QUIC) '
                                                            'bound with DBS '
                                                            'IPv6 '
                                                            'services/service '
                                                            'groups',
                                                            'CR virtual server '
                                                            'with type HDX']},
                             {'affected_versions': ['NetScaler ADC and Gateway '
                                                    '14.1 (before 14.1-47.48)',
                                                    'NetScaler ADC and Gateway '
                                                    '13.1 (before 13.1-59.22)',
                                                    'NetScaler ADC 13.1-FIPS '
                                                    'and NDcPP (before '
                                                    '13.1-37.241-FIPS and '
                                                    'NDcPP)',
                                                    'NetScaler ADC 12.1-FIPS '
                                                    'and NDcPP (before '
                                                    '12.1-55.330-FIPS and '
                                                    'NDcPP)'],
                              'cve_id': 'CVE-2025-7776',
                              'description': 'Denial of Service (DoS) '
                                             'vulnerability.',
                              'type': 'Memory Overflow'},
                             {'affected_versions': ['NetScaler ADC and Gateway '
                                                    '14.1 (before 14.1-47.48)',
                                                    'NetScaler ADC and Gateway '
                                                    '13.1 (before 13.1-59.22)',
                                                    'NetScaler ADC 13.1-FIPS '
                                                    'and NDcPP (before '
                                                    '13.1-37.241-FIPS and '
                                                    'NDcPP)',
                                                    'NetScaler ADC 12.1-FIPS '
                                                    'and NDcPP (before '
                                                    '12.1-55.330-FIPS and '
                                                    'NDcPP)'],
                              'cve_id': 'CVE-2025-8424',
                              'description': 'Vulnerability in the NetScaler '
                                             'Management Interface.',
                              'type': 'Improper Access Control'},
                             {'cve_id': 'CVE-2025-5777',
                              'description': "Dubbed 'Citrix Bleed 2'; allows "
                                             'attackers to access sensitive '
                                             'information in memory. Actively '
                                             'exploited in June 2025.',
                              'type': 'Out-of-Bounds Memory Read'}]}