Urgent: NetScaler Zero-Day Actively Exploited (CVE-2025-7775)

Summary
– Three vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) affect Citrix NetScaler ADC and Gateway devices, with CVE-2025-7775 already exploited in zero-day attacks.
– CVE-2025-7775 is a memory overflow flaw enabling pre-auth remote code execution or denial of service, while CVE-2025-8424 involves improper access control on the management interface.
– These vulnerabilities impact specific versions of NetScaler ADC and Gateway, including 14.1 before 14.1-47.48 and 13.1 before 13.1-59.22, with no available workarounds.
– CISA has added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog, requiring US federal agencies to patch by August 28, 2025.
– Security researchers note that many internet-facing devices remain unpatched, and that exploitation is more likely to come from skilled adversaries in targeted attacks than from broad commodity attacks.

A critical security alert has been issued for Citrix NetScaler ADC and Gateway devices following the discovery of three new vulnerabilities, one of which is already being exploited in active attacks. That flaw, CVE-2025-7775, allows pre-authentication remote code execution and denial of service, posing an immediate threat to organizations running affected systems. Citrix has confirmed that exploitation of unpatched appliances has been observed and has released security updates that address all three issues.
The vulnerabilities include CVE-2025-7775, a memory overflow issue enabling pre-authentication remote code execution or denial of service; CVE-2025-7776, another memory overflow flaw causing unpredictable behavior and service disruption; and CVE-2025-8424, which involves improper access control on the NetScaler management interface. Each of these can be exploited, but only on devices configured with specific functions. Affected versions include NetScaler ADC and Gateway 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, and several FIPS and NDcPP builds.
Citrix emphasizes that Secure Private Access on-prem or hybrid deployments using NetScaler are also vulnerable and must be upgraded immediately. There are no available workarounds, making prompt patching essential. Users of unsupported versions like 12.1 and 13.0 are strongly advised to migrate to a currently supported release.
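As an added illustration (not code from Citrix or from the original article), the version thresholds above can be turned into a quick inventory triage. The `NS14.1: Build 47.48.nc` banner layout, the host names and the sample builds are assumptions; FIPS and NDcPP builds are flagged for manual review because the article does not state their fixed builds.

```python
import re

# Fixed builds as stated in the article; FIPS/NDcPP thresholds are not given there.
FIXED = {(14, 1): (47, 48), (13, 1): (59, 22)}
UNSUPPORTED = {(12, 1), (13, 0)}  # named in the article as unsupported

# Accepts "14.1-47.48" (article notation) or an assumed banner form
# "NS14.1: Build 47.48.nc"; the banner layout is an assumption.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.I)


def classify(version_text):
    """Return one of: patched, vulnerable, unsupported, manual-review, unparsed."""
    if re.search(r"fips|ndcpp", version_text, re.I):
        return "manual-review"  # compare against the vendor bulletin by hand
    m = _VERSION.search(version_text)
    if not m:
        return "unparsed"
    major, minor, build, sub = map(int, m.groups())
    if (major, minor) in UNSUPPORTED:
        return "unsupported"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "manual-review"  # release branch the article does not mention
    # Numeric tuple comparison: as strings, "9.12" would sort after "47.48".
    return "patched" if (build, sub) >= fixed else "vulnerable"


def triage(inventory):
    """Group host names by status so patching work can be prioritised."""
    report = {}
    for host, version_text in inventory.items():
        report.setdefault(classify(version_text), []).append(host)
    return report


# Constructed inventory; host names and builds are sample values.
SAMPLE = {
    "gw-edge-01": "NetScaler NS14.1: Build 47.48.nc",
    "gw-edge-02": "14.1-9.12",
    "adc-dc-01": "13.1-59.19",
    "adc-dc-02": "NS13.0: Build 92.21.nc",
    "adc-fips-01": "13.1-37.235 FIPS",
    "adc-lab-01": "unknown",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:14} {', '.join(hosts)}")
```

A "patched" result only reflects the running build; it does not show whether the appliance was compromised before the upgrade, and it does not assess whether the device has the specific functions configured that make the flaws exploitable.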
Security researcher Kevin Beaumont has reported that attackers are leveraging CVE-2025-7775 to deploy webshells, creating backdoors into targeted networks. He warns that organizations will need to conduct incident response as technical details about the backdoor emerge. This incident continues a troubling pattern for Citrix, which has faced multiple exploited zero-days this year, including CVE-2025-6543 and CVE-2025-5777 (CitrixBleed 2), both actively abused for months before patches were available.
In response to the escalating threat, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been directed to apply fixes by August 28. Despite this urgency, Beaumont noted that a significant number of internet-facing NetScaler devices remain unpatched.
According to Caitlin Condon, VP of Research at VulnCheck, approximately 14,300 Citrix NetScaler instances were exposed to the public internet when the vulnerabilities were disclosed. She highlighted that memory corruption flaws like CVE-2025-7775 and CVE-2025-7776 are often exploited by skilled or state-sponsored actors in targeted campaigns rather than broad attacks. Condon also cautioned that while only CVE-2025-7775 is currently under active exploitation, future attack chains may combine it with CVE-2025-8424 to compromise management interfaces. She advises organizations to prioritize patching for all three vulnerabilities, not just the memory corruption issues.
(Source: Help Net Security)





