Citrix Fixes Critical NetScaler RCE Flaw Exploited in Zero-Day Attacks
Summary:
Citrix released an urgent patch yesterday to fix three critical vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The most severe of these flaws is a critical RCE vulnerability, tracked as CVE-2025-7775, that was actively exploited as a zero-day. This memory overflow bug allows unauthenticated remote code execution on vulnerable devices. Citrix has confirmed that attacks have been observed on unpatched systems and is strongly urging customers to upgrade their NetScaler firmware immediately to a version with the fix, as there are no other mitigations available. The vulnerability affects specific configurations where NetScaler is set up as a Gateway or AAA virtual server. It also affects CR virtual servers of type HDX and a few additional configurations. It should be emphasized that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported; those releases do not receive fixes for the vulnerabilities in this advisory.
The other two vulnerabilities patched are a memory overflow bug that could lead to a denial-of-service (DoS) attack (CVE-2025-7776) and an improper access control issue on the NetScaler Management Interface (CVE-2025-8424). These flaws impact several versions of NetScaler ADC and Gateway. It's important to note that this isn't the first time a Citrix vulnerability has been exploited in the wild in 2025. A previous out-of-bounds memory read flaw, CVE-2025-5777 (Citrix Bleed 2), was also exploited before a public patch was available. Additionally, the NCSC released an advisory on August 13th stating that it had determined multiple critical organizations in the Netherlands were successfully attacked through exploitation of CVE-2025-6543 as a zero-day in Citrix NetScaler, which has since been patched.
Security Officer Comments:
The immediate and public nature of Citrix's advisory, coupled with its strong recommendation to patch without an available workaround, signals a significant and credible threat. CISA added Citrix Bleed 2 (CVE-2025-5777) to its KEV catalog and gave federal agencies only one day to patch the flaw. The active exploitation of CVE-2025-7775 as a zero-day demonstrates that attackers are quick to leverage new vulnerabilities, particularly those that offer unauthenticated RCE. NetScaler is considered a high-value target for adversaries because it serves as a key component for managing and securing network traffic to optimize applications and websites for a majority of Fortune 500 companies, which represent various US critical sectors. Unfortunately, the lack of shared IOCs from Citrix could hinder organizations' ability to determine whether they have already been breached before blindly upgrading to a patched version. The history of the "Citrix Bleed 2" vulnerability (CVE-2025-5777) further underscores a pattern where exploitation by threat actors precedes public disclosure and patching, leaving a generous window of opportunity for attackers and a persistent challenge for defenders. The Citrix advisory for CVE-2025-7775 shares configuration settings that can be checked to determine whether your NetScaler device is using one of the vulnerable configurations.
Suggested Corrections:
Exploits of CVE-2025-7775 on unmitigated appliances have been observed.
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
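An added example (not part of the original advisory or Citrix's own tooling) that turns the fixed-build list above into a patch-status check: it parses a NetScaler build string, picks the threshold for its branch and variant, and flags the EOL branches that have no fix. The "NS14.1: Build 47.46.nc" input shape and the "-FIPS" suffix convention are assumptions about how the version may be reported; the "14.1-47.48" form is the one used in the list above.

```python
import re

# Minimum fixed builds per branch, taken from the list above.
# Key: (branch, variant); variant "" means the standard release.
FIXED_BUILDS = {
    ("14.1", ""): (47, 48),
    ("13.1", ""): (59, 22),
    ("13.1", "FIPS"): (37, 241),
    ("13.1", "NDcPP"): (37, 241),
    ("12.1", "FIPS"): (55, 330),
    ("12.1", "NDcPP"): (55, 330),
}
# Standard 12.1 and 13.0 are End Of Life and receive no fix.
EOL_BRANCHES = {("12.1", ""), ("13.0", "")}
VARIANTS = {"FIPS": "FIPS", "NDCPP": "NDcPP"}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:[-_](FIPS|NDcPP))?$", re.I)

def normalize(s):
    """Reduce 'NetScaler NS14.1: Build 47.46.nc' or '14.1-47.46' to '14.1-47.46'.
    The 'NS<branch>: Build <n>.<m>.nc' shape is an assumed show-version format."""
    s = re.sub(r"^NetScaler\s+", "", s.strip(), flags=re.I)
    s = re.sub(r"^NS", "", s, flags=re.I)
    s = re.sub(r":\s*Build\s*", "-", s, flags=re.I)
    return re.sub(r"\.nc\b", "", s, flags=re.I)

def parse_version(s):
    """Return (branch, (build, sub), variant); raise ValueError on unknown shapes."""
    m = VERSION_RE.match(normalize(s))
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {s!r}")
    branch, build, sub, variant = m.groups()
    return branch, (int(build), int(sub)), VARIANTS.get((variant or "").upper(), "")

def assess(version, variant=None):
    """Classify a running build against the fixed builds for CVE-2025-7775.
    An explicit variant ('FIPS', 'NDcPP' or '') overrides one parsed from the string."""
    branch, build, parsed_variant = parse_version(version)
    variant = parsed_variant if variant is None else VARIANTS.get(variant.upper(), "")
    if (branch, variant) in EOL_BRANCHES:
        return "eol-unsupported"   # no fixed build exists on this branch; migrate
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "unknown-branch"
    return "patched" if build >= fixed else "vulnerable"

if __name__ == "__main__":
    for v in ["NetScaler NS14.1: Build 47.46.nc", "14.1-47.48", "13.1-37.240-FIPS", "13.0-92.21"]:
        print(f"{v:36} -> {assess(v)}")
```

A "patched" result only covers the build number; the advisory's configuration checks (Gateway, AAA or HDX CR virtual servers) still decide whether the exposure existed before the upgrade.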
https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/
https://www.netscaler.com/blog/news/critical-security-update-announced-for-netscaler-gateway-and-netscaler/