Citrix Addresses Critical Security Vulnerabilities in NetScaler
On August 26, 2025, Citrix announced patches for several significant security vulnerabilities affecting its NetScaler ADC and NetScaler Gateway products. Among these flaws, one has reportedly been exploited in real-world attacks, prompting immediate concern and action from the company.
Overview of the Vulnerabilities
Citrix identified three primary vulnerabilities that pose a risk to users:
-
CVE-2025-7775: Rated at a critical CVSS score of 9.2, this memory overflow vulnerability can lead to Remote Code Execution (RCE) and/or Denial-of-Service (DoS) conditions.
-
CVE-2025-7776: With a score of 8.8, this memory overflow issue can result in unpredictable behaviors that also lead to Denial-of-Service.
- CVE-2025-8424: This vulnerability, rated at 8.7 for its severity, involves improper access control to the NetScaler Management Interface.
Despite acknowledging that CVE-2025-7775 has been linked to active exploitation, Citrix refrained from providing comprehensive details regarding the incidents.
Conditions for Exploitation
For attackers to successfully exploit these vulnerabilities, certain prerequisites must be met:
CVE-2025-7775
- The NetScaler must be set up as a Gateway (e.g., VPN virtual server, ICA Proxy, CVPN, RDP Proxy).
- The device must use versions 13.1, 14.1, or their FIPS variants, specifically with LB virtual servers configured for IPv6 or for services or groups incorporating IPv6.
CVE-2025-7776
- The setup must also have the NetScaler configured as a Gateway, but with a PCoIP profile bound.
CVE-2025-8424
- Access to the NSIP, Cluster Management IP, local GSLB Site IP, or SNIP with management access is required.
Available Fixes and Updates
Citrix has made it clear that there are no workarounds for these vulnerabilities. The vulnerabilities have been patched in the following software versions:
- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later
Recognition of Vulnerability Discoverers
Citrix has acknowledged the contributions of several individuals who played a critical role in identifying and reporting these vulnerabilities. Jimi Sebree from Horizon3.ai, Jonathan Hetzer from Schramm & Partner, and François Hämmerli were credited for their findings.
Recent Context of Vulnerabilities
CVE-2025-7775 is the latest in a concerning trend of vulnerabilities affecting the Citrix platform. It follows closely behind other severe issues, such as CVE-2025-5777 (commonly referred to as Citrix Bleed 2) and CVE-2025-6543, which have also been leveraged in real-world cyberattacks.
Adding to the urgency of this situation was a recent announcement by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which included two additional security flaws related to Citrix Session Recording (CVE-2024-8068 and CVE-2024-8069) in its Known Exploited Vulnerabilities (KEV) catalog, underscoring the active threat landscape.
Conclusion
The landscape of cybersecurity remains precarious, particularly for enterprises relying on platforms like Citrix. As threats evolve, organizations using NetScaler ADC and Gateway should prioritize implementing these patches to mitigate risks associated with these vulnerabilities and ensure that their systems remain secure.
