Critical Vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway Under Active Exploitation

Summary

Advisory addresses three vulnerabilities that could allow for unauthenticated remote code execution, unauthorised access to the management interface, and denial-of-service. Citrix has observed exploitation of CVE-2025-7775 in the wild.


The following platforms are also known to be affected:

  • Secure Private Access On-Premises and Secure Private Access Hybrid deployments that use NetScaler instances.

Threat details

Exploitation of CVE-2025-7775

Citrix has reported exploitation of CVE-2025-7775 in the wild. The NHS England National CSOC assesses further exploitation as highly likely.

End of life (EoL) products still vulnerable

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End of Life (EoL) and are vulnerable. Organisations using EoL versions must upgrade to the latest release of supported versions as soon as possible.


Introduction

Citrix has released a critical security bulletin addressing three vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Citrix NetScaler is an all-in-one load balancer, web application firewall (WAF), virtual private network (VPN) gateway and SSL offloading tool for web applications.


Vulnerability details

  • CVE-2025-7775 is an "improper restriction of operations within the bounds of a memory buffer" (memory overflow) vulnerability with a CVSSv4 base score of 9.2. Successful exploitation could allow an unauthenticated, remote attacker to execute code on the NetScaler appliance, or to cause a denial-of-service. CVE-2025-7775 is under active exploitation.
  • CVE-2025-7776 is an "improper restriction of operations within the bounds of a memory buffer" (memory overflow) vulnerability with a CVSSv4 base score of 8.8. Successful exploitation could allow an unauthenticated, remote attacker to cause the NetScaler appliance to exhibit unpredictable or erroneous behaviour, or to cause a denial-of-service.
  • CVE-2025-8424 is an "improper access control" vulnerability with a CVSSv4 base score of 8.7. Successful exploitation could allow a remote, unauthorised attacker to gain access to the NetScaler management interface, leading to full device takeover. Exploitation requires network access to a management-facing address (the NSIP, a cluster management IP, a local GSLB site IP, or a SNIP with management access enabled), so organisations should also confirm that management interfaces are not reachable from untrusted networks.

Citrix states that there are no workarounds for these vulnerabilities; updating to a fixed build is the only remediation.

Remediation advice

Affected organisations must review Citrix Security Bulletin CTX694938 and apply the relevant update as soon as possible (detailed below).

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End of Life (EoL) and no longer supported. Organisations using EoL versions must upgrade to the latest release of supported versions as soon as possible.


Remediation steps

All of the updates below are described in Citrix Security Bulletin CTX694938:
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleURL=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424

Type: Patch

  • NetScaler ADC and NetScaler Gateway 14.1: organisations must update to version 14.1-47.48 or later.
  • NetScaler ADC and NetScaler Gateway 13.1: organisations must update to version 13.1-59.22 or a later release of 13.1.
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP: organisations must update to version 13.1-37.241 or a later release of 13.1-FIPS and 13.1-NDcPP.
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP: organisations must update to version 12.1-55.330 or a later release of 12.1-FIPS and 12.1-NDcPP.
  • NetScaler ADC and NetScaler Gateway 12.1 and 13.0: these versions are now End of Life. Organisations must upgrade to a supported version.
  • Secure Private Access On-Premises or Secure Private Access Hybrid deployments using NetScaler instances: organisations must upgrade these NetScaler instances to the latest release of a supported version as soon as possible.
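Checking each appliance's reported build against the fixed builds listed above is the practical first step, and it is easy to get wrong because the FIPS/NDcPP fix for 13.1 sits in the 37.x build line while standard 13.1 is fixed at 59.22. The following is an added example written for this alert, not code from Citrix or NetScaler: it parses the version banner that `show ns version` prints (the `NetScaler NS14.1: Build 47.46.nc, Date: ...` form), maps the release train and edition to the minimum fixed build from the remediation steps, and returns a patched, vulnerable or End of Life verdict. The edition (standard, FIPS or NDcPP) is taken as an operator-supplied input, an assumption made because the banner alone cannot distinguish a patched 13.1-FIPS build from an old standard 13.1 build; the host names and banners in the sample inventory are constructed, and the inventory layout is hypothetical.

```python
import re
from dataclasses import dataclass

# Minimum fixed build per (branch, edition), taken from the remediation
# steps in CTX694938. Standard 12.1 and 13.0 are End of Life and have no
# fixed build, so they are deliberately absent from this map.
FIXED_BUILDS: dict[tuple[str, str], tuple[int, int]] = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),   # covers 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 330),   # covers 12.1-FIPS and 12.1-NDcPP
}
EOL_BRANCHES = {"12.1", "13.0"}

# Matches the version line printed by "show ns version" on a NetScaler,
# e.g. "NetScaler NS14.1: Build 47.46.nc, Date: ...". "branch" is the
# release train and major/minor form the build number the bulletin keys on.
VERSION_RE = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


@dataclass(frozen=True)
class Verdict:
    branch: str
    build: tuple[int, int]
    status: str  # "patched", "vulnerable", "eol" or "unknown"
    detail: str


def normalise_edition(edition: str) -> str:
    """FIPS and NDcPP builds share one fix line in the bulletin."""
    return "fips" if edition.lower() in {"fips", "ndcpp"} else "standard"


def parse_version(banner: str) -> tuple[str, tuple[int, int]]:
    """Extract (branch, (major, minor)) from a NetScaler version banner."""
    match = VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return match["branch"], (int(match["major"]), int(match["minor"]))


def assess(banner: str, edition: str = "standard") -> Verdict:
    """Compare an appliance's build against the minimum fixed build.

    The edition is an operator-supplied assumption: the banner alone does
    not say whether a 13.1 box at build 37.x is a patched FIPS/NDcPP
    appliance or an old, vulnerable standard appliance.
    """
    branch, build = parse_version(banner)
    key = (branch, normalise_edition(edition))
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        if branch in EOL_BRANCHES:
            return Verdict(branch, build, "eol",
                           f"{branch} is End of Life; upgrade to a supported release")
        return Verdict(branch, build, "unknown",
                       f"no fixed build recorded for {branch} ({key[1]})")
    if build >= fixed:  # tuple comparison: (48, 0) > (47, 48), (47, 46) < (47, 48)
        return Verdict(branch, build, "patched",
                       f"build {build[0]}.{build[1]} >= fixed {fixed[0]}.{fixed[1]}")
    return Verdict(branch, build, "vulnerable",
                   f"build {build[0]}.{build[1]} < fixed {fixed[0]}.{fixed[1]}; update required")


# Constructed inventory for demonstration (hypothetical hosts, not captured output).
SAMPLE_INVENTORY = [
    ("gw-01", "NetScaler NS14.1: Build 47.46.nc, Date: Jul 1 2025", "standard"),
    ("gw-02", "NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025", "standard"),
    ("adc-fips-01", "NetScaler NS13.1: Build 37.241.nc, Date: Aug 20 2025", "fips"),
    ("adc-old-01", "NetScaler NS13.0: Build 92.31.nc, Date: Jan 10 2025", "standard"),
]


def assess_inventory(inventory) -> dict[str, Verdict]:
    """Run assess() over (host, banner, edition) rows and key results by host."""
    return {host: assess(banner, edition) for host, banner, edition in inventory}


if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict.branch:5} {verdict.status:10} {verdict.detail}")
```

Because the fixed builds are keyed on both branch and edition, a standard 13.1 appliance reporting build 37.241 is correctly reported as vulnerable (it is well below 59.22), while the same banner on a FIPS or NDcPP appliance is reported as patched; any row where the operator cannot confirm the edition should be treated as vulnerable until it can.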


Last edited: 26 August 2025 3:29 pm