CVE-2025-7775: Citrix Zero-Day Exploit Hits NetScaler Devices
A newly discovered zero-day vulnerability in Citrix NetScaler devices, tracked as CVE-2025-7775, is already being exploited in the wild, prompting federal agencies and enterprise defenders to act fast. What’s at risk isn’t just system availability but full compromise of critical infrastructure. Here’s what you need to know, and what you must do next.
What Is CVE-2025-7775?
CVE-2025-7775 (CVSSv4 9.2) is a memory overflow, classified under CWE-119 (improper restriction of operations within the bounds of a memory buffer). It affects multiple versions of NetScaler ADC and NetScaler Gateway and allows a remote, unauthenticated attacker to execute arbitrary code or cause a Denial-of-Service (DoS) condition without any user interaction.
The fact that this flaw does not require valid credentials or prior access makes it particularly dangerous for internet-facing devices.
Details of CVE-2025-7775 (SOCRadar Vulnerability Intelligence)
Affected Configurations and Exploitation Status
While Citrix noted that successful exploitation requires specific configurations, many production environments already match them. Per the bulletin, an appliance is exposed when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; when a load-balancing virtual server of type HTTP, SSL or HTTP_QUIC is bound to IPv6 services or to servicegroups containing IPv6 servers (including domain-based servers resolved via AAAA records); or when a content-routing (CR) virtual server of type HDX is present.
The vulnerability is already being actively used in attacks. It can be triggered remotely, before any authentication occurs, which increases the risk to internet-facing systems. In some observed cases, attackers have deployed webshells post-compromise, establishing persistent access for further exploitation.
Security researcher Kevin Beaumont reported that the majority of internet-facing NetScaler devices remain unpatched, leaving a wide attack surface open to adversaries.
Researcher reports a 16% patch rate so far (Mastodon)
In parallel, Jimi Sebree from Horizon3.ai emphasized that these flaws affect components similar to those involved in the earlier CitrixBleed vulnerabilities, making exploitation relatively straightforward. He warned that attackers could easily locate exposed NetScaler systems online and stressed the urgency of patching before damage escalates.
How to Check If You Are Exposed
Citrix has provided configuration clues that admins can use to verify exposure. The quickest way is to inspect a saved copy of ns.conf (or the output of show ns runningConfig on the appliance). Key indicators include:
- Gateway or AAA configuration: add vpn vserver or add authentication vserver lines
- Content routing for HDX: an add cr vserver line of type HDX
- Load balancing to IPv6 back ends: lb vservers of type HTTP, SSL or HTTP_QUIC bound to services or servicegroups whose servers are IPv6 addresses
- Domain-based servers resolved with AAAA (IPv6) queries behind such lb vservers
- PCoIP profiles bound to a Gateway vserver (this is the precondition for CVE-2025-7776, covered below, rather than for CVE-2025-7775)
See further details in Citrix’s official security bulletin (CTX694938).
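The following script, added here as an example and not Citrix's own tooling, automates that ns.conf inspection. It parses the object definitions and bindings the bulletin's preconditions depend on (vpn/authentication/cr vservers, servers, services, servicegroups, lb vservers and their bindings) and reports which CVE-2025-7775 indicators are present. The embedded SAMPLE_NS_CONF is a constructed excerpt for illustration, not a real appliance configuration, and the assumption that a servicegroup's IPv6 status is determined by its bound members' server objects is ours.

```python
"""Flag CVE-2025-7775 preconditions (CTX694938) in a NetScaler ns.conf.

Added example, not Citrix tooling. Usage: python check_ns_conf.py /nsconfig/ns.conf
With no argument it evaluates the constructed sample below.
"""
import ipaddress
import shlex
import sys

# lb vserver types named in the bulletin's IPv6 precondition
LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}


def is_ipv6(token):
    """True for a literal IPv6 address; False for IPv4, hostnames, anything else."""
    try:
        return ipaddress.ip_address(token).version == 6
    except ValueError:
        return False


def parse_config(text):
    """Collect the objects needed to evaluate the bulletin's preconditions."""
    cfg = {"gateway": [], "aaa": [], "hdx_cr": [], "servers": {},
           "services": {}, "servicegroups": {}, "lb_vservers": {}, "lb_bindings": []}
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:
            continue  # unbalanced quotes: not a line we care about
        if len(tok) < 4 or tok[0].startswith("#"):
            continue
        low = [t.lower() for t in tok]
        head = tuple(low[:2])
        if head == ("add", "server"):
            # IPv6 either as a literal address or as a domain-based (DBS) server
            # resolved via AAAA / flagged -IPv6Address YES
            v6 = is_ipv6(tok[3])
            for flag, want in (("-querytype", "aaaa"), ("-ipv6address", "yes")):
                if flag in low and low.index(flag) + 1 < len(low):
                    v6 = v6 or low[low.index(flag) + 1] == want
            cfg["servers"][tok[2]] = v6
        elif head == ("add", "service") and len(tok) >= 5:
            cfg["services"][tok[2]] = tok[3]          # name -> IP or server name
        elif head == ("add", "servicegroup"):
            cfg["servicegroups"][tok[2]] = {"type": tok[3].upper(), "members": []}
        elif head == ("bind", "servicegroup") and not tok[3].startswith("-"):
            # member bindings only; "-monitorName ..." bindings are skipped
            cfg["servicegroups"].setdefault(tok[2], {"type": "", "members": []})["members"].append(tok[3])
        elif low[:3] == ["add", "vpn", "vserver"]:
            cfg["gateway"].append(tok[3])
        elif low[:3] == ["add", "authentication", "vserver"]:
            cfg["aaa"].append(tok[3])
        elif low[:3] == ["add", "cr", "vserver"] and len(tok) >= 5 and tok[4].upper() == "HDX":
            cfg["hdx_cr"].append(tok[3])
        elif low[:3] == ["add", "lb", "vserver"] and len(tok) >= 5:
            cfg["lb_vservers"][tok[3]] = tok[4].upper()
        elif low[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5 and not tok[4].startswith("-"):
            cfg["lb_bindings"].append((tok[3], tok[4]))   # (vserver, service|servicegroup)
    return cfg


def points_to_ipv6(cfg, target):
    """A service or servicegroup member is IPv6 if it is a literal IPv6 address
    or names a server object that is IPv6 / DBS-AAAA (assumption of this script)."""
    return is_ipv6(target) or cfg["servers"].get(target, False)


def assess(text):
    """Return human-readable findings; empty list = no CVE-2025-7775 precondition found."""
    cfg = parse_config(text)
    findings = [f"gateway (vpn) vserver present: {n}" for n in cfg["gateway"]]
    findings += [f"aaa (authentication) vserver present: {n}" for n in cfg["aaa"]]
    findings += [f"content routing vserver of type HDX: {n}" for n in cfg["hdx_cr"]]
    for vs, bound in cfg["lb_bindings"]:
        vtype = cfg["lb_vservers"].get(vs)
        if vtype not in LB_TYPES:
            continue
        if bound in cfg["services"] and points_to_ipv6(cfg, cfg["services"][bound]):
            findings.append(f"lb vserver {vs} ({vtype}) bound to IPv6 service {bound}")
        elif bound in cfg["servicegroups"] and any(
                points_to_ipv6(cfg, m) for m in cfg["servicegroups"][bound]["members"]):
            findings.append(f"lb vserver {vs} ({vtype}) bound to servicegroup {bound} with IPv6 members")
    return findings


# Constructed ns.conf excerpt for illustration; not from a real appliance.
SAMPLE_NS_CONF = """\
add ns ip 10.0.0.10 255.255.255.0 -type SNIP
add server web6a 2001:db8:10::21
add server api_dbs api.internal.example -queryType AAAA
add service svc_web6 web6a HTTP 80
add service svc_v4 192.0.2.30 HTTP 80
add serviceGroup sg_api SSL
bind serviceGroup sg_api api_dbs 443
bind serviceGroup sg_api -monitorName https
add lb vserver lb_web HTTP 192.0.2.10 80
add lb vserver lb_api SSL 192.0.2.11 443
add lb vserver lb_v4only HTTP 192.0.2.12 80
bind lb vserver lb_web svc_web6
bind lb vserver lb_api sg_api
bind lb vserver lb_v4only svc_v4
add vpn vserver gw_vs SSL 192.0.2.20 443
add cr vserver cr_hdx HDX 192.0.2.40 443
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NS_CONF
    hits = assess(text)
    for h in hits:
        print("MATCH:", h)
    print("no CVE-2025-7775 preconditions found" if not hits
          else f"{len(hits)} indicator(s); compare the build against CTX694938")
```

On the sample, the IPv4-only lb vserver (lb_v4only) is correctly left alone while the Gateway vserver, the HDX CR vserver, the lb vserver fronting an IPv6 server and the one fronting a DBS/AAAA servicegroup are all reported. A match means the configuration precondition is met; whether the appliance is actually vulnerable still depends on the build number.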
Additional Vulnerabilities Disclosed
While CVE-2025-7775 has drawn most attention due to its active exploitation, two more high-severity vulnerabilities were also patched:
CVE-2025-7776: Memory Overflow Leading to DoS
- Severity: CVSSv4 8.8
- Risk: DoS or unpredictable behavior on appliances where a PCoIP profile is bound to a Gateway (VPN) virtual server
- Cause: Same class of memory overflow (CWE-119) as CVE-2025-7775, reached through a different configuration
CVE-2025-8424: Improper Access Control
- Severity: CVSSv4 8.7
- Risk: Unauthorized access via the NetScaler management interface
- Vector: Network access to a management IP (NSIP, Cluster Management IP, local GSLB Site IP, or a SNIP with management access enabled)
Security experts warn that while CVE-2025-7775 allows initial access, attackers could combine it with CVE-2025-8424 for deeper system control. That chain only works if the management interface is reachable from the position the attacker has gained, which is one more reason to keep the NSIP and any management-enabled SNIPs off untrusted networks and on a dedicated management segment.
SOCRadar’s Vulnerability Intelligence
Vulnerability Intelligence, part of SOCRadar’s Cyber Threat Intelligence module, empowers security teams to detect, prioritize, and act on emerging threats before they hit.
With it, you can:
- Monitor exploited and trending CVEs like CVE-2025-7775 in real-time
- Correlate vulnerabilities with your tech stack for rapid risk assessment
- Receive contextual alerts tailored to your environment
Combine it with the Attack Surface Management (ASM) module to:
- Map exposed assets instantly
- Identify which systems are truly at risk
- Strengthen proactive defense across your digital footprint
What Systems Are Affected?
The following builds are vulnerable:
- NetScaler ADC and NetScaler Gateway 14.1: builds before 14.1-47.48
- NetScaler ADC and NetScaler Gateway 13.1: builds before 13.1-59.22
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP: builds before 13.1-37.241
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP: builds before 12.1-55.330
- Secure Private Access on-premises and hybrid deployments that use NetScaler instances
Citrix notes that the standard (non-FIPS) 12.1 and 13.0 releases are end-of-life and receive no fix. Appliances on those builds must be upgraded to a supported 13.1 or 14.1 build immediately.
No Workarounds; Patch Immediately
Citrix has confirmed no workarounds or mitigating factors. Organizations must upgrade to the fixed builds without delay. Updated builds include:
- 14.1-47.48 or newer
- 13.1-59.22 or newer
- 13.1-37.241 or newer (13.1-FIPS and 13.1-NDcPP)
- 12.1-55.330 or newer (12.1-FIPS and 12.1-NDcPP)
Furthermore, CISA has instructed U.S. federal agencies to apply the patch by August 28, 2025, following the addition of CVE-2025-7775 to the Known Exploited Vulnerabilities (KEV) catalog.
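Comparing a running build against the fixed builds above is error-prone by hand because the FIPS/NDcPP trains (13.1-37.x, 12.1-55.x) carry lower build numbers than the standard fixed builds. The script below, added here as an example and not Citrix tooling, parses the first line of show ns version output and reports patched, vulnerable or end-of-life. The version string alone does not identify a FIPS/NDcPP platform, so that is passed as an explicit flag; that design choice and the sample version lines are ours, the fixed-build numbers are the ones listed in this article.

```python
"""Compare a NetScaler build against the fixed builds in CTX694938.

Added example, not Citrix tooling. Feed it the first line of `show ns version`,
e.g. "NetScaler NS14.1: Build 47.46.nc, Date: Jul 18 2025, 09:45:50 (64-bit)".
"""
import re

# Fixed builds from CTX694938, keyed by (release, platform).
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 330),   # 12.1-FIPS and 12.1-NDcPP
}
# Standard (non-FIPS) trains that are end-of-life and get no fix.
END_OF_LIFE = {"12.1", "13.0"}

VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_version_line):
    """Return (release, (major, minor)) from a `show ns version` line."""
    m = VERSION_RE.search(show_version_line)
    if not m:
        raise ValueError(f"unrecognised version string: {show_version_line!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess_build(show_version_line, fips=False):
    """Classify the build as patched / VULNERABLE / end-of-life / unknown.

    `fips` must be supplied by the caller (assumption of this script): the
    version string itself does not say whether the platform is FIPS/NDcPP.
    """
    release, build = parse_version(show_version_line)
    platform = "fips" if fips else "standard"
    fixed = FIXED.get((release, platform))
    if fixed is None:
        if release in END_OF_LIFE:
            return f"{release} ({platform}) is end-of-life: no fix, upgrade to 13.1 or 14.1"
        return f"{release} ({platform}) is not listed in CTX694938; verify manually"
    # Tuple comparison orders (major, minor) correctly, e.g. (43, 56) < (47, 48).
    state = "patched" if build >= fixed else "VULNERABLE"
    return (f"{release}-{build[0]}.{build[1]} ({platform}): {state}, "
            f"fixed build is {release}-{fixed[0]}.{fixed[1]}")


if __name__ == "__main__":
    # Constructed sample lines, not captured from real appliances.
    for line, fips in (
        ("NetScaler NS14.1: Build 47.46.nc, Date: Jul 18 2025, 09:45:50 (64-bit)", False),
        ("NetScaler NS13.1: Build 37.241.nc, Date: Aug 20 2025, 11:02:13 (64-bit)", True),
        ("NetScaler NS13.1: Build 37.241.nc, Date: Aug 20 2025, 11:02:13 (64-bit)", False),
        ("NetScaler NS13.0: Build 92.21.nc, Date: Oct 03 2023, 14:11:47 (64-bit)", False),
    ):
        print(assess_build(line, fips=fips))
```

Note the two 13.1-37.241 lines in the sample: on a FIPS/NDcPP platform that build is patched, while the same string on a standard 13.1 appliance is an old build well below 13.1-59.22 and is reported vulnerable. Get the platform right before trusting the verdict.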
