Patch now! Citrix addresses latest NetScaler zero-day, exploitation underway

Citrix has advised its customers of multiple vulnerabilities in NetScaler ADC and NetScaler Gateway appliances, recommending urgent action.

Cloud computing firm Citrix published an advisory overnight warning of three vulnerabilities in its NetScaler ADC and NetScaler Gateway devices, one of which is being actively exploited in the wild.

CVE-2025-7775, the vulnerability that hackers are already targeting, is a memory overflow vulnerability that could lead to remote code execution and/or denial of service.

CVE-2025-7776 is a memory overflow vulnerability that could lead to unpredictable or erroneous behaviour and denial of service, while CVE-2025-8424 could result in improper access control on the NetScaler Management Interface.

The vulnerabilities affect the following versions:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP

Updates are available that address all three vulnerabilities, although Citrix does note that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end-of-life and no longer supported. Citrix recommends that all customers upgrade to a supported version as soon as possible.
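To triage an appliance inventory against the list above, the following added example (not Citrix's or the article's own code) classifies build strings by release train. It assumes versions are written as in the list, such as `13.1-59.22` with an optional `-FIPS` or `-NDcPP` suffix; the hostnames and the `classify` and `triage` helpers are hypothetical.

```python
import re

# Fixed builds from the affected-versions list above, keyed by
# (release train, FIPS/NDcPP build?). Builds below these are affected.
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Non-FIPS trains the article reports as end-of-life: no fix will ship.
EOL = {("12.1", False), ("13.0", False)}

# Assumed input shape: "<train>-<major>.<minor>" plus optional suffix.
_VERSION = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(-(?:FIPS|NDcPP))?$", re.I)


def classify(version):
    """Return 'patched', 'vulnerable', 'end-of-life' or 'unknown'."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    key = (m.group(1), m.group(4) is not None)
    build = (int(m.group(2)), int(m.group(3)))
    if key in EOL:
        return "end-of-life"
    if key not in FIXED:
        return "unknown"
    # Tuple comparison is numeric, so 47.9 sorts before 47.48.
    return "patched" if build >= FIXED[key] else "vulnerable"


def triage(inventory):
    """Return (host, status) pairs, worst findings first."""
    order = {"end-of-life": 0, "vulnerable": 1, "unknown": 2, "patched": 3}
    rows = [(host, classify(v)) for host, v in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory; hostnames and builds are made up for the example.
SAMPLE = {
    "adc-syd-01": "14.1-47.9",
    "adc-syd-02": "14.1-47.48",
    "gw-mel-01": "13.0-92.31",
    "adc-fips-01": "13.1-37.235-FIPS",
    "adc-fips-02": "13.1-59.22",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host:12} {SAMPLE[host]:18} {status}")
```

A `patched` result reflects only the build number; it says nothing about whether the appliance was compromised before the update was applied.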

There are no workarounds other than patching, and the US Cybersecurity and Infrastructure Security Agency has already added CVE-2025-7775 to its Known Exploited Vulnerabilities Catalog.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” CISA warned in its own advisory.

Scott Caveza, senior staff research engineer at Tenable, said that this vulnerability could adversely affect organisations in the APAC region.

“While patches are available for supported versions of NetScaler ADC and Gateway devices, Citrix notes that versions 12.0 and 13.1 are end-of-life and no longer supported. Our analysis of Tenable telemetry data found that nearly 20 per cent of NetScaler assets identified are on these unsupported versions. The greatest concentration of 13.0 devices was in North America, while 12.1 saw the greatest concentration in the APAC region. These end-of-life instances are ticking time bombs, especially given the recent exploitation history of Citrix flaws,” Caveza said.

“CVE-2025-7775 can be exploited by an unauthenticated attacker to achieve remote code execution or cause a denial of service condition. While Citrix has not provided details on the breadth and depth of exploitation, they do note that this flaw has already been exploited. Given attackers’ interest in past Citrix vulnerabilities, including the widely abused original CitrixBleed (CVE-2023-4966), it’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalise on this flaw.”

Benjamin Harris, CEO & Founder of watchTowr, was a little more biting in his response.

“Well, well, well… another day ending in ‘day.’ Once again, we’re seeing new vulnerabilities in Citrix Netscaler facilitating total compromise, with CVE-2025-7775 already being actively exploited to deploy backdoors,” Harris said.

“Patching is critical, but patching alone won’t cut it. Unless organisations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside. Those that only patch will remain exposed.”

Caitlin Condon, VP of security research at VulnCheck, added that while CVE-2025-7775 is dangerous in isolation, if chained with one of the other newly revealed vulnerabilities, it could be even more devastating.

“While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns,” Condon said.

“It's likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. Vulnerability response prioritisation should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone.”

You can read Citrix’s full advisory here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
