Citrix Fixes NetScaler RCE Flaw Exploited in Zero-Day Attacks

Citrix patches critical NetScaler RCE CVE-2025-7775 exploited in zero-day attacks; admins must upgrade affected NetScaler ADC and Gateway builds immediately.

    Citrix released security updates for NetScaler ADC and NetScaler Gateway that address three vulnerabilities, including a critical remote code execution (RCE) flaw tracked as CVE-2025-7775. Citrix says CVE-2025-7775 is a memory overflow bug and that it has been observed being exploited in attacks against unpatched appliances, which is why the vendor is urging customers to patch immediately.

    In its advisory, Citrix warned that the flaw can lead to unauthenticated remote code execution on vulnerable devices and recommended immediate firmware upgrades because no mitigations are available. The company shared configuration guidance so administrators can check whether their appliances use one of the vulnerable configurations.

    Technical Details of CVE-2025-7775

    CVE-2025-7775 is a memory overflow vulnerability that can be triggered remotely by specially crafted requests. When exploited on unpatched NetScaler devices configured in certain roles, the bug allows an unauthenticated attacker to execute code on the appliance.

    Citrix’s advisory explicitly states that exploits of CVE-2025-7775 on unmitigated appliances have been observed as of August 26, 2025, and urges immediate upgrades.

    Citrix did not publish indicators of compromise (IoCs) or exploit samples in the advisory. The vendor did release guidance describing the specific device configurations that can expose appliances to the flaw and recommended administrators verify their virtual server roles and service bindings.

    Affected Configurations that Create Exposure

    Citrix identified particular configuration scenarios that make NetScaler devices vulnerable to CVE-2025-7775. Devices are vulnerable when configured in at least one of these roles:

    • NetScaler Configured as Gateway — VPN virtual server, ICA Proxy, CVPN, or RDP Proxy roles.
    • NetScaler Configured as AAA Virtual Server.
    • Load-Balancing Virtual Servers Bound With IPv6 Services — ADC and Gateway 13.1, 14.1, 13.1-FIPS, and NDcPP when LB virtual servers of type HTTP, SSL, or HTTP_QUIC are bound with IPv6 services or servicegroups bound with IPv6 servers.
    • LB Virtual Servers Bound With IPv6 DBS Services — Same impacted releases when DBS IPv6 services or servicegroups are used.
    • CR Virtual Server With Type HDX.

    Citrix published configuration checks administrators can run to determine if their NetScaler instances match the vulnerable patterns. Customers should review virtual server types, service bindings, and IPv6-related configurations immediately.

    Affected Versions and Required Firmware Updates

    The vulnerabilities affect a range of NetScaler ADC and NetScaler Gateway releases. Citrix lists impacted builds that must be upgraded to fixed firmware versions:

    • NetScaler ADC and NetScaler Gateway 14.1 — before 14.1-47.48
    • NetScaler ADC and NetScaler Gateway 13.1 — before 13.1-59.22
    • NetScaler ADC 13.1-FIPS and NDcPP — before 13.1-37.241-FIPS and NDcPP
    • NetScaler ADC 12.1-FIPS and NDcPP — before 12.1-55.330-FIPS and NDcPP

    Because Citrix notes no effective mitigations against CVE-2025-7775, the vendor “strongly recommends” that administrators apply the published updates as soon as possible.
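    To turn the build table and the exposed-configuration list above into a repeatable check, here is an added Python triage helper written for this article (it is not a Citrix tool and not part of the advisory). It assumes you feed it the appliance's version string, either in the "14.1-47.48" form used above or in the style of `show ns version` output, plus a list of role tags you assign after reviewing your virtual servers; the role tag names and the sample version line are my own constructions.

```python
import re

# Fixed builds as listed on this page: (release, is_fips_or_ndcpp) -> (build_major, build_minor).
# Any build below the fixed one for its release is affected by CVE-2025-7775.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),   # 13.1-FIPS and NDcPP
    ("12.1", True): (55, 330),   # 12.1-FIPS and NDcPP
}

# Role tags (my own labels) for the exposed configurations the advisory names.
# The IPv6 LB conditions are listed only for some releases; treating them as
# exposed on every release errs on the side of patching.
EXPOSED_ROLES = {"gateway", "aaa", "lb_ipv6", "lb_ipv6_dbs", "cr_hdx"}

# Matches "14.1-47.48", "13.1-37.241-FIPS" and the "NS14.1: Build 47.48.nc" style.
_VER_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)", re.IGNORECASE)


def parse_version(text):
    """Return (release, (build_major, build_minor), is_fips) from a version string."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    fips = "FIPS" in text.upper() or "NDCPP" in text.upper()
    return m.group(1), (int(m.group(2)), int(m.group(3))), fips


def is_vulnerable_build(text):
    """True if below the fixed build, False if fixed, None if the release is not in the table."""
    release, build, fips = parse_version(text)
    fixed = FIXED_BUILDS.get((release, fips))
    if fixed is None:
        return None
    return build < fixed   # tuple comparison: (47, 46) < (47, 48)


def triage(version_text, roles):
    """Combine the build check with the configured roles into a verdict."""
    vulnerable = is_vulnerable_build(version_text)
    if vulnerable is None:
        return "not-listed"      # release not covered on this page; consult the vendor advisory
    if not vulnerable:
        return "fixed"
    return "patch-now" if EXPOSED_ROLES & set(roles) else "upgrade"


if __name__ == "__main__":
    # Constructed sample in the style of `show ns version` on a pre-fix build.
    sample = "NetScaler NS14.1: Build 47.46.nc, Date: Jun 1 2025, 00:00:00"
    print(triage(sample, ["gateway", "aaa"]))
```

    A "patch-now" verdict means the build is below the fixed one and the appliance is in one of the exposed roles; "upgrade" means the build is old but no exposed role was tagged, which still warrants the update since Citrix lists no mitigations.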

    Additional Vulnerabilities Addressed in the Same Update

    In the same advisory, Citrix also fixed two other issues affecting NetScaler devices:

    • CVE-2025-7776 — a memory overflow vulnerability that can cause denial-of-service (DoS).
    • CVE-2025-8424 — improper access control on the NetScaler Management Interface (NMI), which can allow unauthorized access to management functions.

    Both of these issues received lower severity ratings than the RCE flaw but are part of the same patch cycle. Admins should apply updates that address all three CVEs to ensure comprehensive protection.

    Vendor Credit, Disclosure, and Inquiries

    Citrix credited the disclosure of the flaws to multiple researchers: Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmerli. The advisory does not specify which researcher reported which bug. BleepingComputer contacted Citrix and Cloud Software Group with additional questions about observed exploitation of CVE-2025-7775 and will update reporting if the vendor provides further details.

    No Mitigations Means Immediate Firmware Rollout is Critical

    Citrix emphasizes that CVE-2025-7775 has no available mitigations, which raises the urgency for administrators to schedule immediate firmware upgrades. Where rapid patching is operationally difficult, organizations should consider isolating NetScaler instances, restricting administrative network access, and applying compensating network controls until updates can be installed.

    Because the RCE vector is unauthenticated and remote, exposed appliances present a high risk that can result in full takeover of the device and potential pivoting into internal networks.

    Historical Context: Citrix Bleed 2 and Prior Active Exploitation

    This advisory follows recent Citrix incidents. In June 2025, Citrix disclosed an out-of-bounds memory read vulnerability tracked as CVE-2025-5777, nicknamed “Citrix Bleed 2.” That flaw allowed attackers to read sensitive memory and was actively exploited roughly two weeks before a public proof-of-concept appeared in July, despite initial vendor statements that no exploitation evidence existed at the time.

    The CVE-2025-7775 disclosure and the observed attacks show a continued pattern of attackers quickly weaponizing Citrix product flaws. Enterprises that use NetScaler ADC and NetScaler Gateway should therefore treat firmware updates as high priority.

    Enterprise Impact and Operational Considerations

    NetScaler ADC and NetScaler Gateway appliances commonly sit at the network edge and perform VPN, proxy, load balancing, and remote access roles. A successful exploit of CVE-2025-7775 can therefore have serious operational and security consequences, including:

    • Unauthorized administrative access to edge devices.
    • Disruption of remote access and VPN services for employees.
    • Potential for attackers to use compromised appliances as staging points for lateral movement.
    • Exposure of network traffic and interception of sessions handled by the appliance.

    Given this impact profile, security and network teams should coordinate patch windows with business stakeholders and treat these updates as emergency changes where possible.

    Recommended Actions for Administrators

    Administrators managing NetScaler ADC and NetScaler Gateway appliances should:

    1. Inventory NetScaler Instances Immediately — confirm product versions and installed builds.
    2. Apply Citrix Firmware Updates — upgrade to the patched builds Citrix published for the affected releases.
    3. Verify Configurations — check whether instances match the vulnerable configurations Citrix described (Gateway roles, AAA virtual servers, IPv6 LB bindings, HDX CR servers).
    4. Isolate or Restrict Access — if immediate patching is not feasible, limit network exposure and administrative access to the appliances.
    5. Monitor for Suspicious Activity — review appliance logs, VPN session anomalies, unexpected configuration changes, and any signs of post-exploitation behavior.
    6. Coordinate With Incident Response — involve security ops and incident response teams to be ready for forensic analysis if exploitation is suspected.

    Citrix’s patch release addresses a critical unauthenticated remote code execution vulnerability, CVE-2025-7775, that the vendor says has been observed being exploited in the wild. The update also fixes a denial-of-service memory overflow (CVE-2025-7776) and an NMI access control issue (CVE-2025-8424). Because Citrix reports no available mitigations for the RCE flaw, administrators should prioritize firmware updates for NetScaler ADC and NetScaler Gateway appliances that match the impacted versions and configurations. The advisory follows recent Citrix vulnerability incidents and reinforces the need for rapid patch management on edge network devices.
