Security Advisory: Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway One Actively Exploited in Wild .

Citrix credited Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and Francois Hammerli for discovering and reporting the vulnerabilities.

Severity	Critical
CVSS Score	9.2
CVEs	CVE-2025-7775, CVE-2025-7776, CVE-2025-8424
POC Available	No
Actively Exploited	Yes
Exploited in Wild	Yes
Advisory Version	1.0

Overview 
A critical zero-day vulnerability, tracked as CVE-2025-7775, puts over 28,200 Citrix instances at risk worldwide.

This flaw allows attackers to run malicious code on affected systems without authentication. The issue is actively being exploited in the wild and immediate action is needed to secure systems.  Another two flaws were fixed in the latest updates.  

Vulnerability Name	CVE ID	Product Affected	Severity
Memory overflow vulnerability leading to RCE	CVE-2025-7775	NetScaler ADC & Gateway	9.2
Memory overflow vulnerability leading to unpredictable behavior	CVE-2025-7776	NetScaler ADC & Gateway	8.8
Improper access control on the NetScaler Management Interface	CVE-2025-8424	NetScaler ADC & Gateway	8.7

Technical Summary 

The NetScaler ADC and NetScaler Gateway appliances are affected by multiple critical vulnerabilities that pose significant risks ranging from Remote Code Execution (RCE) and Denial of Service (DoS) to improper access control.

These include memory overflow flaws in configurations such as VPN virtual servers, load balancing virtual servers using IPv6 or DBS IPv6 services, and misconfigurations involving PCoIP profiles. Additionally, the management interface is exposed due to weak access control mechanisms, which could allow unauthorized administrative access if attackers reach key management IP addresses like NSIP or SNIP. CISA has added one vulnerability (CVE-2025-7775) to its Known Exploited Vulnerabilities (KEV) Catalog and strongly urges organizations to apply patches immediately to prevent active exploitation. 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-7775	NetScaler ADC & Gateway	A critical memory overflow vulnerability in NetScaler ADC and Gateway that can lead to Remote Code Execution or DoS when configured as a Gateway (e.g., VPN, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, or LB virtual server using IPv6 or DBS IPv6 services including CR virtual servers of type HDX.	Remote Code Execution or DoS
CVE-2025-7776	NetScaler ADC & Gateway	A memory overflow vulnerability under analysis, currently known to cause unpredictable system behavior and potential DoS when a PCoIP Profile is bound to a Gateway-configured NetScaler instance (VPN, ICA Proxy, CVPN, RDP Proxy),	Erroneous behavior and DoS
CVE-2025-8424	NetScaler ADC & Gateway	An improper access control vulnerability on the NetScaler Management Interface, allowing unauthorized access when attackers can reach management IPs (NSIP, Cluster Management IP, local GSLB Site IP, or SNIP with Management Access), affecting NetScaler ADC and Gateway appliances.	Unauthorized access

Recommendations 

NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.  

• NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases 

• NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1 

• NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP 

• NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP 

Here are some other recommendations below 

• Monitor systems for unusual activity or unauthorized changes. 

• Limit access to Citrix instances from untrusted networks. 

• Use firewalls to block suspicious traffic targeting Citrix instances. 

Conclusion: 

Combined with additional high-severity vulnerabilities the overall threat landscape demands immediate attention. Organizations are strongly urged to apply the latest patches, restrict access to management interfaces and closely monitor for signs of compromise. Delayed action could result in significant operational and security impacts. 

The active exploitation of CVE-2025-7775 highlights a critical security threat affecting multiple NetScaler ADC and Gateway instances globally. This zero-day confirmed exploitation in the wild poses a severe risk of Remote Code Execution and service disruption.

References: 

• https://gbhackers.com/over-28000-citrix-servers-at-risk/ 

• https://nvd.nist.gov/vuln/detail/CVE-2025-7775 

• https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938