Citrix NetScaler ADC and Gateway Zero-Day Remote Code Execution (CVE-2025-7775)
September 2nd, 2025
Critical

Our Cyber Threat Intelligence Unit is monitoring CVE-2025-7775, a critical pre-authentication memory overflow in Citrix NetScaler ADC and NetScaler Gateway that allows remote code execution (RCE) or denial of service (DoS). Citrix has confirmed that the flaw was exploited as a zero-day against internet-facing appliances before a fix was available. There are no workarounds or mitigations, so upgrading to a fixed build is the only remediation. The vulnerability continues a pattern of NetScaler appliances being targeted by capable threat actors, and because these devices sit on the authentication, VPN and load-balancing tier, prompt patch management is essential to limit exposure.
Technical Details
Attack Type: Remote Code Execution / Denial of Service
Severity: Critical (CVSS v3.1 9.8 / CVSS v4.0 9.2)
CVE ID: CVE-2025-7775
Vulnerability Class: Memory/buffer overflow (CWE-119)
Affected Products: NetScaler ADC, NetScaler Gateway
Affected Versions:
14.1 before 14.1-47.48
13.1 before 13.1-59.22
13.1-FIPS and NDcPP before 13.1-37.241
12.1-FIPS and NDcPP before 12.1-55.330
Exploitation Preconditions (any of the following):
Appliance configured as Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA vserver.
IPv6 load-balancing vservers of type HTTP/SSL/HTTP_QUIC bound to IPv6 services/servicegroups.
Load-balancing vservers of type HTTP/SSL/HTTP_QUIC bound to DBS IPv6 servicegroups.
CR vservers with type HDX.
An unauthenticated attacker triggers the overflow by sending specially crafted requests to any of these exposed virtual servers, resulting in arbitrary code execution on the appliance or a crash that takes the service down.

Impact
Complete compromise of affected appliances, enabling arbitrary code execution.
Denial of Service (DoS) and service outages through appliance crashes.
Pivoting potential into internal networks from a compromised appliance.
Credential/session theft via hijacked Gateway services.
Business continuity risk given NetScaler’s role in authentication, VPN, and load balancing.
Detection Method
Version Identification: Flag any appliances running below:
14.1-47.48, 13.1-59.22, 13.1-37.241 (FIPS/NDcPP), or 12.1-55.330 (FIPS/NDcPP)
Configuration Review: Inspect ns.conf for the following. The IPv6 and DBS conditions are properties of the services, servicegroups and servers bound to the LB vserver, not of the vserver line itself, so correlate each bind lb vserver entry with its add service, add server and bind serviceGroup definitions rather than matching the vserver line alone:
add vpn vserver (Gateway)
add authentication vserver (AAA)
add lb vserver of type HTTP, SSL or HTTP_QUIC bound to IPv6 services/servicegroups or to DBS IPv6 servicegroups
add cr vserver of type HDX
Log & Traffic Analysis:
Look for anomalous requests to /vpn/ and /aaa/ endpoints.
Review IPv6 request patterns to load-balancing services.
Investigate appliance crash reports or unexpected restarts.
Monitor for unusual administrative command executions.
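The following script is an added example, not part of this advisory or of any Citrix tooling. It applies the version check and the configuration review above, using the exploitation preconditions from the Technical Details section, to a "show ns version" line and an ns.conf excerpt. The ns.conf sample is constructed for illustration and follows the common NetScaler CLI forms (add server, add service, bind serviceGroup, add lb vserver, bind lb vserver); the version-line format is assumed from typical "show ns version" output, and the caller must say whether the appliance runs a FIPS/NDcPP build, since the fixed build differs. Bound services and servicegroups are resolved to their backend addresses before the IPv6 test is applied, and domain-based (DBS) backends are flagged for manual review because their address family is only known at resolution time.

```python
import ipaddress
import re

# Fixed builds from the advisory, keyed by (release branch, FIPS/NDcPP build?).
# Builds compare as (major build, minor build) tuples, e.g. 47.48 -> (47, 48).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Matches branch and build in a "show ns version" line such as
# "NetScaler NS14.1: Build 47.46.nc, Date: ..." (format assumed from typical output).
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def check_version(show_version_line, fips=False):
    """Classify a version line as 'vulnerable', 'patched', 'eol' or 'unknown'."""
    m = VERSION_RE.search(show_version_line)
    if not m:
        return "unknown"
    branch, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is None:
        # Standard (non-FIPS) 12.1 has no fixed build and is end-of-life per the advisory.
        return "eol" if branch == "12.1" and not fips else "unknown"
    return "vulnerable" if build < fixed else "patched"


def _ip_version(addr):
    """Return 4 or 6 for an IP literal, or None for a hostname (domain-based server)."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def find_exposed_vservers(ns_conf):
    """Return sorted (vserver name, reason) pairs for configurations the advisory lists.

    Gateway, AAA and HDX CR vservers are flagged directly. For LB vservers, only the
    HTTP/SSL/HTTP_QUIC types are considered, and the IPv6 test is applied to the backend
    addresses of the bound services/servicegroups, which is where the precondition lives.
    """
    servers, services, groups = {}, {}, {}   # name -> address / member list
    lb_type, lb_binds = {}, {}               # lb vserver -> type / bound entities
    findings = set()

    for raw in ns_conf.splitlines():
        t = raw.split()
        if len(t) < 4:
            continue
        head = tuple(t[:3])
        if head == ("add", "vpn", "vserver"):
            findings.add((t[3], "Gateway (vpn vserver)"))
        elif head == ("add", "authentication", "vserver"):
            findings.add((t[3], "AAA (authentication vserver)"))
        elif head == ("add", "cr", "vserver") and len(t) > 4 and t[4] == "HDX":
            findings.add((t[3], "CR vserver of type HDX"))
        elif head == ("add", "lb", "vserver") and len(t) > 4:
            lb_type[t[3]] = t[4]
        elif head[:2] == ("add", "server"):
            servers[t[2]] = t[3]                 # IP literal or DNS name (DBS)
        elif head[:2] == ("add", "service"):
            services[t[2]] = t[3]                # IP literal or server name
        elif head[:2] == ("bind", "serviceGroup"):
            groups.setdefault(t[2], []).append(t[3])
        elif head == ("bind", "lb", "vserver") and len(t) > 4 and not t[4].startswith("-"):
            lb_binds.setdefault(t[3], []).append(t[4])   # skip policy binds (-policyName ...)

    def backend_addresses(entity):
        members = groups.get(entity, [services[entity]] if entity in services else [])
        return [servers.get(m, m) for m in members]      # resolve server names to addresses

    for name, bound in lb_binds.items():
        vtype = lb_type.get(name)
        if vtype not in ("HTTP", "SSL", "HTTP_QUIC"):
            continue
        for addr in (a for e in bound for a in backend_addresses(e)):
            v = _ip_version(addr)
            if v == 6:
                findings.add((name, f"{vtype} LB vserver bound to IPv6 backend {addr}"))
            elif v is None:
                findings.add((name, f"{vtype} LB vserver bound to DBS backend {addr}; confirm whether it resolves to IPv6"))
    return sorted(findings)


# Constructed ns.conf excerpt for illustration (not from a real appliance).
SAMPLE_NS_CONF = """\
add server web4 10.0.0.10
add server web6 2001:db8::10
add server dbs1 app.example.internal
add service svc_web4 web4 HTTP 80
add service svc_web6 web6 HTTP 80
add service svc_tcp6 2001:db8::20 TCP 3306
add serviceGroup sg_dbs HTTP
bind serviceGroup sg_dbs dbs1 443
add lb vserver lb_http4 HTTP 10.0.0.1 80
add lb vserver lb_http6 SSL 10.0.0.2 443
add lb vserver lb_dbs SSL 10.0.0.3 443
add lb vserver lb_tcp TCP 10.0.0.4 3306
add vpn vserver gw_vpn SSL 10.0.0.5 443
add authentication vserver aaa_v SSL 10.0.0.6 443
add cr vserver cr_hdx HDX 10.0.0.7 443
bind lb vserver lb_http4 svc_web4
bind lb vserver lb_http6 svc_web6
bind lb vserver lb_dbs sg_dbs
bind lb vserver lb_tcp svc_tcp6
"""

if __name__ == "__main__":
    print(check_version("NetScaler NS14.1: Build 47.46.nc, Date: Aug 1 2025, 10:00:00"))
    for name, reason in find_exposed_vservers(SAMPLE_NS_CONF):
        print(f"{name}: {reason}")
```

In the sample, lb_http4 (IPv4 backend) and lb_tcp (TCP type, despite its IPv6 backend) are correctly left out, while lb_http6 and lb_dbs are flagged alongside the Gateway, AAA and HDX vservers. Run it against a real ns.conf by reading the file into find_exposed_vservers; any finding on an appliance whose version check is not "patched" should be treated as exposed.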
Indicators of Compromise
No indicators of compromise (IOCs) are available for this advisory.

Recommendations
Upgrade immediately to fixed builds:
14.1-47.48+
13.1-59.22+
13.1-FIPS/NDcPP 13.1-37.241+
12.1-FIPS/NDcPP 12.1-55.330+
Standard 12.1 releases remain EOL; migrate to a supported version.
Reduce attack surface: Remove internet exposure of the NSIP/management interfaces, restrict administrative access to trusted networks and enforce MFA. Note that these steps limit post-exploitation impact but do not mitigate CVE-2025-7775 itself, which is reached through the Gateway, AAA and load-balancing virtual servers that must remain reachable by design.
Enhance monitoring: Add alerting for abnormal AAA/Gateway traffic and appliance instability.
Incident response: If compromise is suspected, isolate the device and collect a technical support bundle and logs for forensic review before upgrading or rebooting, since a rebuild destroys volatile evidence. Rotate credentials and session tokens proxied through the appliance, and consider reissuing TLS certificates whose private keys reside on it.
Conclusion
CVE-2025-7775 is an actively exploited, critical-severity NetScaler vulnerability with no available workarounds. Since exploitation only requires common Gateway/AAA, HDX CR or IPv6 LB configurations, unpatched appliances are a high-value target for threat actors. We urge organizations to patch immediately, limit exposure, and continuously monitor for signs of exploitation to protect themselves against the risks associated with this vulnerability.