A critical Citrix vulnerability is under active attack in the wild. Memory corruption bug CVE-2025-7775 (CVSS 9.2) affects NetScaler ADC and NetScaler Gateway in common configurations and gives an attacker RCE.

Citrix’s somewhat thin advisory can be found here. Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are affected by the vulnerabilities, as are the versions below:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
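An added example (not from Citrix or the original article) that checks an appliance inventory against the fixed builds listed above. It assumes version strings in the same `release-build` form the list uses; the hostnames and sample builds are constructed, and a release the list does not mention is reported as `unlisted` for manual review.

```python
import re

# Fixed builds as listed above, keyed by (release, is_fips_or_ndcpp).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def classify(version, fips=False):
    """Return 'vulnerable', 'fixed' or 'unlisted' for a 'release-major.minor' string."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    # Compare builds as integer tuples: as strings, "9.100" would sort after "47.48".
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED_BUILDS.get((m.group(1), fips))
    if fixed is None:
        return "unlisted"  # release not in the list above: review manually
    return "vulnerable" if build < fixed else "fixed"


def triage(inventory):
    """Return (host, version, status) for every appliance that is not on a fixed build."""
    findings = []
    for item in inventory:
        status = classify(item["version"], item.get("fips", False))
        if status != "fixed":
            findings.append((item["host"], item["version"], status))
    # Vulnerable appliances first, then unlisted releases.
    return sorted(findings, key=lambda f: (f[2] != "vulnerable", f[0]))


# Constructed sample inventory (hypothetical hostnames and builds).
SAMPLE_INVENTORY = [
    {"host": "adc-edge-01", "version": "14.1-47.48"},
    {"host": "adc-edge-02", "version": "14.1-9.100"},
    {"host": "gw-fips-01", "version": "13.1-37.241", "fips": True},
    {"host": "gw-fips-02", "version": "12.1-55.329", "fips": True},
    {"host": "adc-lab-01", "version": "13.0-92.31"},
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

A `vulnerable` result reflects the build number only; whether a given appliance is exposed also depends on its configuration.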

CVE-2025-7775 should not be confused with July’s CVE-2025-5777, which was also exploited in the wild, including by ransomware groups, and dubbed “Citrix Bleed 2.0” in reference to CVE-2023-4966, which was exploited by ransomware gangs to hack Boeing and the world’s largest bank, ICBC.

The addition on Tuesday of CVE-2025-7775 to CISA’s Known Exploited Vulnerabilities (KEV) catalogue makes it the fifth Citrix bug to be added to KEV this year.

NetScaler bugs galore

Citrix also pushed patches for CVE-2025-8424, a CVSS 8.7 bug described as “Improper access control on the NetScaler Management Interface”, and CVE-2025-7776, a CVSS 8.8 bug also affecting NetScaler Gateway.

Citrix’s security advisory offers precious little information to defenders on threat hunting; we refer readers to Horizon3.ai’s July 7 blog, which noted that “publishing security advisories for such critical issues with such limited information only serves to hurt defenders and threat hunters…”

“At worst, it leaves organizations scrambling and wondering if they’ve fallen victim to the issue, even after patches have been applied since there’s no way to really know what to look for in their environments.”

See also: 1 Citrix bug alone triggered 13 “nationally significant” UK cybersecurity incidents

The vulnerability is one of two patched by Citrix on August 26 – credit was attributed to a trio of security researchers: Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partnerfor and François Hämmerli.

Caitlin Condon, VP of security research at VulnCheck, noted that “memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 can be tricky to exploit and on the whole tend to be used by state-sponsored or other skilled adversaries in targeted attacks… Another recent Citrix NetScaler vulnerability VulnCheck research has tracked, CVE-2025-6543, has a description almost identical to CVE-2025-7775 (though CVE-2025-6543 has a narrower range of vulnerable configurations) and has yet to see exploitation at scale despite being on… KEV since June 25.”

They added: “While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns. It's likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. Vulnerability response prioritization should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone.”

More when we have it? In incident response and seeking exploitation? We'd love to know more about what you're seeing.
