Citrix rushes fixes for three NetScaler bugs — one’s already being exploited
Citrix has released patches for three security flaws in NetScaler ADC and NetScaler Gateway. One of them—CVE-2025-7775 (CVSS 9.2)—is already being actively exploited. The others are CVE-2025-7776 (CVSS 8.8) and CVE-2025-8424 (CVSS 8.7).
• 7775/7776 are memory overflow bugs that can lead to remote code execution or denial-of-service under certain configurations (notably Gateway/AAA use, and for 7776, when a PCoIP profile is bound).
• 8424 is improper access control on the management interface (requires access to NSIP/Cluster/GSLB/SNIP with management enabled).
• No workarounds are available; admins must upgrade to fixed versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, 12.1-FIPS/NDcPP 12.1-55.330+.
The U.S. CISA has added CVE-2025-7775 to its Known Exploited Vulnerabilities catalogue and ordered federal agencies to remediate within 48 hours. Citrix credited researchers from Horizon3.ai, Schramm & Partner, and François Hämmerli.
If you run NetScaler ADC or NetScaler Gateway, now’s the time for that upgrade you’ve been putting off. Citrix has patched three vulnerabilities, including one that attackers are actively exploiting in the wild. No pressure.
What’s affected?
• CVE-2025-7775 (CVSS 9.2) – memory overflow that can enable remote code execution or denial of service. Risk climbs when NetScaler is used as a Gateway/AAA or in certain IPv6-bound load-balancer setups.
• CVE-2025-7776 (CVSS 8.8) – another memory overflow, bites when a PCoIP profile is bound to a Gateway.
• CVE-2025-8424 (CVSS 8.7) – improper access control on the management interface (NSIP/Cluster/GSLB/SNIP) if management access is enabled.
Fixed versions (no workarounds)
• 14.1-47.48+
• 13.1-59.22+
• 13.1-FIPS / 13.1-NDcPP: 13.1-37.241+
• 12.1-FIPS / 12.1-NDcPP: 12.1-55.330+
There are no temporary mitigations, so updating is the only sensible move (short of unplugging the thing and going for a brew).
Why you should move quickly
The big one, CVE-2025-7775, is under active exploitation and has already landed on CISA’s KEV list with a 48-hour fix mandate for U.S. federal agencies. Translation: attackers know about it, and they read patch notes too.
What to do today
1. Upgrade to a fixed build from the list above.
2. Lock down the management plane — restrict NSIP/Cluster/GSLB/SNIP access to trusted admin networks only.
3. Review your Gateway/AAA and PCoIP settings, especially if you’re using IPv6 or have LB virtual servers matching the affected scenarios.
4. Monitor for odd crashes, spikes, or unauthorised sessions; investigate promptly.
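As an added example for step 1 (not code from Citrix or this article), a small Python check that parses the first line of NetScaler's `show version` output and compares the running build against the fixed versions listed above. The `show version` line format and the operator-supplied FIPS/NDcPP flag are assumptions; the flag matters because the 13.1-FIPS/NDcPP train numbers its builds 37.x, so a patched FIPS appliance compared against the mainline 13.1 fix (59.22) would be flagged wrongly.

```python
import re

# Fixed builds from the advisory summarised above, keyed by
# (release train, FIPS/NDcPP flag). 12.1 is listed only as FIPS/NDcPP.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Assumed shape of the first `show version` line, e.g.
# "NetScaler NS13.1: Build 59.19.nc, Date: ..." (verify on your build).
VERSION_RE = re.compile(r"NetScaler NS(\d+\.\d+): Build (\d+)\.(\d+)")


def parse_version(show_version_output):
    """Return (train, (build_major, build_minor)) or None if unparseable."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(show_version_output, fips_or_ndcpp=False):
    """Classify a build as patched / vulnerable / unsupported / unparseable.

    fips_or_ndcpp must come from the operator: FIPS/NDcPP builds cannot be
    told apart from mainline ones by build number alone (37.241 < 59.22).
    """
    parsed = parse_version(show_version_output)
    if parsed is None:
        return "unparseable"
    train, build = parsed
    fixed = FIXED_BUILDS.get((train, fips_or_ndcpp))
    if fixed is None:
        return "unsupported"        # no fixed build listed for this train
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, not real appliance output.
    samples = [
        ("NetScaler NS14.1: Build 47.46.nc, Date: Jul 1 2025", False),
        ("NetScaler NS13.1: Build 37.241.nc, Date: Aug 1 2025", True),
        ("NetScaler NS13.1: Build 37.241.nc, Date: Aug 1 2025", False),
        ("NetScaler NS12.1: Build 65.12.nc, Date: Jan 1 2024", False),
    ]
    for line, fips in samples:
        print(f"{line[:32]:<34} fips={fips!s:<5} -> {assess(line, fips)}")
```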
Stay current, stay calm, and maybe schedule fewer “we’ll patch it next week” meetings.
(Source: vendor advisory and CISA notice.)