Citrix has issued patches in order to fix three newly-designated common vulnerabilities and exposures (CVEs) in the widely used NetScaler Application Delivery Controller (ADC) and NetScaler Gateway lines, at least one of which is known to be under active exploitation by an undisclosed threat actor.
The trio of bugs, which are tracked as CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424 are, respectively, a memory overflow vulnerability that leads either to pre-authentication remote code execution (RCE) or denial of service (DoS), or both; another memory overflow vulnerability that gives rise to unexpected behaviour and DoS; and an access control vulnerability in NetScaler’s management interface.
“Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible,” said Citrix in a statement. The supplier added that there are no effective workarounds.
Per independent security analyst Kevin Beaumont, of the three flaws CVE-2025-7775 appears to be the most immediately dangerous issue. Citrix also confirmed talk of exploitation, noting in its advisory that: “Exploits of CVE-2025-7775 on unmitigated appliances have been observed”.
Commenting on the latest disclosure, Benjamin Harris, CEO and founder of watchTowr, said: “Well, well, well… another day ending in ‘day.’ Once again, we’re seeing new vulnerabilities in Citrix NetScaler facilitating total compromise, with CVE-2025-7775 already being actively exploited to deploy backdoors.
“Patching is critical, but patching alone won’t cut it. Unless organisations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside. Those that only patch will remain exposed,” he added.
No further information about the observed incidents, or whom they may have affected, has yet come to light. This said, the significance of NetScaler – which provides application delivery and secure remote access for internal- and external-facing applications – to many enterprises means that any vulnerabilities in the products are frequently a prime target for threat actors, particularly ransomware gangs.
This is borne out by the not-infrequent cadence of vulnerability disclosures impacting NetScaler. Earlier this summer Citrix fixed CVE-2025-5777, a flaw that enabled a threat actor to circumvent authentication measures by inputting malicious requests to steal a valid session token from memory.
Due to its similarity to the Citrix Bleed issues of 2023, CVE-2025-5777 quickly earned the nickname Citrix Bleed 2, and it was swiftly exploited by threat actors, although at the time of writing it does not appear to have been named in any major confirmed or attributed cyber attacks.
‘Tricky to exploit’
On a positive note, VulnCheck vice president of security research, Caitlin Condon, said memory corruption flaws such as CVE-2025-7775 and CVE-2025-7776 were generally somewhat “tricky to exploit” and as such, tend to be used either by exceptionally highly-skilled adversaries or more commonly, state-sponsored threat actors, as opposed to more commodity attackers.
As a case in point, Condon told Computer Weekly in emailed comments, another NetScaler flaw, CVE-2025-6543 with a similar description to CVE-2025-7775 has yet to see exploitation at scale despite having been rattling around since the end of June.
But, she added, this does not mean patching should be any less of a priority, particularly given recent trends.
“While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns,” said Condon.
“It’s likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. Vulnerability response prioritisation should include CVE-2025-8424 rather than being limited to the higher-severity, but harder-to-exploit, memory corruption CVEs alone,” she said.
