Citrix reported the exploitation of a critical zero-day remote code execution (RCE) flaw, along with two other high severity flaws, in NetScaler ADC and Gateway on Tuesday. The most severe vulnerability, tracked as CVE-2025-7775, was swiftly added to the Known Exploited Vulnerabilities (KEV) catalog by the Cybersecurity & Infrastructure Security Agency (CISA) Tuesday. It is the third Citrix flaw to be added to the catalog within 48 hours, after CVE-2024-8068 and CVE-2024-8069 were added Monday.CVE-2025-7775 is a memory overflow that can lead to RCE or denial of service (DoS). It affects Citrix NetScaler ADC and Gateway versions 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP, and 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP.It also only affects instances where NetScaler is configured in one of the following ways:CVE-2025-7775 has a CVSS score of 9.2 and federal civilian executive branch (FCEB) agencies were give two days by CISA — until Aug. 28, 2025 — to mitigate the vulnerability. Citrix confirmed in its advisory that exploits of CVE-2025-7775 were observed in the wild.Citrix also disclosed the high-severity vulnerabilities CVE-2025-7776 and CVE-2025-8424 Tuesday, affecting the same Citrix NetScaler ADC and Gateway versions.CVE-2025-7776 is a memory overflow that could lead to “unpredictable or erroneous behavior” and DoS, with a CVSS score of 8.8. It only affects instances where NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with a PCoIP Profile bounded to it.“Memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 can be tricky to exploit and on the whole tend to be used by state-sponsored or other skilled adversaries in targeted attacks rather than leveraged by commodity attackers broadly,” noted VulnCheck Vice President of Security Research Caitlin Condon in an email to SC Media.CVE-2025-8424 involves improper access control on the NetScaler Management Interface and has a CVSS score of 8.7. This affects instances where there is access to NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access, according to Citrix. “While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns. It’s likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal,” Condon added.No workarounds are available and customers are recommended to upgrade to NetScaler ADC and Gateway versions 14.1-47.48 or later, 13.1-59.22 or later releases of 13.1, 13.1-FIPS and 13.1-NDcPP release 13.1-37.241 or later, or 12.1-FIPS and 12.1-NDcPP release 12.1-55.330 or later.Citrix also noted that versions 12.1 and 13.0 are End of Life and should upgraded to one of the updated versions to ensure protection against the reported vulnerabilities.“Our analysis of Tenable telemetry data found that nearly 20% of NetScaler assets identified are on these unsupported versions,” Tenable Senior Staff Research Engineer Scott Caveza told SC Media in an email. “The greatest concentration of 13.0 devices was in North America, while 12.1 saw the greatest concentration in the APAC region. These end-of-life instances are ticking time bombs, especially given the recent exploitation history of Citrix flaws.”In addition to the three flaws added to the KEV catalog this week, a Citrix Netscaler ADC and Gateway flaw dubbed by some as “CitrixBleed 2” and tracked as CVE-2025-5777 was added to the KEV in July.The insufficient input validation and memory overread vulnerability has a CVSS score of 9.3, and the Shadowserver Foundation reported earlier this month that more than 3,000 NetScaler appliances remained vulnerable to the flaw.
- All affected versions: Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
- NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
- All affected versions: CR virtual server with type HDX




