Citrix Addresses Three NetScaler Vulnerabilities Amid Active Exploitation of CVE-2025-7775

Citrix has recently released patches for three security vulnerabilities in its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. Notably, one of them, CVE-2025-7775, has already been exploited in the wild.

Detailed Overview of the Vulnerabilities:

1. CVE-2025-7775: This critical vulnerability, with a Common Vulnerability Scoring System (CVSS) score of 9.2, is a memory overflow issue. If exploited, it can lead to remote code execution (RCE) and/or a denial-of-service (DoS) condition. For this vulnerability to be exploited, the NetScaler must be configured in specific ways, such as:

– As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
– Load Balancing (LB) virtual servers of type HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups bound with IPv6 servers.
– LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound with Database Services (DBS) IPv6 services or service groups bound with IPv6 DBS servers.
– Content Routing (CR) virtual server with type HDX.

2. CVE-2025-7776: With a CVSS score of 8.8, this memory overflow vulnerability can result in unpredictable behavior and DoS. Exploitation requires the NetScaler to be configured as a Gateway with a PCoIP Profile bound to it.

3. CVE-2025-8424: This vulnerability, scoring 8.7 on the CVSS scale, pertains to improper access control on the NetScaler Management Interface. Exploitation necessitates access to the NetScaler IP (NSIP), Cluster Management IP, local Global Server Load Balancing (GSLB) Site IP, or Subnet IP (SNIP) with management access.

Mitigation Measures:

Citrix has addressed these vulnerabilities in the following software versions:

– NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases of 14.1.
– NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1.
– NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP.
– NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP.

Given the absence of available workarounds, Citrix strongly recommends that users upgrade to these versions promptly to mitigate potential risks.
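As an added example (not Citrix code, nor part of the advisory), the following Python check compares a NetScaler build string against the fixed builds listed above, keyed by branch and edition, and reports builds the advisory does not cover at all; the "NS14.1: Build 47.48.nc" banner shape it also accepts is an assumption, as is the inventory used to exercise it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds from the advisory, keyed by (major, minor, edition).
# Editions: "standard" (regular ADC/Gateway), "fips", "ndcpp".
FIXED_BUILDS: Dict[Tuple[int, int, str], Tuple[int, int]] = {
    (14, 1, "standard"): (47, 48),
    (13, 1, "standard"): (59, 22),
    (13, 1, "fips"): (37, 241),
    (13, 1, "ndcpp"): (37, 241),
    (12, 1, "fips"): (55, 330),
    (12, 1, "ndcpp"): (55, 330),
}

# Accepts the advisory form "14.1-47.48" and an assumed banner form
# "NS14.1: Build 47.48.nc" (the banner shape is an assumption here).
_VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, build, sub) or raise if the string is unrecognised."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    major, minor, build, sub = (int(g) for g in m.groups())
    return major, minor, build, sub


def is_patched(text: str, edition: str = "standard") -> Optional[bool]:
    """True if at/above the fixed build for its branch, False if below,
    None if the advisory lists no fixed build for that branch/edition."""
    major, minor, build, sub = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor, edition.lower()))
    if fixed is None:
        return None
    return (build, sub) >= fixed


def needs_action(inventory: Dict[str, Tuple[str, str]]) -> List[str]:
    """Hosts that are below the fixed build or on a branch the advisory
    gives no fix for; both cases need an upgrade decision."""
    return sorted(h for h, (ver, ed) in inventory.items()
                  if is_patched(ver, ed) is not True)


# Constructed sample inventory: host -> (version string, edition).
SAMPLE_INVENTORY = {
    "gw-01": ("NS14.1: Build 47.46.nc", "standard"),  # below 14.1-47.48
    "gw-02": ("14.1-47.48", "standard"),              # exactly the fixed build
    "lb-fips": ("13.1-37.241", "fips"),               # fixed FIPS build
    "legacy": ("12.1-55.330", "standard"),            # no fix listed for 12.1 standard
}
```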

Acknowledgments:

The discovery and reporting of these vulnerabilities were credited to:

– Jimi Sebree of Horizon3.ai
– Jonathan Hetzer of Schramm & Partner
– François Hämmerli

Contextual Background:

The active exploitation of CVE-2025-7775 underscores a concerning trend of vulnerabilities in NetScaler ADC and Gateway products being rapidly weaponized. Prior to this, vulnerabilities such as CVE-2025-5777 (dubbed Citrix Bleed 2) and CVE-2025-6543 were also exploited shortly after their disclosure.

In a related development, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog. This addition mandates that Federal Civilian Executive Branch (FCEB) agencies address the flaw within 48 hours, emphasizing the critical nature of this vulnerability.

Implications for Organizations:

The rapid exploitation of these vulnerabilities highlights the importance of timely patch management and proactive security measures. Organizations utilizing NetScaler products should:

– Regularly monitor for security advisories from Citrix and other authoritative sources.
– Implement patches and updates promptly to mitigate known vulnerabilities.
– Conduct regular security assessments to identify and address potential weaknesses.
– Educate IT staff and users about the risks associated with unpatched systems and the importance of cybersecurity hygiene.

Conclusion:

The swift action by Citrix to address these vulnerabilities is commendable. However, the onus is on organizations to ensure that these patches are implemented without delay. In the ever-evolving landscape of cybersecurity threats, vigilance and proactive measures are paramount to safeguarding critical infrastructure and sensitive data.