On August 26, 2025, Citrix announced the release of patches addressing three vulnerabilities in its NetScaler Application Delivery Controller (ADC) and Gateway products. Among these, a critical-severity flaw, identified as CVE-2025-7775 with a Common Vulnerability Scoring System (CVSS) score of 9.2, has been actively exploited in the wild as a zero-day vulnerability.
Understanding CVE-2025-7775
CVE-2025-7775 is a memory overflow that, when exploited, can cause a denial-of-service (DoS) condition and can also lead to remote code execution (RCE). It is only exploitable when the NetScaler appliance is configured in at least one of the following ways:
– As a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an Authentication, Authorization, and Accounting (AAA) virtual server.
– With a Cache Redirection (CR) virtual server of type HDX.
– With a load balancing virtual server of type HTTP, SSL, or HTTP_QUIC that is bound to IPv6 services, or to service groups bound to IPv6 servers.
– With a load balancing virtual server that is bound to Database Services (DBS) IPv6 services, or to service groups bound to IPv6 DBS servers.
Citrix’s Response and Recommendations
Citrix has observed active exploitation of CVE-2025-7775 on unpatched appliances. Because no mitigation or workaround exists for this flaw, Citrix strongly advises customers to upgrade immediately to a fixed build: NetScaler ADC and Gateway 14.1-47.48 or later, 13.1-59.22 or later, 13.1-FIPS and 13.1-NDcPP 13.1-37.241 or later, or 12.1-FIPS and 12.1-NDcPP 12.1-55.330 or later. The 12.1 and 13.0 release lines are end of life, are also affected, and will not receive a fix; appliances on those lines must be migrated to a supported release.
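The two checks an operator performs by hand here are comparing the build reported by `show ns version` against the fixed builds above, and looking through `show running` for the configuration preconditions listed in the previous section. The following script is an added example of both checks; it is not Citrix tooling. It assumes the fixed-build table above (confirm it against the current Citrix advisory before relying on it), that the operator knows whether the appliance runs a FIPS/NDcPP build (the `fips_or_ndcpp` flag), and that DBS means the MYSQL, MSSQL, and ORACLE service types. The version line and the configuration at the bottom are constructed for the example.

```python
"""Triage helpers for the CVE-2025-7775 advisory conditions (added example, not Citrix code)."""
import re
from ipaddress import ip_address

# Fixed builds by (release line, FIPS/NDcPP build?). Assumption: copied from the Citrix
# advisory. 12.1 and 13.0 non-FIPS are end of life and get no fix, so they are absent
# on purpose and will be reported as unfixed.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Matches the release and build in a `show ns version` line such as "NetScaler NS14.1: Build 47.46.nc".
VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")

# Database (DataStream) service types treated as DBS (assumption).
DBS_PROTOCOLS = {"MYSQL", "MSSQL", "ORACLE"}


def parse_version(show_ns_version):
    """Return (release, (build, sub)) from `show ns version` output."""
    m = VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError("no NetScaler version string found")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def is_fixed(show_ns_version, fips_or_ndcpp=False):
    """True only when the running build is at or above the fixed build for its line.
    Unknown or end-of-life lines count as unfixed, never as safe."""
    release, build = parse_version(show_ns_version)
    fixed = FIXED_BUILDS.get((release, fips_or_ndcpp))
    return fixed is not None and build >= fixed


def _is_ipv6(token):
    try:
        return ip_address(token).version == 6
    except ValueError:
        return False


def vulnerable_preconditions(running_config):
    """Return (condition, object) pairs for each CVE-2025-7775 precondition found in
    `show running` output. Objects are collected first and LB bindings resolved
    afterwards, so the order of lines in the config does not matter."""
    findings, servers, services, sgroups, binds = [], {}, {}, {}, []
    for raw in running_config.splitlines():
        p = raw.split()
        if len(p) < 4:
            continue
        if p[0] == "add":
            if p[1] == "vpn" and p[2] == "vserver":
                findings.append(("Gateway virtual server", p[3]))
            elif p[1] == "authentication" and p[2] == "vserver":
                findings.append(("AAA virtual server", p[3]))
            elif p[1] == "cr" and p[2] == "vserver" and len(p) > 4 and p[4].upper() == "HDX":
                findings.append(("CR virtual server of type HDX", p[3]))
            elif p[1] == "server":
                servers[p[2]] = p[3]                               # name -> IP or FQDN
            elif p[1] == "service" and len(p) > 4:
                services[p[2]] = (p[3], p[4].upper())              # name -> (server or IP, protocol)
            elif p[1] == "serviceGroup":
                sgroups.setdefault(p[2], ["?", []])[0] = p[3].upper()
        elif p[0] == "bind":
            if p[1] == "serviceGroup" and not p[3].startswith("-"):
                sgroups.setdefault(p[2], ["?", []])[1].append(p[3])  # member server or IP
            elif p[1] == "lb" and p[2] == "vserver" and len(p) > 4 and not p[4].startswith("-"):
                binds.append((p[3], p[4]))                         # (lb vserver, service or group)

    def backed_by_ipv6(target):
        return _is_ipv6(target) or _is_ipv6(servers.get(target, ""))

    for lb, member in binds:
        if member in services and backed_by_ipv6(services[member][0]):
            kind = "DBS service" if services[member][1] in DBS_PROTOCOLS else "service"
            findings.append((f"IPv6 {kind} bound to LB vserver", f"{lb}:{member}"))
        elif member in sgroups and any(backed_by_ipv6(m) for m in sgroups[member][1]):
            kind = "DBS service group" if sgroups[member][0] in DBS_PROTOCOLS else "service group"
            findings.append((f"IPv6 {kind} bound to LB vserver", f"{lb}:{member}"))
    return findings


# Constructed sample outputs for the example (not captured from a real appliance).
SAMPLE_VERSION = "NetScaler NS14.1: Build 47.46.nc, Date: Jul 22 2025, 12:30:01   (64-bit)"
SAMPLE_CONFIG = """\
add server web6 2001:db8::10
add server web4 192.0.2.10
add serviceGroup sg_db MYSQL
bind serviceGroup sg_db 2001:db8::20 3306
add service svc_web6 web6 HTTP 80
add service svc_web4 web4 HTTP 80
add lb vserver lb_web HTTP 192.0.2.1 80
add lb vserver lb_db MYSQL 192.0.2.2 3306
bind lb vserver lb_web svc_web6
bind lb vserver lb_web svc_web4
bind lb vserver lb_db sg_db
add vpn vserver gw_main SSL 192.0.2.3 443
add cr vserver cr_hdx HDX 192.0.2.4 80
add authentication vserver aaa_main SSL 192.0.2.5 443
"""

if __name__ == "__main__":
    print("running a fixed build:", is_fixed(SAMPLE_VERSION))
    for condition, obj in vulnerable_preconditions(SAMPLE_CONFIG):
        print(f"{condition}: {obj}")
```

Against the sample, the build 47.46 is reported as unfixed and five preconditions are flagged (the Gateway, AAA and HDX CR virtual servers, the IPv6-backed HTTP service on lb_web, and the IPv6 MySQL service group on lb_db), while the IPv4-only service svc_web4 is ignored. An appliance that matches none of the conditions is still unpatched and should be upgraded; the scan only tells you whether CVE-2025-7775 is reachable today, not whether the fix can wait.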
CISA’s Immediate Action
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog on the day the patch was released. Under Binding Operational Directive (BOD) 22-01, federal civilian agencies are normally given about three weeks to remediate newly listed vulnerabilities. Because of the severity and confirmed exploitation of this flaw, CISA instead set a deadline of August 28, 2025, two days after the listing.
Additional Vulnerabilities Addressed
In addition to CVE-2025-7775, Citrix has released patches for two other vulnerabilities:
– CVE-2025-7776 (CVSS 8.8): a memory overflow leading to unpredictable or erroneous behaviour and denial of service. It affects appliances configured as a Gateway (VPN virtual server) with a PCoIP profile bound.
– CVE-2025-7777 (CVSS 8.7): improper access control on the NetScaler Management Interface. As with all such flaws, the management interface should not be reachable from untrusted networks regardless of patch level.
Historical Context and Ongoing Threats
This incident is not isolated; Citrix ADC and Gateway appliances sit at the network edge and have been a recurring target. In December 2022, the NSA reported that APT5, a Chinese state-sponsored group, was exploiting a critical vulnerability (CVE-2022-27518) in Citrix ADC and Gateway to gain access to telecommunications and technology companies.
More recently, in June 2025, another critical vulnerability (CVE-2025-5777), dubbed CitrixBleed 2, was exploited in the wild. Insufficient input validation let attackers read memory out of bounds and recover valid session tokens, so they could hijack existing authenticated sessions and bypass authentication, including multi-factor authentication. The widespread exploitation of such vulnerabilities underscores the persistent threats facing organizations that expose Citrix appliances to the internet.
Implications for Organizations
The active exploitation of CVE-2025-7775 highlights the importance of timely patch management for edge devices. Organizations running NetScaler ADC or Gateway should:
1. Immediate Patching: Upgrade every appliance to a fixed build without delay, including appliances that do not currently match the vulnerable configurations, since a later configuration change would expose them.
2. Review Configurations: Inventory which appliances are configured as Gateway or AAA virtual servers, use HDX cache redirection, or load balance IPv6 back ends, and prioritize those for patching and investigation.
3. Hunt for Compromise: Because exploitation began before the patch was available, treat patching as insufficient on its own. Review appliance logs and the state of already-patched systems for signs of intrusion; an upgrade does not evict an attacker who gained access beforehand.
4. Incident Response Planning: Keep incident response plans for edge-device compromise current, including how to isolate an appliance, preserve its logs for forensics, and rotate credentials and sessions that passed through it.
Conclusion
The release of patches for CVE-2025-7775 and the related vulnerabilities is another reminder that internet-facing appliances are among the first targets when a flaw becomes public, and often before. Organizations must keep these systems promptly updated, limit exposure of management interfaces, and have the monitoring and response capability in place to catch exploitation that precedes the patch.