Citrix has recently disclosed multiple high-severity vulnerabilities in its NetScaler Application Delivery Controller (ADC) and NetScaler Gateway products. Among these, CVE-2025-7775 stands out due to its active exploitation in the wild, posing significant risks to unpatched systems.
Overview of the Vulnerabilities
The identified vulnerabilities include:
– CVE-2025-7775: A memory overflow flaw that can lead to remote code execution (RCE) and denial of service (DoS). This vulnerability is particularly concerning as it has been observed being exploited in real-world attacks.
– CVE-2025-7776: Another memory overflow issue that can cause unpredictable behavior and DoS, especially when a Gateway (VPN virtual server) has a PCoIP profile bound.
– CVE-2025-8424: An improper access control vulnerability on the management interface. Exploitation requires network access to specific management IPs, which is why it is rated with an adjacent network attack vector.
Affected Versions
The vulnerabilities impact the following versions:
– NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.48
– NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.22
– NetScaler ADC 13.1-FIPS/NDcPP before 13.1-37.241
– NetScaler ADC 12.1-FIPS/NDcPP before 12.1-55.330
It’s important to note that NetScaler ADC/Gateway versions 12.1 and 13.0 have reached their end-of-life and are no longer supported. Organizations using these versions should upgrade to supported builds that address these vulnerabilities.
Details on CVE-2025-7775
CVE-2025-7775 is a critical memory overflow vulnerability with a CVSS v4.0 base score of 9.2. Exploitation of this flaw can result in remote code execution or denial of service. The vulnerability can be triggered under the following configurations:
– When the appliance is set up as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.
– When load balancing virtual servers of type HTTP/SSL/HTTP_QUIC are bound to IPv6 services or service groups, including DNS-based service resolution to IPv6.
– When a content routing (CR) virtual server is configured with type HDX.
Given the active exploitation of CVE-2025-7775, it is imperative for organizations to prioritize patching internet-exposed Gateways and any appliances with IPv6-enabled load balancing virtual servers. Monitoring for crashes, unexpected restarts, and unusual management-plane access is also recommended.
Recommendations and Mitigation
Citrix has released fixed versions to address these vulnerabilities:
– NetScaler ADC and Gateway 14.1-47.48 or later
– NetScaler ADC and Gateway 13.1-59.22 or later
– NetScaler ADC 13.1-FIPS/13.1-NDcPP 13.1-37.241 or later
– NetScaler ADC 12.1-FIPS/12.1-NDcPP 12.1-55.330 or later
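A build-number check against the fixed builds listed above, added here as an example and not Citrix's own tooling. The fixed builds and end-of-life branches are exactly those stated in this advisory; the `14.1-47.48` input form is the one the advisory uses, and the `NetScaler NS13.1: Build 59.22.nc` form is the assumed layout of `show ns version` output. The FIPS/NDcPP branches are tracked separately because they have their own fixed builds.

```python
"""Compare a NetScaler ADC/Gateway build against the fixed builds Citrix
published for CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424.

Added example, not Citrix's code. Fixed builds and end-of-life branches are
the ones stated in the advisory; the 'NS13.1: Build 59.22.nc' input form is
the assumed layout of `show ns version` output.
"""
import re
from typing import Tuple

# Fixed builds per (release branch, FIPS/NDcPP) from the advisory.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Mainline branches the advisory lists as end-of-life (no fix will ship).
EOL_BRANCHES = {"12.1", "13.0"}

# Accepts '14.1-47.48' and 'NS14.1: Build 47.48.nc' (the latter is assumed).
_VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (build, sub-build)) from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(text: str, fips_ndcpp: bool = False) -> str:
    """Classify a build as 'fixed', 'vulnerable', 'end-of-life' or 'unknown'.

    Build numbers compare as integer pairs, so 14.1-48.1 correctly ranks
    above 14.1-47.48 (a plain string comparison would get this wrong).
    """
    branch, build = parse_version(text)
    if not fips_ndcpp and branch in EOL_BRANCHES:
        return "end-of-life"
    fixed = FIXED_BUILDS.get((branch, fips_ndcpp))
    if fixed is None:
        return "unknown"
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    samples = [
        ("14.1-47.46", False),
        ("NetScaler NS13.1: Build 59.22.nc, Date: (constructed)", False),
        ("13.1-37.240", True),
        ("13.0-92.21", False),
    ]
    for sample, fips in samples:
        print(f"{sample:55} FIPS/NDcPP={fips!s:5} -> {assess(sample, fips)}")
```

An "unknown" result means the branch/FIPS combination is not in the advisory's list (for example, a FIPS build on 14.1), so it should be checked manually rather than assumed safe.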
Organizations are strongly advised to upgrade to these versions immediately, as there are no available workarounds. For Secure Private Access (SPA) customers, it’s essential to upgrade all NetScaler instances underpinning on-premises or hybrid deployments. Additionally, restricting management plane exposure to dedicated administrative networks and enforcing strict access controls on NSIP/CLIP/SNIP/GSLB IPs is recommended.
Identifying Exposure
To determine if your systems are exposed to these vulnerabilities, review the `ns.conf` and running configuration for specific entries:
– For CVE-2025-7775: Look for the presence of AAA or Gateway virtual servers (e.g., “add authentication vserver …”, “add vpn vserver …”); load balancing virtual servers of type HTTP/SSL/HTTP_QUIC bound to IPv6 services or IPv6 servers (including DNS AAAA resolution); content routing virtual servers of type HDX.
– For CVE-2025-7776: Check for Gateway (VPN virtual server) with a PCoIP profile bound (e.g., “-pcoipVserverProfileName …”).
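The configuration review described above can be scripted against an exported `ns.conf`. The following scanner is an added example, not Citrix's tooling: it walks the `add`/`bind`/`set` commands, resolves which load balancing virtual servers of type HTTP/SSL/HTTP_QUIC are bound (directly or through a service group) to an IPv6 server, and flags AAA, Gateway, HDX content routing and PCoIP-bound Gateway virtual servers. The command layouts used (`add server`, `add service`, `bind serviceGroup`, `add lb vserver`, `bind lb vserver`, `add vpn vserver`, `add authentication vserver`, `add cr vserver`, `-pcoipVserverProfileName`) follow the NetScaler CLI as shown on this page; the `-queryType AAAA` option on a domain-based `add server` is an assumption used to model the DNS AAAA case, and the sample configuration is constructed.

```python
"""Scan a NetScaler ns.conf for the configurations the advisory names as
exposed to CVE-2025-7775 and CVE-2025-7776.

Added example, not Citrix's tooling. The '-queryType AAAA' option on a
domain-based 'add server' is assumed; the sample config is constructed.
"""
import ipaddress
import shlex
from collections import defaultdict
from typing import Dict, List, Optional, Set

LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}   # lb vserver types named in the advisory


def _is_ipv6(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return False


def _opt(tok: List[str], name: str) -> Optional[str]:
    """Value following a '-option' token, or None if absent."""
    if name in tok and tok.index(name) + 1 < len(tok):
        return tok[tok.index(name) + 1]
    return None


def scan_nsconf(text: str) -> List[str]:
    servers_v6: Set[str] = set()                         # server objects that are IPv6 (or AAAA-resolved)
    svc_target: Dict[str, str] = {}                      # service -> server name or literal IP
    sg_members: Dict[str, Set[str]] = defaultdict(set)   # serviceGroup -> members
    lb_type: Dict[str, str] = {}                         # lb vserver -> protocol type
    lb_binds: Dict[str, Set[str]] = defaultdict(set)     # lb vserver -> bound service/serviceGroup
    findings: List[str] = []

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)
        if len(tok) < 4:
            continue
        verb, obj = tok[0], tok[1]
        if verb == "add" and obj == "server":
            # add server <name> <ip|domain> [-queryType AAAA]  (option assumed)
            if _is_ipv6(tok[3]) or (_opt(tok, "-queryType") or "").upper() == "AAAA":
                servers_v6.add(tok[2])
        elif verb == "add" and obj == "service":
            svc_target[tok[2]] = tok[3]                  # add service <name> <server|ip> <type> <port>
        elif verb == "bind" and obj == "serviceGroup":
            sg_members[tok[2]].add(tok[3])               # bind serviceGroup <name> <server|ip> <port>
        elif verb == "add" and obj == "lb" and tok[2] == "vserver" and len(tok) > 4:
            lb_type[tok[3]] = tok[4].upper()             # add lb vserver <name> <type> <ip> <port>
        elif verb == "bind" and obj == "lb" and tok[2] == "vserver" and len(tok) > 4:
            if not tok[4].startswith("-"):               # skip policy/monitor binds
                lb_binds[tok[3]].add(tok[4])
        elif verb in ("add", "set") and obj == "vpn" and tok[2] == "vserver":
            if verb == "add":
                findings.append(f"CVE-2025-7775: Gateway vserver '{tok[3]}'")
            if "-pcoipVserverProfileName" in tok:
                findings.append(f"CVE-2025-7776: Gateway vserver '{tok[3]}' has a PCoIP profile bound")
        elif verb == "add" and obj == "authentication" and tok[2] == "vserver":
            findings.append(f"CVE-2025-7775: AAA vserver '{tok[3]}'")
        elif verb == "add" and obj == "cr" and tok[2] == "vserver" and len(tok) > 4 and tok[4].upper() == "HDX":
            findings.append(f"CVE-2025-7775: CR vserver '{tok[3]}' of type HDX")

    # Second pass: lb vservers of a listed type whose backends include an IPv6 server.
    for vs, bound in lb_binds.items():
        if lb_type.get(vs) not in LB_TYPES:
            continue
        for b in bound:
            members = sg_members[b] if b in sg_members else {svc_target.get(b, "")}
            if any(m in servers_v6 or _is_ipv6(m) for m in members):
                findings.append(f"CVE-2025-7775: LB vserver '{vs}' ({lb_type[vs]}) reaches an IPv6 backend via '{b}'")
                break
    return findings


# Constructed sample fragment (not a real appliance configuration).
SAMPLE_NSCONF = """
add server web6 2001:db8::10
add server web4 192.0.2.10
add server api-dns api.example.com -queryType AAAA
add service svc_web6 web6 HTTP 80
add service svc_web4 web4 HTTP 80
add serviceGroup sg_api SSL
bind serviceGroup sg_api api-dns 443
add lb vserver lb_http HTTP 192.0.2.1 80
add lb vserver lb_plain_v4 HTTP 192.0.2.2 80
add lb vserver lb_api SSL 192.0.2.3 443
add lb vserver lb_tcp TCP 192.0.2.4 8443
bind lb vserver lb_http svc_web6
bind lb vserver lb_plain_v4 svc_web4
bind lb vserver lb_api sg_api
bind lb vserver lb_tcp svc_web6
bind lb vserver lb_http -policyName pol1 -priority 100
add vpn vserver gw_main SSL 192.0.2.5 443
set vpn vserver gw_main -pcoipVserverProfileName pcoip_prof
add authentication vserver aaa_main SSL 192.0.2.6 443
add cr vserver cr_hdx HDX 192.0.2.7 443
add cr vserver cr_http HTTP 192.0.2.8 80
"""

if __name__ == "__main__":
    for f in scan_nsconf(SAMPLE_NSCONF):
        print(f)
```

Note that an lb vserver of type TCP bound to an IPv6 service and a content routing vserver of type HTTP are deliberately not reported, matching the advisory's scope; a service that references a server object is resolved through that object rather than by its literal address, which is how IPv6 reaches an HTTP vserver without appearing on the `bind` line itself.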
Conclusion
The active exploitation of CVE-2025-7775 underscores the critical need for organizations to promptly update their NetScaler ADC and Gateway appliances. By applying the recommended patches and adhering to best practices for network security, organizations can mitigate the risks associated with these vulnerabilities and safeguard their systems against potential attacks.