Critical 0-day Vulnerability in Citrix NetScaler Under Active Exploitation (CVE-2025-7775)
Executive Summary
On August 26th, Citrix published an advisory detailing a critical vulnerability in its NetScaler ADC and NetScaler Gateway product lines. Successful exploitation of this bug (tracked as CVE-2025-7775) grants an unauthenticated threat actor Remote Code Execution (RCE) on the device. These devices are typically deployed as internet-facing by design, so this vulnerability can be used by threat actors to gain initial access to an organization's internal network.
There are no public details on the vulnerability and no public proof-of-concept (PoC) exploits available at the time of writing, but the advisory from Citrix states that active exploitation has been observed in the wild. Patches are available, and Beazley Security expects threat actors to develop and deploy their own weaponized exploits in the coming days.
Affected organizations should upgrade impacted devices as soon as possible.
Affected Systems and Products
Mitigations and Workarounds
Citrix has indicated that there are no effective mitigations or workarounds for this vulnerability. Organizations should update impacted NetScaler ADC and NetScaler Gateway appliances to the latest patched versions.
If patches cannot be immediately applied, network access to the appliances should be restricted to trusted networks only.
Patches
Citrix has released advisory CTX694938 to track versioning and patching information for this issue. Citrix NetScaler patches to mitigate this issue and other technical support can be found by logging into the Citrix Support Center.
Technical Details
Details on the vulnerability have not been provided, but Citrix has published guidance on how to determine whether a device is running a vulnerable configuration. A device is affected if its configuration matches any of the following patterns:
Configured as an Auth Server (AAA Vserver):
add authentication vserver .*
Configured as a Gateway (VPN Vserver):
add vpn vserver .*
LB vserver of type HTTP_QUIC|SSL|HTTP bound with IPv6 services or servicegroups bound with IPv6 servers:
enable ns feature lb.*
add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*
add server .* <IPv6>
bind servicegroup <servicegroup name> <IPv6 server> .*
add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*
bind lb vserver .* <ipv6 servicegroup name>
LB vserver of Type HTTP_QUIC|SSL|HTTP bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers:
enable ns feature lb.*
add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*
add server .* <domain> -queryType AAAA
add service .* <IPv6 DBS server>
bind servicegroup <servicegroup name> <IPv6 DBS server> .*
add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*
bind lb vserver .* <ipv6 servicegroup name>
CR vserver with type HDX:
add cr vserver .* HDX .*
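As an added illustration (not from Citrix or Beazley Security), the following Python script applies those configuration patterns to a constructed ns.conf excerpt and reports which of the advisory's preconditions match. Object names such as web6, sg_v6 and lb_v6 are invented, and the load-balancer check follows the serviceGroup form only (not the direct `add service` form); it is a configuration review aid for prioritizing patching, not a vulnerability scanner.

```python
LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}

# Constructed ns.conf excerpt for demonstration only (2001:db8::/32 is the
# IPv6 documentation prefix); it is not taken from any real appliance.
SAMPLE_NS_CONF = """\
enable ns feature LB SSL
add server web6 2001:db8::10
add serviceGroup sg_v6 HTTP
bind serviceGroup sg_v6 web6 80
add lb vserver lb_v6 HTTP 10.0.0.6 80
bind lb vserver lb_v6 sg_v6
add cr vserver cache_hdx HDX 10.0.0.8 2598
"""

def check_preconditions(conf):
    """Return the advisory's precondition labels matched by an ns.conf text."""
    cmds = [ln.split() for ln in conf.splitlines() if ln.strip()]
    hits, lb_on, v6_servers, v6_groups = set(), False, set(), set()
    sg_type, lb_type, lb_binds = {}, {}, {}
    for t in cmds:  # pass 1: the LB feature flag and object definitions
        h = [x.lower() for x in t[:3]]
        if h == ["enable", "ns", "feature"] and "lb" in [x.lower() for x in t]:
            lb_on = True
        elif h == ["add", "authentication", "vserver"]:
            hits.add("AAA vserver")
        elif h == ["add", "vpn", "vserver"]:
            hits.add("VPN vserver")
        elif h == ["add", "cr", "vserver"] and "HDX" in t[3:]:
            hits.add("CR vserver HDX")
        elif h[:2] == ["add", "server"] and len(t) > 3:
            # IPv6 literal (contains ':'), or a DBS server resolved via AAAA records
            if ":" in t[3] or ("-queryType" in t and "AAAA" in t):
                v6_servers.add(t[2])
        elif h[:2] == ["add", "servicegroup"] and len(t) > 3:
            sg_type[t[2]] = t[3].upper()
        elif h == ["add", "lb", "vserver"] and len(t) > 4:
            lb_type[t[3]] = t[4].upper()
    for t in cmds:  # pass 2: bindings, now that server and group types are known
        h = [x.lower() for x in t[:3]]
        if h[:2] == ["bind", "servicegroup"] and len(t) > 3 and t[3] in v6_servers:
            v6_groups.add(t[2])
        elif h == ["bind", "lb", "vserver"] and len(t) > 4:
            lb_binds.setdefault(t[3], set()).add(t[4])
    for vs, groups in lb_binds.items():  # HTTP/SSL/HTTP_QUIC vserver -> IPv6 group
        if lb_on and lb_type.get(vs) in LB_TYPES and any(
                g in v6_groups and sg_type.get(g) in LB_TYPES for g in groups):
            hits.add("LB vserver with IPv6 backend")
    return hits
```

Run it against the output of `show ns runningConfig` or a saved ns.conf; an empty set means none of the listed patterns were found, which does not by itself prove the device is unaffected.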
How Beazley Security is Responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.