A critical security bulletin warns that attackers are actively exploiting a zero-day remote code execution vulnerability in NetScaler ADC and Gateway products.
The vulnerability, tracked as CVE-2025-7775, carries a critical CVSS v4.0 base score of 9.2 and enables attackers to execute arbitrary code remotely on vulnerable systems.
The security bulletin, published on August 26, 2025, reveals that exploits targeting CVE-2025-7775 on unmitigated appliances have already been observed in the wild, prompting urgent patching recommendations from the vendor.
This marks another significant security incident for the NetScaler platform, which has faced multiple critical vulnerabilities in recent years.
The security bulletin addresses three distinct vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) deployments.
CVE-2025-7775 represents the most severe threat, classified as a memory overflow vulnerability that can lead to both remote code execution and denial of service conditions.
The vulnerability specifically impacts NetScaler instances configured as Gateway services, including VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy configurations.
Additionally, load balancing virtual servers of HTTP, SSL, or HTTP_QUIC types that are bound with IPv6 services or service groups are also susceptible to exploitation.
CVE-2025-7776, assigned a CVSS score of 8.8, represents another memory overflow vulnerability affecting NetScaler Gateway configurations with PCoIP Profile bindings.
This vulnerability can result in unpredictable system behavior and denial of service attacks. The third vulnerability, CVE-2025-8424 (CVSS 8.7), involves improper access control on the NetScaler Management Interface, potentially allowing unauthorized access to critical system functions.
| CVE ID | CVSS Score | Vulnerability Type | Attack Vector |
|---|---|---|---|
| CVE-2025-7775 | 9.2 | Memory Overflow/RCE | Network |
| CVE-2025-7776 | 8.8 | Memory Overflow/DoS | Network |
| CVE-2025-8424 | 8.7 | Access Control | Adjacent Network |
The vulnerabilities affect multiple supported NetScaler versions, with NetScaler ADC and Gateway 14.1 versions prior to 14.1-47.48 and 13.1 versions before 13.1-59.22 requiring immediate updates.
FIPS and NDcPP variants are also impacted, with specific patch requirements for 13.1-FIPS builds before 13.1-37.241 and 12.1-FIPS versions prior to 12.1-55.330.
Cloud Software Group has emphasized that Secure Private Access on-premises and hybrid deployments using NetScaler instances are equally vulnerable and require upgrading to recommended builds.
The vendor notes that customer-managed NetScaler deployments require manual patching, while Citrix-managed cloud services and Adaptive Authentication will receive automatic updates.
Organizations can identify vulnerable configurations by inspecting their NetScaler configurations for specific strings, including authentication virtual servers (add authentication vserver), VPN virtual servers (add vpn vserver), and load balancing configurations with IPv6 bindings.
The bulletin provides detailed configuration checks to help administrators determine their exposure to these vulnerabilities.
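The build comparison and configuration string checks described above can be scripted for triage across many appliances. The following Python is an added example, not code from the bulletin or the vendor: the function names are hypothetical, the `add lb vserver`, `add server` and `add service` line forms assume standard ns.conf syntax, and the IPv6 backend pattern is a heuristic of this example rather than the bulletin's own check.

```python
import re

# First fixed build per branch, as listed in the article.
FIXED = {"14.1": (47, 48), "13.1": (59, 22),
         "13.1-FIPS": (37, 241), "12.1-FIPS": (55, 330)}

NAME = r'("[^"]+"|\S+)'  # entity name, optionally quoted
CHECKS = {
    "auth_vserver": re.compile(r"^add authentication vserver\s+" + NAME, re.I),
    "vpn_vserver": re.compile(r"^add vpn vserver\s+" + NAME, re.I),
    # LB vservers of the affected types; exposure depends on IPv6 bindings.
    "lb_vserver": re.compile(r"^add lb vserver\s+" + NAME + r"\s+(?:HTTP_QUIC|HTTP|SSL)\b", re.I),
    # Heuristic (assumption of this example): backend defined with an IPv6 literal.
    "ipv6_backend": re.compile(r"^add (?:server|service)\s+" + NAME + r"\s+[0-9a-f]*:[0-9a-f:]+(?=\s|$)", re.I),
}

def needs_patch(version, fips=False):
    """True if older than the fixed build, False if not, None if the branch is not listed."""
    release, _, build = version.partition("-")
    fixed = FIXED.get(release + ("-FIPS" if fips else ""))
    if fixed is None or not build:
        return None
    return tuple(int(p) for p in build.split(".")[:2]) < fixed

def scan_config(text):
    """Map each check name to the entity names whose 'add' line matched."""
    hits = {k: [] for k in CHECKS}
    for line in text.splitlines():
        for key, rx in CHECKS.items():
            m = rx.match(line.strip())
            if m:
                hits[key].append(m.group(1).strip('"'))
    return hits

# Constructed sample in ns.conf syntax (not from a real appliance).
SAMPLE_CONF = """\
add authentication vserver aaa_vs SSL 0.0.0.0
add vpn vserver gw_vs SSL 203.0.113.10 443
add lb vserver web_vs HTTP 192.0.2.20 80
add lb vserver dns_vs DNS 192.0.2.21 53
add service svc6 2001:db8::10 HTTP 80
add service svc4 192.0.2.30 HTTP 80
bind lb vserver web_vs svc6
"""

if __name__ == "__main__":
    print("14.1-43.50 needs patch:", needs_patch("14.1-43.50"))
    for check, names in scan_config(SAMPLE_CONF).items():
        print(check, names)
```

A hit on `lb_vserver` together with `ipv6_backend` is a prompt to inspect the bindings by hand against the bulletin's checks, not a verdict on exposure.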
The vulnerabilities were discovered through coordinated security research efforts, with Cloud Software Group acknowledging Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmerli for their responsible disclosure practices.
This collaborative approach between security researchers and vendors demonstrates the importance of coordinated vulnerability disclosure in protecting enterprise infrastructure.
The active exploitation of CVE-2025-7775 underscores the critical nature of this security update, as threat actors have already begun targeting vulnerable NetScaler deployments.
Organizations operating these systems should prioritize immediate patching and consider implementing additional network-level protections while updates are deployed.
Given the critical nature of these vulnerabilities and confirmed active exploitation, administrators should treat this as an emergency patching cycle and establish comprehensive monitoring for any signs of compromise on their NetScaler infrastructure.