Published: Wed 27 August 2025
Prepared by: Adam Skupien, Vulnerability Security Analyst
Purpose
This bulletin addresses three vulnerabilities disclosed by Citrix on 26 August 2025 affecting customer-managed NetScaler ADC and NetScaler Gateway appliances: CVE-2025-7775 (Critical), CVE-2025-7776 (High), and CVE-2025-8424 (High). CVE-2025-7775 has been identified as a zero-day, with exploitation observed in the wild prior to disclosure. Successful exploitation could enable unauthenticated remote code execution or denial-of-service (DoS). Citrix strongly urges upgrading affected instances to the fixed builds noted below.
Vulnerability details
On 26 August 2025, Citrix published a security bulletin disclosing the following vulnerabilities.
| CVE ID | Description | CWE | CVSSv4 | Severity | Exploitation Status |
| CVE-2025-7775 | Memory overflow vulnerability leading to RCE and/or DoS | CWE-119 | 9.2 | Critical | Exploited in the wild (zero-day) |
| CVE-2025-7776 | Memory overflow vulnerability leading to unpredictable behaviour and DoS | CWE-119 | 8.8 | High | No exploitation reported |
| CVE-2025-8424 | Improper access control on the NetScaler Management Interface | CWE-284 | 8.7 | High | No exploitation reported |
The vulnerabilities affect several versions of NetScaler ADC and NetScaler Gateway, as listed below:
|
Product |
Affected Builds |
Fixed in |
|
NetScaler ADC & NetScaler Gateway 14.1 |
Before 14.1-47.48 |
14.1-47.48 and later |
|
NetScaler ADC & NetScaler Gateway 13.1 |
Before 13.1-59.22 |
13.1-59.22 and later |
|
NetScaler ADC 13.1-FIPS & 13.1-NDcPP |
Before 13.1-37.241 |
13.1-37.241 and later |
|
NetScaler ADC 12.1-FIPS & 12.1-NDcPP |
Before 12.1-55.330 |
12.1-55.330 and later |
Impact
Successful exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to:
- Execute arbitrary code with elevated privileges on the appliance (CVE-2025-7775)
- Cause denial-of-service conditions, disrupting business operations (CVE-2025-7775, CVE-2025-7776)
- Bypass access controls on the management interface (CVE-2025-8424)
Together, these risks could lead to compromise of the NetScaler appliance, loss of service availability, and a potential foothold for further attacks inside the network.
Mitigation
Citrix has advised that there are no workarounds or temporary mitigations. Customers are strongly urged to apply the fixed builds immediately.
|
Product |
Fixed Build |
|
NetScaler ADC & Gateway 14.1 |
14.1-47.48 and later |
|
NetScaler ADC & Gateway 13.1 |
13.1-59.22 and later |
|
NetScaler ADC 13.1-FIPS & 13.1-NDcPP |
13.1-37.241 and later |
|
NetScaler ADC 12.1-FIPS & 12.1-NDcPP |
12.1-55.330 and later |
Note: NetScaler ADC/Gateway versions 12.1 and 13.0 (non-FIPS/NDcPP) are End of Life (EOL) and unsupported. Customers running these versions must upgrade to a supported release to remain protected.
Detection
Verify the current version of your NetScaler ADC or NetScaler Gateway against the affected builds listed above.
Review appliance logs and monitoring systems for unusual activity, such as unexplained service restarts, anomalous management interface access, or high CPU/memory spikes.
Where possible, deploy intrusion detection/prevention signatures aligned to CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424.
Triskele Labs customers leveraging our Vulnerability Scanning and Monitor (24×7 SIEM) services are being proactively assessed and monitored for indicators of compromise (IOCs) and signs of lateral movement.
References
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938