Full Report
Citrix fixed three NetScaler ADC and NetScaler Gateway flaws today, including a critical remote code execution flaw tracked as CVE-2025-7775 that was actively exploited in attacks as a zero-day vulnerability. [...]
Analysis Summary
# Vulnerability: Critical RCE in Citrix NetScaler ADC and Gateway (CVE-2025-7775)
## CVE Details
- CVE ID: CVE-2025-7775
- CVSS Score: (Score not explicitly provided, but described as **critical**)
- CWE: (Not specified, but described as a memory overflow bug)
## Affected Systems
- Products: NetScaler ADC and NetScaler Gateway
- Versions:
  - NetScaler ADC and NetScaler Gateway: BEFORE 14.1-47.48
  - NetScaler ADC and NetScaler Gateway: BEFORE 13.1-59.22
  - NetScaler ADC 13.1-FIPS and NDcPP: BEFORE 13.1-37.241-FIPS and NDcPP
  - NetScaler ADC 12.1-FIPS and NDcPP: BEFORE 12.1-55.330-FIPS and NDcPP
- Configurations: Vulnerable if the NetScaler is configured as:
  1. Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.
  2. For ADC/Gateway 13.1, 14.1, 13.1-FIPS, and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers.
  3. For ADC/Gateway 13.1, 14.1, 13.1-FIPS, and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers.
  4. CR virtual server with type HDX.
## Vulnerability Description
The critical flaw, CVE-2025-7775, is a memory overflow bug that permits unauthenticated, remote code execution (RCE) on vulnerable and improperly configured devices. Two other vulnerabilities were patched concurrently: CVE-2025-7776 (memory overflow leading to DoS) and CVE-2025-8424 (improper access control on the Management Interface).
## Exploitation
- Status: **Actively exploited in the wild** (Observed being exploited as a zero-day vulnerability on unpatched devices).
- Complexity: (Likely Low, given the unauthenticated and remote nature, but not explicitly stated).
- Attack Vector: Network (Implied by RCE and unauthenticated access requirement).
## Impact
- Confidentiality: High (Potential for unauthorized data access via RCE)
- Integrity: High (Potential for system modification/compromise via RCE)
- Availability: High (Potential for denial of service via RCE or secondary DoS flaw CVE-2025-7776)
## Remediation
### Patches
Citrix strongly recommends upgrading to firmware containing the fix. The builds named under Affected Systems (14.1-47.48, 13.1-59.22, 13.1-37.241-FIPS/NDcPP, 12.1-55.330-FIPS/NDcPP) are the boundaries: any build *before* them on the corresponding branch must be updated. Admins should refer to the Citrix advisory (CTX694938) for the exact patched versions.
### Workarounds
**No mitigations are available** to protect against potential exploitation of CVE-2025-7775. Immediate upgrading is required.
## Detection
- Indicators of Compromise (IoCs): Citrix has not shared specific IoCs for this vulnerability.
- Detection methods and tools: Customers should consult the vendor advisory (CTX694938) for configuration checks to determine if their device is running a vulnerable configuration profile.
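The Affected Systems list and the Detection item above both reduce to two questions per appliance: is the running build earlier than the fixed build for its branch, and does the configuration match one of the four exposed profiles? The following script is an added example (not from the article, the summary, or Citrix) that encodes exactly the boundaries and profiles listed in this summary. It assumes NetScaler version strings of the form `major.minor-build.patch` with an optional `-FIPS`/`-NDcPP` suffix, and it takes the virtual-server inventory as a constructed list of dicts rather than reading `ns.conf`; the `FIXED_BUILDS` table, the `vservers` dict shape and the sample fleet are all assumptions made for the example. The vendor advisory (CTX694938) remains the authoritative source.

```python
import re

# Fixed builds exactly as listed in the Affected Systems section of this summary
# (mapping built for this example; the vendor advisory is authoritative).
# Key: (release branch, FIPS/NDcPP variant) -> first build that carries the fix.
# Any build strictly BEFORE the value is affected.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Assumed format: 14.1-47.46 or, for the FIPS/NDcPP trains, 13.1-37.235-FIPS.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def parse_version(text):
    """Split a NetScaler version string into (branch, (build, patch), is_fips_or_ndcpp)."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, patch, variant = m.groups()
    return f"{major}.{minor}", (int(build), int(patch)), variant is not None


def version_is_vulnerable(text, fips=False):
    """True if the build predates the fix, False if fixed, None if the branch/variant is not in the summary."""
    branch, build, variant = parse_version(text)
    fixed = FIXED_BUILDS.get((branch, fips or variant))
    if fixed is None:
        return None
    return build < fixed


def configuration_exposed(text, vservers, fips=False):
    """Apply the four configuration profiles from the summary to a list of virtual servers.

    Each vserver is a constructed dict such as {"kind": "lb", "type": "HTTP", "ipv6_backends": True}.
    kind is one of vpn, aaa, lb, cr; ipv6_backends covers both IPv6 services and IPv6 DBS servers.
    """
    branch, _, _ = parse_version(text)
    for vs in vservers:
        kind = vs["kind"].lower()
        vtype = vs.get("type", "").upper()
        if kind in ("vpn", "aaa"):                  # profile 1: Gateway or AAA vserver
            return True
        if kind == "cr" and vtype == "HDX":         # profile 4: CR vserver of type HDX
            return True
        if (kind == "lb" and vtype in ("HTTP", "SSL", "HTTP_QUIC")
                and vs.get("ipv6_backends") and branch != "12.1"):
            return True                             # profiles 2 and 3 (summary lists 13.1/14.1/FIPS/NDcPP only)
    return False


def assess(text, vservers, fips=False):
    """Combine both checks: None if undecidable, otherwise True only when unpatched AND exposed."""
    vuln = version_is_vulnerable(text, fips)
    if vuln is None:
        return None
    return vuln and configuration_exposed(text, vservers, fips)


if __name__ == "__main__":
    # Constructed sample inventory for the example, not real appliances.
    fleet = [
        ("14.1-47.46", [{"kind": "vpn"}], False),
        ("14.1-47.48", [{"kind": "vpn"}], False),
        ("13.1-59.19", [{"kind": "lb", "type": "SSL", "ipv6_backends": True}], False),
        ("13.1-59.19", [{"kind": "lb", "type": "SSL", "ipv6_backends": False}], False),
        ("12.1-55.320-FIPS", [{"kind": "lb", "type": "HTTP", "ipv6_backends": True}], True),
        ("13.1-37.235-FIPS", [{"kind": "cr", "type": "HDX"}], True),
    ]
    for version, vservers, fips in fleet:
        print(f"{version:<20} at_risk={assess(version, vservers, fips)}")
```

`assess` returns `None` rather than `False` when the branch is not in the table, so an appliance on an unlisted train is reported as undecided instead of silently marked safe. The version check and the profile check are kept separate on purpose: since the summary states that no workaround exists, an unpatched build should still be upgraded even when the inventory shows no exposed profile today.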
## References
- Vendor Advisories: CTX694938
- Relevant links:
  - hxxps://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938