Full Report
More than 28,200 Citrix instances are vulnerable to a critical remote code execution vulnerability tracked as CVE-2025-7775 that is already being exploited in the wild. [...]
Analysis Summary
# Vulnerability: Critical Zero-Day RCE in Citrix NetScaler ADC and Gateway (CVE-2025-7775)
## CVE Details
- CVE ID: CVE-2025-7775
- CVSS Score: Not explicitly provided, but described as **critical** and being **exploited in the wild** (Zero-Day).
- CWE: Not specified in the context.
## Affected Systems
- Products: Citrix NetScaler ADC and NetScaler Gateway
- Versions:
  - 14.1 before 14.1-47.48
  - 13.1 before 13.1-59.22
  - 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP
  - 12.1-FIPS/NDcPP before 12.1-55.330-FIPS/NDcPP
  - **Note:** Versions 12.1 and 13.0 (non-FIPS/NDcPP) are also vulnerable but are End-of-Life and require immediate migration to supported releases.
- Configurations: Affects devices configured as a Gateway/AAA virtual server (VPN, ICA Proxy, CVPN, RDP Proxy), LB virtual servers (HTTP/SSL/HTTP_QUIC) bound to IPv6 or DBS IPv6 services, or as a CR virtual server with type HDX.
## Vulnerability Description
The vulnerability is a critical Remote Code Execution (RCE) flaw in Citrix NetScaler ADC and NetScaler Gateway. It has been confirmed to be exploited in the wild as a zero-day. Successful exploitation can give the attacker full control over the affected device, depending on its configuration.
## Exploitation
- Status: **Exploited in the wild (Zero-Day)**. Added to CISA's KEV catalog.
- Complexity: Implied to be relatively low given its widespread scanning and active exploitation shortly after disclosure.
- Attack Vector: Likely **Network** based, given the affected roles (Gateway, LB virtual server).
## Impact
- Confidentiality: High (Likely full compromise of gateway traffic/data)
- Integrity: High (Remote command execution)
- Availability: High (Potential system takeover or disruption)
## Remediation
### Patches
Admins must upgrade firmware immediately to the following fixed versions or later:
- **14.1**: 14.1-47.48 and later
- **13.1**: 13.1-59.22 and later
- **13.1-FIPS / 13.1-NDcPP**: 13.1-37.241 and later
- **12.1-FIPS / 12.1-NDcPP**: 12.1-55.330 and later
*Note: Users on EOL versions (12.1/13.0 non-FIPS/NDcPP) must upgrade to a supported release.*
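The affected and fixed builds above can be turned into a fleet-wide triage check. The following is an added example (not code from the article or from Citrix) that classifies NetScaler version strings against the fixed builds listed on this page; the `NetScaler NS14.1: Build 47.48.nc` input form and the hostnames are assumptions, and exposure still depends on the virtual-server roles listed under Affected Systems.

```python
import re

# First fixed build per branch, as listed in the remediation section above.
# Key: (branch, is_fips_or_ndcpp) -> (build, sub-build).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True):  (37, 241),
    ("12.1", True):  (55, 330),
}
# Non-FIPS/NDcPP lines with no fix: End-of-Life, must migrate.
EOL_BRANCHES = {"12.1", "13.0"}

# Accepts the advisory notation ("14.1-47.48", "13.1-37.241-FIPS") and, as an
# assumption, the "NetScaler NS14.1: Build 47.48.nc" form of `show ns version`.
_VERSION_RE = re.compile(r"(\d+\.\d+)[-: ]+(?:Build\s+)?(\d+)\.(\d+)", re.IGNORECASE)

def parse_version(text):
    """Return (branch, (build, sub-build), fips_or_ndcpp) or raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    branch = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))
    hardened = re.search(r"FIPS|NDcPP", text, re.IGNORECASE) is not None
    return branch, build, hardened

def assess(text):
    """Classify one version string against the CVE-2025-7775 fixed builds."""
    branch, build, hardened = parse_version(text)
    if not hardened and branch in EOL_BRANCHES:
        return "vulnerable-eol"   # no fix exists: migrate to a supported release
    key = (branch, hardened)
    if key not in FIXED_BUILDS:
        return "unknown"          # branch not covered here: consult the vendor bulletin
    return "patched" if build >= FIXED_BUILDS[key] else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and builds are made up).
    sample = {
        "gw-1": "NetScaler NS14.1: Build 47.46.nc, Date: Jan 1 2025",
        "gw-2": "14.1-47.48",
        "gw-3": "13.1-37.235-FIPS",
        "gw-4": "13.0-92.21",
    }
    for host, version in sample.items():
        print(f"{host}: {assess(version)}")
```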
### Workarounds
- Citrix **does not provide any mitigations or workarounds** and urges immediate firmware upgrading.
## Detection
- Indicators of Compromise: Vendor did not share specific IoCs associated with exploitation activity.
- Detection methods and tools: Monitor traffic to the exposed NetScaler/Gateway virtual servers for anomalous requests; the source article provides no specific IoCs or signatures for the RCE payload.
## References
- Vendor Advisory: [Citrix security bulletin regarding this flaw and others] (Link defanged)
- CISA Alert: Added to CISA KEV catalog.
- Threat Intelligence: Shadowserver Foundation monitoring of vulnerable instances.