Citrix Patches Critical NetScaler Zero-Day Exploited in the Wild

A critical remote code execution flaw in Citrix NetScaler ADC and Gateway has been exploited as a zero-day, prompting urgent patching guidance from Citrix.

CSBadmin

Citrix has released security updates addressing three vulnerabilities in NetScaler ADC and NetScaler Gateway, including a critical zero-day tracked as CVE-2025-7775. The flaw, a memory overflow bug, allows unauthenticated attackers to execute arbitrary code remotely on vulnerable appliances. Citrix confirmed that this weakness has already been exploited in attacks, with no mitigations available for unpatched systems.

The critical bug affects appliances configured as Gateways (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual servers, as well as load-balancing servers bound with IPv6 or DBS IPv6 services. Devices configured with CR virtual servers of type HDX are also vulnerable. Citrix’s advisory urges administrators to immediately verify configurations and upgrade firmware. Affected versions include NetScaler ADC and Gateway 13.1, 14.1, 13.1-FIPS, and NDcPP.
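As an added example (not code from Citrix or from this article), the configuration check described above can be scripted against a saved copy of the appliance's `ns.conf`. It assumes the standard NetScaler CLI forms (`add vpn vserver`, `add authentication vserver`, `add cr vserver <name> HDX`, `add server ... -queryType AAAA`, `bind lb vserver <name> <service>`); the function name, finding labels, and sample configuration are constructed for illustration.

```python
import shlex

# Constructed ns.conf excerpt for illustration (not from a real appliance).
SAMPLE_NS_CONF = """\
add server srv_v4 192.0.2.10
add server srv_v6 2001:db8::10
add server srv_dbs app.example.test -queryType AAAA
add service svc_v4 srv_v4 HTTP 80
add service svc_v6 srv_v6 HTTP 80
add serviceGroup sg_dbs HTTP
bind serviceGroup sg_dbs srv_dbs 80
bind lb vserver lb_internal svc_v4
bind lb vserver lb_public svc_v6
bind lb vserver lb_api sg_dbs
add vpn vserver gw_main SSL 192.0.2.30 443
add authentication vserver aaa_main SSL 192.0.2.31 443
add cr vserver cr_hdx HDX 192.0.2.32 443
add cr vserver cr_http HTTP 192.0.2.33 80
"""

def exposure_findings(conf_text):
    """Return sorted (condition, vserver) pairs for the configurations the article lists."""
    rows = [shlex.split(ln) for ln in conf_text.splitlines()]  # keeps "quoted names" whole
    rows = [[t[0].lower(), t[1].lower()] + t[2:] for t in rows if len(t) >= 4]
    # Pass 1: servers with an IPv6 literal, or domain-based (DBS) servers resolving AAAA.
    v6_servers = set()
    for t in rows:
        if t[:2] == ["add", "server"]:
            opts = [x.lower() for x in t[4:]]
            dbs_v6 = "-querytype" in opts and opts[opts.index("-querytype") + 1:][:1] == ["aaaa"]
            if ":" in t[3] or dbs_v6:
                v6_servers.add(t[2])
    # Pass 2: services and service groups that point at those servers.
    v6_backends = set()
    for t in rows:
        is_v6 = t[3] in v6_servers or ":" in t[3]
        if t[:2] in (["add", "service"], ["bind", "servicegroup"]) and is_v6:
            v6_backends.add(t[2])
    # Pass 3: virtual servers matching any of the listed conditions.
    findings = set()
    for t in rows:
        head = (t[0], t[1], t[2].lower())
        if head in (("add", "vpn", "vserver"), ("add", "authentication", "vserver")):
            findings.add(("gateway_or_aaa", t[3]))
        elif head == ("add", "cr", "vserver") and len(t) > 4 and t[4].upper() == "HDX":
            findings.add(("cr_hdx", t[3]))
        elif head == ("bind", "lb", "vserver") and len(t) > 4 and t[4] in v6_backends:
            findings.add(("lb_ipv6_backend", t[3]))
    return sorted(findings)
```

An empty result only means none of these patterns matched the file; Citrix's advisory remains the authority on which configurations are affected. A line that cannot be tokenized raises `ValueError` rather than being skipped silently.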

Image: Citrix NetScaler ADC. Source: citrix.com.

Beyond CVE-2025-7775, Citrix fixed two additional vulnerabilities: CVE-2025-7776, another memory overflow bug that could cause denial of service, and CVE-2025-8424, an improper access control flaw affecting the management interface. All three issues were reported by researchers from Horizon3.ai, Schramm & Partnerfor, and security expert François Hämmerli. Citrix has not disclosed indicators of compromise or detailed exploitation methods but stresses the urgency of patching as attackers actively target exposed appliances.

This marks another serious incident following June’s “Citrix Bleed 2” (CVE-2025-5777), a memory disclosure bug that was exploited weeks before proof-of-concept code went public. The recurrence of zero-day exploitation in widely deployed NetScaler appliances highlights the continuing attention attackers place on these critical network entry points.

Organizations running NetScaler ADC or Gateway should apply Citrix’s latest patches without delay and review system configurations for exposure to IPv6 or Gateway services. Since no mitigations exist, timely upgrades are the only defense. Administrators should also monitor systems for suspicious activity, enforce strong access controls on management interfaces, and incorporate proactive vulnerability management practices. With zero-days increasingly weaponized against edge appliances, maintaining rapid patching workflows is essential to reduce organizational risk.
