
Citrix NetScaler ADC and Gateway 0-Day RCE Vulnerability Actively Exploited in Attacks

Cloud Software Group has disclosed multiple high-severity vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that can lead to remote code execution (RCE) and denial of service (DoS).

Exploitation of CVE-2025-7775 has been observed in the wild against unmitigated appliances, and customers are urged to upgrade immediately.

Affected versions include NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.48 and 13.1 before 13.1-59.22, plus NetScaler ADC 13.1-FIPS/NDcPP before 13.1-37.241 and 12.1-FIPS/NDcPP before 12.1-55.330.


Secure Private Access on-prem and SPA Hybrid deployments that use NetScaler instances are also affected and require the same NetScaler upgrades. Note that NetScaler ADC/Gateway 12.1 and 13.0 mainstream branches are End of Life and no longer supported; customers should move to supported builds that remediate these flaws.

CVE-2025-7775 Under Active Attack

Three CVEs were published with CVSS v4.0 base scores between 8.7 and 9.2. CVE-2025-7775 (CVSS 9.2) is a memory overflow that can enable RCE and/or DoS.

It is triggerable when any of the following is configured:

  • the appliance acts as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server;
  • a load balancing virtual server of type HTTP, SSL or HTTP_QUIC is bound to IPv6 services or service groups (including domain-based services that resolve to IPv6 addresses via DNS);
  • a content routing (CR) virtual server is configured with type HDX.

CVE-2025-7776 (CVSS 8.8) is another memory overflow that can cause unpredictable behavior and DoS when a Gateway (VPN vserver) has a PCoIP profile bound.

CVE-2025-8424 (CVSS 8.7) is an improper access control issue on the management interface; exploitation requires access to NSIP, Cluster Management IP, local GSLB Site IP, or a SNIP with management access, and is scored with an adjacent network attack vector.

There are no workarounds. Cloud Software Group strongly advises upgrading to fixed releases: NetScaler ADC and Gateway 14.1-47.48 or later; 13.1-59.22 or later; NetScaler ADC 13.1-FIPS/13.1-NDcPP 13.1-37.241 or later; and 12.1-FIPS/12.1-NDcPP 12.1-55.330 or later.


SPA customers should upgrade all NetScaler instances underpinning on-prem or hybrid deployments. Where possible, also restrict management plane exposure to dedicated admin networks and ensure access controls on NSIP/CLIP/SNIP/GSLB IPs are tightly enforced.

Customers can quickly determine exposure by reviewing ns.conf and running configuration for telltale entries:

  • For CVE-2025-7775: presence of AAA or Gateway vservers (e.g., “add authentication vserver …”, “add vpn vserver …”); LB vservers of type HTTP/SSL/HTTP_QUIC bound to IPv6 services or IPv6 servers (including DNS AAAA resolution); CR vservers of type HDX.
  • For CVE-2025-7776: Gateway (VPN vserver) with a PCoIP profile bound (e.g., “-pcoipVserverProfileName …”).
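The two checks above can be scripted against a copy of ns.conf taken off the appliance (for example via scp from /nsconfig/ns.conf). The following is an added example written for this page, not a tool from Cloud Software Group; the ns.conf fragment it parses is constructed for the demonstration, and the object names (aaa_vs, gw_vs, sg_dns and so on) are invented. It goes one step beyond a plain grep by resolving service and service group bindings back to their server definitions, so an HTTP/SSL/HTTP_QUIC LB vserver is only flagged when it actually reaches an IPv6 backend, and domain-based servers without -queryType AAAA are reported as "possible" because ns.conf alone does not say what DNS will return at runtime.

```python
import ipaddress
import shlex
from collections import defaultdict

# Constructed ns.conf fragment for demonstration; not taken from a real appliance.
SAMPLE_NS_CONF = """\
add authentication vserver aaa_vs SSL 10.0.0.10 443
add vpn vserver gw_vs SSL 10.0.0.11 443
set vpn vserver gw_vs -pcoipVserverProfileName pcoip_prof
add server web6 2001:db8::10
add server web4 10.0.1.10
add server web_dns www.example.com -queryType AAAA
add server app_dns app.example.com
add service svc_web6 web6 HTTP 80
add service svc_web4 web4 HTTP 80
add serviceGroup sg_dns HTTP
bind serviceGroup sg_dns web_dns 80
add serviceGroup sg_app SSL
bind serviceGroup sg_app app_dns 443
add lb vserver lb_web HTTP 10.0.0.12 80
add lb vserver lb_api SSL 10.0.0.13 443
add lb vserver lb_dns HTTP_QUIC 10.0.0.14 443
add lb vserver lb_tcp TCP 10.0.0.16 3306
bind lb vserver lb_web svc_web6
bind lb vserver lb_api svc_web4
bind lb vserver lb_api sg_app
bind lb vserver lb_dns sg_dns
bind lb vserver lb_tcp svc_web6
bind lb vserver lb_web -policyName rsp_pol -priority 100
add cr vserver cr_hdx HDX 10.0.0.15 443
"""


def classify_address(addr, query_type=None):
    """Return 'ipv6', 'ipv4' or 'domain' for an 'add server' / 'add service' address.

    A domain-based server counts as IPv6 only when '-queryType AAAA' is set;
    otherwise the configuration file cannot tell us what DNS will resolve to.
    """
    try:
        return "ipv6" if ipaddress.ip_address(addr).version == 6 else "ipv4"
    except ValueError:
        return "ipv6" if (query_type or "").upper() == "AAAA" else "domain"


def _opt(tokens, flag):
    """Value following '-flag' in a command, '' if the flag has no value, None if absent."""
    if flag not in tokens:
        return None
    i = tokens.index(flag)
    return tokens[i + 1] if i + 1 < len(tokens) else ""


def assess(conf_text):
    """Walk ns.conf text and return (cve, object, reason) tuples for exposed configurations."""
    servers, services = {}, {}          # name -> 'ipv6' | 'ipv4' | 'domain'
    groups = defaultdict(list)          # servicegroup -> member address classes
    lb_type, lb_bind = {}, defaultdict(list)
    findings = []
    for line in conf_text.splitlines():
        t = shlex.split(line)
        if len(t) < 4:
            continue
        head = tuple(x.lower() for x in t[:3])
        if head == ("add", "authentication", "vserver"):
            findings.append(("CVE-2025-7775", t[3], "AAA vserver configured"))
        elif head[1:] == ("vpn", "vserver"):
            if head[0] == "add":
                findings.append(("CVE-2025-7775", t[3], "Gateway (VPN vserver) configured"))
            if _opt(t, "-pcoipVserverProfileName") is not None:
                findings.append(("CVE-2025-7776", t[3], "PCoIP profile bound to Gateway"))
        elif head[:2] == ("add", "server"):
            servers[t[2]] = classify_address(t[3], _opt(t, "-queryType"))
        elif head[:2] == ("add", "service"):
            # Second argument is either a server name or a literal IP address.
            services[t[2]] = servers.get(t[3]) or classify_address(t[3])
        elif head[:2] == ("bind", "servicegroup") and not t[3].startswith("-"):
            groups[t[2]].append(servers.get(t[3]) or classify_address(t[3]))
        elif head == ("add", "lb", "vserver") and len(t) > 4:
            lb_type[t[3]] = t[4].upper()
        elif head == ("bind", "lb", "vserver") and len(t) > 4 and not t[4].startswith("-"):
            lb_bind[t[3]].append(t[4])          # policy bindings (-policyName ...) are skipped
        elif head == ("add", "cr", "vserver") and len(t) > 4 and t[4].upper() == "HDX":
            findings.append(("CVE-2025-7775", t[3], "CR vserver of type HDX"))

    # Only HTTP/SSL/HTTP_QUIC LB vservers matter; resolve each binding to its backend address class.
    for vs, vtype in lb_type.items():
        if vtype not in ("HTTP", "SSL", "HTTP_QUIC"):
            continue
        for target in lb_bind[vs]:
            classes = [services[target]] if target in services else groups.get(target, [])
            if "ipv6" in classes:
                findings.append(("CVE-2025-7775", vs, f"{vtype} vserver bound to IPv6 backend via {target}"))
            elif "domain" in classes:
                findings.append(("CVE-2025-7775 (possible)", vs,
                                 f"{vtype} vserver bound to domain-based backend {target}; check runtime resolution"))
    return findings


if __name__ == "__main__":
    for cve, obj, reason in assess(SAMPLE_NS_CONF):
        print(f"{cve:<26} {obj:<10} {reason}")
```

On the sample, the TCP vserver bound to an IPv6 service is correctly not reported (the advisory limits the LB condition to HTTP/SSL/HTTP_QUIC), while lb_api is only reported as "possible" because its domain-based service group could resolve to AAAA records at runtime; confirm that case with `show server` or `show serviceGroup` on the appliance. A clean run tells you nothing about whether the box has already been attacked, so pair it with the log and crash review described below.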

Given active exploitation of CVE-2025-7775, organizations should prioritize patching internet-exposed Gateways and any appliances with IPv6-enabled LB vservers. Monitor for crashes, unexpected restarts, and anomalous management-plane access, and review logs for suspicious activity around affected virtual servers.

Cloud Software Group credited Jimi Sebree (Horizon3.ai), Jonathan Hetzer (Schramm & Partner), and François Hämmerli for responsible disclosure.


The post Citrix NetScaler ADC and Gateway 0-Day RCE Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.
