CVE-2025-7775: A Critical NetScaler Zero-Day Under Active Exploitation

Overview

On August 26, 2025, Citrix disclosed CVE-2025-7775, a critical memory overflow vulnerability impacting NetScaler ADC and NetScaler Gateway. The flaw is rated 9.8 (CVSS v3.1) / 9.2 (CVSS v4) and, crucially, was already under active exploitation prior to public disclosure. Given NetScaler’s placement at the network edge (VPN, ICA proxy, application delivery), pre-authentication exploitation presents a direct path to initial access and service disruption.

How it Works

CVE-2025-7775 is triggered by malformed requests processed under specific virtual server configurations. Systems are exposed when operating as Gateway (VPN vServer, ICA Proxy, CVPN, RDP Proxy) or AAA vServers, as well as when load-balancing vServers are bound to IPv6 services or database/QUIC backends. HDX-type cache-redirection vServers are also affected. Crafted inputs corrupt memory (heap/buffer), enabling arbitrary code execution in the NetScaler process or unstable crashes culminating in denial-of-service. Because exploitation is pre-auth and network reachable, any internet-exposed vulnerable vServer is a viable target.

Impact and Risks

Compromise of a NetScaler appliance extends beyond device control. Attackers positioned on an edge gateway can implant web or reverse shells, hijack session tokens, and harvest credentials for identity systems backed by Active Directory. In parallel, forced crash loops cause outages for VPN and application delivery. With tens of thousands of exposed instances visible on the public internet, exploitation has scaled quickly following disclosure.

Real-Life Examples

Threat intel teams observed exploit traffic before the vendor advisory landed, indicating true zero-day use. In confirmed incidents, adversaries scanned for exposed NetScaler appliances, deployed payloads, then established persistence on the device to stage lateral movement. Multiple enterprise breaches have been traced to this CVE as the initial access vector, echoing the operational patterns seen in earlier Citrix flaws (e.g., CVE-2019-19781; CVE-2023-3519).

Key Technical Details at a Glance

Issue                  Details
CVE                    CVE-2025-7775
Severity               Critical (CVSS v3.1: 9.8; v4: 9.2)
Exploit Status         Active, zero-day exploitation observed
Affected Products      NetScaler ADC and Gateway on 12.1, 13.1, 14.1 branches in specified configurations
Risk                   Remote Code Execution or Denial of Service
Remediation            Upgrade to patched versions listed; no workarounds
Additional CVEs        CVE-2025-7776 and CVE-2025-8424 fixed by same patch
CISA KEV Inclusion     Yes; federal agencies had until August 28, 2025, to patch

Recommendations

Given the criticality and active exploitation, organizations should act immediately:

Patch Immediately:
Upgrade to the following fixed builds (or later):

  • 14.1-47.48
  • 13.1-59.22
  • 13.1-FIPS/NDcPP: 13.1-37.241
  • 12.1-FIPS/NDcPP: 12.1-55.330

Older non-supported versions (12.1, 13.0 non-FIPS) are also vulnerable; upgrade to supported releases.
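To turn the fixed-build list above into a repeatable inventory check, here is an added example (not RevelSI's, Citrix's or NetScaler's own code). The fixed builds are the ones the advisory lists; the version-string format it parses is an assumption modelled on the banner an appliance prints for its version, and the sample strings are constructed. Whether an appliance runs a FIPS/NDcPP build is passed in explicitly, because the 13.1 and 13.1-FIPS fixed builds live on different build series.

```python
"""Assess NetScaler version strings against the CVE-2025-7775 fixed builds.

Added example for this advisory; not vendor code. The input format is an
assumption (modelled on a "NetScaler NS<branch>: Build <major>.<minor>.<suffix>"
banner) and the sample strings below are constructed.
"""
import re

# Fixed builds from the advisory: (branch, is_fips_or_ndcpp) -> minimum fixed (major, minor).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Branches the advisory calls out as vulnerable but no longer supported (non-FIPS):
# there is no fixed build on these; the only remediation is moving to a supported release.
UNSUPPORTED_VULNERABLE = {"12.1", "13.0"}

# Assumed banner format (constructed for this example).
VERSION_RE = re.compile(
    r"NetScaler NS(?P<branch>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)\.(?P<suffix>\w+)"
)


def parse_version(banner):
    """Return (branch, major, minor) from a version banner, or None if it does not match."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return m.group("branch"), int(m.group("major")), int(m.group("minor"))


def assess(banner, fips=False):
    """Classify one appliance as 'patched', 'vulnerable', 'unknown-branch' or 'unparsed'."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unparsed"
    branch, major, minor = parsed
    fixed = FIXED_BUILDS.get((branch, fips))
    if fixed is not None:
        # Tuple comparison orders by build major first, then minor.
        return "patched" if (major, minor) >= fixed else "vulnerable"
    if branch in UNSUPPORTED_VULNERABLE and not fips:
        return "vulnerable"
    return "unknown-branch"


def assess_inventory(inventory):
    """inventory: iterable of (hostname, banner, fips) -> {hostname: status}."""
    return {host: assess(banner, fips) for host, banner, fips in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and banners are illustrative only.
    sample = [
        ("ns-gw-01", "NetScaler NS14.1: Build 47.48.nc, Date: Aug 2025", False),
        ("ns-gw-02", "NetScaler NS14.1: Build 47.46.nc", False),
        ("ns-lb-01", "NetScaler NS13.1: Build 37.235.nc", True),
        ("ns-old-01", "NetScaler NS13.0: Build 92.21.nc", False),
    ]
    for host, status in assess_inventory(sample).items():
        print(f"{host}: {status}")
```

Run it against the banners collected from each appliance; anything reported as "vulnerable" is a patch-or-replace item, and "unknown-branch" means the branch is outside the advisory's list and needs a manual check rather than being assumed safe.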

Reduce Exposure: Restrict internet exposure of NetScaler management interfaces. Place appliances behind firewalls or access control lists (ACLs).

Threat Hunting & Detection: Monitor logs for abnormal crashes, restarts, or suspicious traffic on VPN/LB vServers. Look for indicators of compromise (IoCs) such as web shells, modified scripts, or unauthorized sessions.
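The "abnormal crashes, restarts" signal above is easiest to operationalise as a rate check: one restart is routine, several on the same appliance within a few minutes is the crash-loop pattern the Impact section describes. The following is an added example of that check, not RevelSI's code or a NetScaler feature. The log lines are constructed and their format (ISO timestamp, hostname, message) is an assumption, not NetScaler's actual syslog layout; adapt the parser to whatever your collector emits.

```python
"""Flag appliances whose crash-restart events cluster inside a short window.

Added example for this advisory. Log format and sample lines are constructed
assumptions, not real NetScaler syslog output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: three crash restarts on ns-gw-01 inside seven minutes,
# one planned restart and one isolated crash on ns-gw-02.
SAMPLE_LOG = """\
2025-08-27T09:58:10Z ns-gw-01 packet-engine restarted (reason: crash)
2025-08-27T10:02:11Z ns-gw-01 packet-engine restarted (reason: crash)
2025-08-27T10:03:40Z ns-gw-01 packet-engine restarted (reason: crash)
2025-08-27T10:05:02Z ns-gw-01 packet-engine restarted (reason: crash)
2025-08-27T10:07:30Z ns-gw-02 packet-engine restarted (reason: scheduled maintenance)
2025-08-27T11:30:00Z ns-gw-02 packet-engine restarted (reason: crash)
"""


def parse_events(text):
    """Yield (timestamp, host, message) for each restart line; skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        if "restarted" not in parts[2]:
            continue
        yield ts, parts[1], parts[2]


def crash_loops(text, threshold=3, window=timedelta(minutes=10)):
    """Return {host: time_first_flagged} for hosts with >= threshold crash restarts in any window.

    Planned restarts (no 'crash' in the message) are ignored so maintenance does not alert.
    A per-host deque holds only timestamps inside the sliding window.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, host, msg in sorted(parse_events(text)):
        if "crash" not in msg:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in flagged:
            flagged[host] = ts
    return flagged


if __name__ == "__main__":
    for host, when in crash_loops(SAMPLE_LOG).items():
        print(f"ALERT crash loop on {host}, threshold reached at {when.isoformat()}")
```

Tune threshold and window to the appliance's normal behaviour before relying on it, and treat a hit as a trigger for the incident-response steps below rather than as proof of exploitation: a crash loop is also what a failed, unreliable exploit attempt looks like from the defender's side, so the affected appliance deserves a forensic look either way.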

Segmentation & Zero Trust: Limit NetScaler’s ability to communicate laterally within the environment. Enforce identity-centric access controls for VPN users.

Incident Response: If compromise is suspected, isolate affected appliances. Rotate all credentials and session tokens handled by the device. Perform full forensic review before returning to production.

© 2025 RevelSI — Managed Security & Incident Response