Three high-severity vulnerabilities affect Citrix NetScaler ADC and NetScaler Gateway: CVE-2025-7775 (CVSS 9.2) enabling remote code execution or denial-of-service, CVE-2025-7776 (CVSS 8.8) causing unpredictable behavior or denial-of-service, and CVE-2025-8424 (CVSS 8.7) related to improper access control of the management interface. Exploits targeting CVE-2025-7775 on unmitigated appliances have been observed. Each vulnerability requires specific configuration prerequisites to be exploitable, such as Gateway, certain load-balancing virtual server types with IPv6 or DBS, PCoIP profiles, or access to management IPs. Fixes are available in recent 14.1, 13.1 and 13.1-FIPS/NDcPP releases; no workarounds are provided.
- CVE-2025-7775 (CVSS score: 9.2) - Memory overflow vulnerability leading to Remote Code Execution and/or Denial-of-Service
- CVE-2025-7776 (CVSS score: 8.8) - Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial-of-Service
- CVE-2025-8424 (CVSS score: 8.7) - Improper access control on the NetScaler Management Interface
The company acknowledged that "exploits of CVE-2025-7775 on unmitigated appliances have been observed," but stopped short of sharing additional details.
The issues have been resolved in the following versions, with no available workarounds:

- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-
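Because no workarounds exist, the practical defender task is to compare every appliance's build string against the fixed builds listed above. The following triage script is an added example, not code from Citrix or from the article: it parses NetScaler build strings such as "14.1-47.48", compares them per branch against the fixed builds the advisory names, and flags anything below them. The 12.1-FIPS/NDcPP fixed build is cut off in the text, so that branch is reported as unknown; the inventory is constructed sample data, and the script checks build numbers only, not the configuration prerequisites (Gateway, IPv6/DBS virtual servers, PCoIP, management-interface exposure) that the advisory says each CVE also needs.

```python
import re

# Fixed builds taken from the advisory text above, keyed by
# (branch, is_fips_or_ndcpp). The 12.1-FIPS/NDcPP build is truncated on
# the page, so it is deliberately absent and reports as unknown.
FIXED_BUILDS = {
    ("14.1", False): (47, 48),    # 14.1-47.48
    ("13.1", False): (59, 22),    # 13.1-59.22
    ("13.1", True): (37, 241),    # 13.1-FIPS / 13.1-NDcPP 13.1-37.241
}

# NetScaler build strings look like "<branch>-<major>.<minor>", e.g. 14.1-47.48
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_build(version: str):
    """Split '14.1-47.48' into ('14.1', 47, 48); raise on unexpected input."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler build string: {version!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def is_patched(version: str, fips_or_ndcpp: bool = False):
    """True if the build is at or above the fixed build for its branch,
    False if below it, None if the advisory gives no fixed build for it.
    FIPS/NDcPP is a separate build line, so the caller must say which one."""
    branch, major, minor = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, fips_or_ndcpp))
    if fixed is None:
        return None
    return (major, minor) >= fixed


def triage(inventory):
    """inventory: iterable of (hostname, version, fips_or_ndcpp). Returns a
    hostname -> verdict mapping suitable for a patch-priority report."""
    verdicts = {}
    for host, version, fips in inventory:
        result = is_patched(version, fips)
        if result is None:
            verdicts[host] = "unknown-branch"
        elif result:
            verdicts[host] = "patched"
        else:
            verdicts[host] = "VULNERABLE"
    return verdicts


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-47.46", False),
    ("ns-gw-02", "14.1-47.48", False),
    ("ns-lb-03", "13.1-59.19", False),
    ("ns-fips-04", "13.1-37.241", True),
    ("ns-old-05", "12.1-55.300", True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```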