Multiple critical vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) affect Citrix NetScaler ADC and Gateway appliances. CVE-2025-7775 is a pre-auth memory overflow allowing remote code execution or denial of service, assigned CVSS 9.2, and is being used in the wild to drop webshells and backdoor appliances. Active exploitation increases the likelihood of persistent access, so affected organizations will likely require incident response. Citrix confirmed exploitation of CVE-2025-7775 on unpatched appliances, offered patches for supported builds only, and noted end-of-life NetScaler 12.0 and 13.0 will not receive fixes.
The flaws, tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, affect NetScaler ADC and NetScaler Gateway appliances. Security researcher Kevin Beaumont confirmed that they've been used as zero-days, meaning attackers were inside before the vendor's patch cycle caught up. He singled out CVE-2025-7775 as "the main problem" - a pre-auth remote code execution bug that's being abused to drop webshells and backdoor appliances.
Citrix itself describes it as a memory overflow bug that can be abused for remote code execution or denial of service, and it's been slapped with a CVSS score of 9.2. Beaumont added that affected organizations will likely need to carry out incident response, given the risk of persistent access after exploitation. In a security bulletin on Tuesday, Citrix admitted that CVE-2025-7775 has already been exploited on unpatched appliances.