Thousands of Citrix NetScaler appliances remain exposed to three disclosed vulnerabilities, with vulnerable systems dropping from over 28,000 to 13,000 after rapid patching efforts. One critical flaw, CVE-2025-7775 (dubbed CitrixBleed 3), is a memory overflow that enables pre-auth remote code execution or denial-of-service and has a CVSS score of 9.2. Active exploitation has been observed, including web shell installation on unpatched devices. CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities catalogue, mandating patching for US federal agencies. National authorities warned of likely mass exploitation while vendor mitigation guidance remained limited.
Citrix's rushed-out fixes covered three bugs: CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. CVE-2025-7775 - already dubbed CitrixBleed 3 by some - is the one to worry about: Citrix describes it as a memory overflow weakness that can be abused for remote code execution or denial-of-service, and it has been assigned a CVSS score of 9.2. Security researcher Kevin Beaumont stated that the flaw was being exploited as a pre-auth RCE to plant web shells on unpatched boxes.
CISA has now added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalogue, effectively making patching mandatory for US federal agencies. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," the US cybersecurity agency warns. The Dutch National Cyber Security Centre (NCSC-NL) has been busy sounding alarm bells too, warning that mass-exploitation of the NetScaler vulnerability is likely.
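A KEV listing turns "patch soon" into a dated obligation, so the practical question for a fleet owner is which appliances carry a KEV-listed CVE and how far past the due date they are. The following Python script is an added example, not code from the article, Citrix or CISA: it indexes a feed in the layout of CISA's KEV JSON (the `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate` fields are the real feed's names), cross-references it against an inventory of appliances and their unpatched CVEs, and flags hosts whose due date has passed. The sample feed entries, their dates and the hostnames are constructed placeholders, not values taken from the article.

```python
"""Cross-reference an appliance inventory's unpatched CVEs against a KEV-format feed.

Added example. The sample below is constructed in the field layout of the CISA
KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the dates,
the second entry and the hostnames are placeholders, not values from the article.
"""
import json
from datetime import date

# Constructed KEV-format sample; dateAdded/dueDate are placeholders.
KEV_SAMPLE = json.dumps({
    "title": "Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-7775", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway",
         "dateAdded": "2025-08-26", "dueDate": "2025-08-28"},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    ],
})

# Constructed inventory: host -> CVEs its current build is still exposed to.
INVENTORY = {
    "ns-gw-01.example.internal": ["CVE-2025-7775", "CVE-2025-7776", "CVE-2025-8424"],
    "ns-gw-02.example.internal": ["CVE-2025-8424"],
    "ns-gw-03.example.internal": [],
}


def load_kev(feed_json):
    """Index a KEV-format feed by upper-cased CVE id for constant-time lookups."""
    data = json.loads(feed_json)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def kev_exposure(inventory, kev_index, today):
    """Per host, list the KEV-listed CVEs it is exposed to, sorted by urgency.

    `today` may be a date or an ISO date string. days_left < 0 means the KEV
    due date has already passed. CVEs not in KEV are skipped here: they still
    need patching, but carry no KEV due date.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for host, cves in inventory.items():
        hits = []
        for cve in cves:
            entry = kev_index.get(cve.upper())
            if entry is None:
                continue
            due = date.fromisoformat(entry["dueDate"])
            hits.append({
                "cve": entry["cveID"],
                "product": entry["product"],
                "due": entry["dueDate"],
                "days_left": (due - today).days,
            })
        report[host] = sorted(hits, key=lambda h: h["days_left"])
    return report


def overdue_hosts(report):
    """Hosts with at least one KEV-listed CVE past its due date."""
    return sorted(host for host, hits in report.items()
                  if any(hit["days_left"] < 0 for hit in hits))


if __name__ == "__main__":
    index = load_kev(KEV_SAMPLE)
    rep = kev_exposure(INVENTORY, index, "2025-08-29")
    for host, hits in rep.items():
        print(host, hits or "no KEV-listed exposure")
    print("overdue:", overdue_hosts(rep))
```

In practice the feed would be fetched from CISA rather than embedded, and the inventory would come from whatever tracks appliance firmware builds; the matching logic stays the same.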
Fresh data from the Shadowserver Foundation shows that the number of vulnerable systems dropped from more than 28,000 on Wednesday to 13,000 on Thursday, suggesting that admins have been scrambling to patch. Even so, thousands remain open to attack, with more than 7,500 affected devices in the US, over 4,000 in Germany, and more than 1,200 in the UK. The findings underscore what security researchers have long warned: patch lag is leaving enterprises wide open, even when the vendor has already confirmed exploitation.