CVE-2025-7775: Memory Overflow Vulnerability in Citrix NetScaler ADC and Gateway
Overview of CVE-2025-7775 Citrix NetScaler
On August 26, 2025, Citrix patched CVE-2025-7775, a memory overflow vulnerability in NetScaler ADC and NetScaler Gateway appliances that can be triggered by an unauthenticated remote attacker and leads to remote code execution (RCE) and/or denial of service. Citrix confirmed in its advisory that exploits against unmitigated appliances had already been observed in the wild, and stressed that there are no workarounds: the only remediation is to upgrade to a fixed build.
That same day, CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog with an unusually short deadline, giving federal agencies 48 hours (until August 28, 2025) to remediate.
Affected Citrix NetScaler Assets
The vulnerability is only reachable when the appliance is in one of the following configurations, so an accurate inventory of how each NetScaler is deployed is the first step in exposure assessment:
- NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server.
- NetScaler configured with a Load Balancing (LB) virtual server of type HTTP, SSL or HTTP_QUIC that is bound to IPv6 services, or to service groups bound to IPv6 servers; the same applies when the LB virtual server is bound to DBS IPv6 services or service groups bound to DBS IPv6 servers.
- NetScaler configured with a Cache Redirection (CR) virtual server of type HDX.
There are no workarounds; the only effective remediation is upgrading to a fixed build. Note that 12.1 and 13.0 (non-FIPS) are end of life and receive no fix, so appliances on those branches must be upgraded to a supported branch. The fixed builds are:
- 14.1‑47.48+
- 13.1‑59.22+
- 13.1‑FIPS/NDcPP 13.1‑37.241+
- 12.1‑FIPS/NDcPP 12.1‑55.330+
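Comparing a running build against the fixed versions above is the check most teams end up scripting, and it is easy to get wrong if build numbers are compared as strings (47.9 sorts after 47.48 lexically). The following helper is an added example, not code from the Citrix advisory or from IONIX. It assumes the version line has the shape produced by `show ns version` (for example `NetScaler NS14.1: Build 47.46.nc, Date: ...`), which is an assumption about the output format, and it takes a flag for FIPS/NDcPP appliances because those branches have their own fixed builds. The sample version lines in `triage_sample_inventory` are constructed for illustration.

```python
import re

# Minimum fixed builds per Citrix advisory CTX694938, keyed by
# (major.minor branch, is FIPS/NDcPP build).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Assumed shape of the `show ns version` output, e.g.
#   "NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025, 08:57:38"
# Only the branch (NS14.1) and the numeric build (47.46) are used.
_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(show_ns_version: str):
    """Return (branch, (build_major, build_minor)) from a version line."""
    m = _VERSION_RE.search(show_ns_version)
    if not m:
        raise ValueError(f"unrecognised version line: {show_ns_version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def fixed_build_for(branch: str, fips_or_ndcpp: bool):
    """Fixed build for this branch, or None if the branch receives no fix."""
    return FIXED_BUILDS.get((branch, fips_or_ndcpp))


def is_vulnerable_build(show_ns_version: str, fips_or_ndcpp: bool = False) -> bool:
    """True when the build is below the fixed build for its branch.

    Build numbers are compared as integer tuples, not strings, so that
    47.9 is correctly treated as older than 47.48.
    Branches without a fixed build (12.1 non-FIPS and 13.0 are end of
    life) are reported as vulnerable so they are not silently skipped.
    """
    branch, build = parse_version(show_ns_version)
    fixed = fixed_build_for(branch, fips_or_ndcpp)
    if fixed is None:
        return True
    return build < fixed


def triage(show_ns_version: str, fips_or_ndcpp: bool = False) -> str:
    """Human-readable verdict for one appliance."""
    branch, build = parse_version(show_ns_version)
    fixed = fixed_build_for(branch, fips_or_ndcpp)
    label = f"{branch}{'-FIPS/NDcPP' if fips_or_ndcpp else ''} build {build[0]}.{build[1]}"
    if fixed is None:
        return f"{label}: end-of-life branch, no fix available, upgrade branch"
    if build < fixed:
        return f"{label}: VULNERABLE, upgrade to {branch}-{fixed[0]}.{fixed[1]} or later"
    return f"{label}: fixed"


def triage_sample_inventory():
    """Run triage over a constructed inventory (sample data, not real hosts)."""
    inventory = [
        ("gw-01", "NetScaler NS14.1: Build 47.46.nc, Date: Jun 10 2025", False),
        ("gw-02", "NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025", False),
        ("lb-03", "NetScaler NS13.1: Build 59.19.nc, Date: Jul 01 2025", False),
        ("fips-04", "NetScaler NS13.1: Build 37.235.nc, Date: May 05 2025", True),
        ("old-05", "NetScaler NS13.0: Build 92.31.nc, Date: Jan 15 2025", False),
    ]
    return {name: triage(line, fips) for name, line, fips in inventory}


if __name__ == "__main__":
    for host, verdict in triage_sample_inventory().items():
        print(f"{host:8} {verdict}")
```

Feed the function the raw `show ns version` line collected from each appliance (over SSH or from your CMDB) and keep the FIPS flag as a separate inventory attribute, since the same `13.1` branch string maps to different fixed builds on FIPS/NDcPP hardware. A version check only tells you whether the code is present; whether the appliance is actually reachable through one of the vulnerable configurations above still has to be confirmed from `show vpn vserver`, `show authentication vserver`, `show lb vserver` and `show cr vserver`.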
Potential Risk
This vulnerability is not an isolated event; it is the latest in a run of NetScaler edge-device flaws:
- It arrives on the heels of CitrixBleed 2 (CVE-2025-5777), an out-of-bounds memory read that leaked session tokens and credentials from appliance memory, up to 127 bytes per request. Because a stolen session token can be replayed, that flaw undermined even MFA-protected sessions.
- As of early August, Shadowserver telemetry showed 3,312 NetScaler appliances still vulnerable to CitrixBleed 2, and 4,142 still at risk from CVE-2025-6543 (another memory overflow leading to DoS that was also exploited in the wild).
- The CVE-2025-7775 fix ships in the same advisory as CVE-2025-7776 (a further memory overflow leading to unpredictable behavior and DoS) and CVE-2025-8424 (improper access control on the NetScaler management interface). Of the three, Citrix reported observed exploitation only for CVE-2025-7775, but all three are fixed by the same builds, so a single upgrade closes all of them.
For external exposure teams the risk is clear: an unpatched NetScaler sits at the network edge, and the recent history of chained Citrix bugs shows how quickly such a foothold turns into credential theft, lateral movement and broader enterprise compromise.
Mitigation for CVE-2025-7775
Citrix has released security advisory CTX694938 detailing the affected versions and the remediation steps. Organizations should:
- Apply the fixed builds immediately. Citrix lists no workarounds for CVE-2025-7775, so upgrading is the only remediation; fixed builds are available from Citrix support. Appliances on the end-of-life 12.1 and 13.0 branches receive no fix and must be moved to a supported branch.
- Until the upgrade is done, narrow exposure: restrict who can reach Gateway and AAA virtual servers where the business allows it, keep the management interface (NSIP) off the internet, and use Web Application Firewall or upstream filtering to block obviously malformed requests. These are compensating controls only; none of them fixes the overflow.
- Monitor logs for abnormal traffic to Gateway and AAA endpoints, such as bursts of malformed requests from a single source or unexplained process crashes and restarts on the appliance, which can indicate exploitation attempts or a DoS outcome.
Exposure reduction and monitoring buy time and visibility while the patch is rolled out; they do not substitute for it.
Am I Impacted by CVE-2025-7775?
Because exploitation of CVE-2025-7775 against unpatched appliances has been observed in the wild, the IONIX research team is tracking ongoing exploitation attempts and recommends that customers follow portal notifications. Potentially affected assets are listed in the IONIX Threat Center in the portal.