Citrix patches a trio of high-severity security bugs, so be on your guard

Citrix fixes three flaws in NetScaler ADC and NetScaler Gateway
Among them is a critical-severity one used as a zero-day which allowed for RCE and DoS attacks

Citrix has fixed three bugs in its NetScaler ADC and NetScaler Gateway instances, including a critical zero-day flaw which was apparently being abused in the wild.

In a new advisory, the company said it patched multiple flaws, including a memory overflow vulnerability that could lead to remote code execution (RCE) or Denial of Service (DoS) attacks in NetScaler ADC and NetScaler Gateway (when NetScaler is configured as Gateway or AAA virtual server).

The vulnerability is tracked as CVE-2025-7775 and has a severity score of 9.2/10 (critical).

Configuration flaws

Citrix has urged users to patch up immediately since the hackers are already leveraging the bug in real-life attacks.

“As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the fix as there are no mitigations available to protect against a potential exploit,” it said.

Fortunately, leveraging the bug is not particularly straightforward, as devices need to be configured in a specific way for that to happen:

– NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server

– NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers

– NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers CR virtual server with type HDX

Citrix has released configuration settings that can check if the NetScaler device’s configuration leaves it vulnerable to exploits.

Other two bugs patched are a memory overflow vulnerability tracked as CVE-2025-7776, and an improper access control on the NetScaler Management Interface bug tracked as CVE-2025-8424.