The flaw is one of three that the company disclosed affecting its NetScaler ADC and NetScaler Gateway technologies.

Citrix is once again testing customer patience with three new NetScaler flaws, one of which is a zero-day that attackers are already actively exploiting.

The vulnerabilities affect multiple versions of Citrix NetScaler ADC and NetScaler Gateway products, which many organizations use to secure, manage, and provide remote access to enterprise apps. Affected systems include unsupported, end-of-life versions as well.

Zero-Day Vulnerability

The zero-day flaw under active attack is CVE-2025-7775, a memory overflow vulnerability that a remote attacker can use to hijack a system or crash it entirely via a denial-of-service (DoS) attack. The vulnerability can only be exploited on NetScaler devices that are set up for VPN or remote access, or that handle certain IPv6 web traffic or specific content routing tasks.

Citrix has slapped a 9.2 out of 10 severity rating on the CVSS scale for the flaw since attackers don’t need credentials or user interaction to trigger it. The vulnerability, according to the company, is tricky to exploit. But a successful attack could wreak serious havoc on a system’s confidentiality, integrity, and availability. Specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines are affected.
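The preconditions described above (Gateway or remote-access configuration, HTTP/SSL virtual servers that handle IPv6 traffic, content routing) and the affected release lines can be turned into a quick inventory triage for defenders. The following Python is an added example, not code from Citrix or the article: it assumes an `ns.conf`-style configuration syntax (`add vpn vserver`, `add authentication vserver`, `add lb vserver <name> HTTP|SSL <vip> <port>`, `add service`, `bind lb vserver`, `add cr vserver`) and version strings of the form `<major>.<minor>-<build>.<build>`. The release lines come from the article; the specific fixed builds are deliberately not reproduced and must be supplied from the Citrix advisory via the `fixed_builds` parameter. Because the article's wording on the IPv6 condition is coarse, the script flags any HTTP/SSL load-balancing vserver with an IPv6 VIP or an IPv6 backend service, which is a superset of the precise condition; the sample configuration and version strings are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Release lines the article names as affected. End-of-life lines are also
# affected per the article; check the advisory for the exact list.
AFFECTED_RELEASE_LINES = {"12.1", "13.1", "14.1"}
WEB_VSERVER_TYPES = {"HTTP", "SSL"}


def parse_version(version):
    """Split "14.1-10.20" into ("14.1", (10, 20)): release line plus build tuple.

    Raises ValueError on strings that do not look like a NetScaler version.
    """
    m = re.fullmatch(r"(\d+\.\d+)-(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def _is_ipv6(text):
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False


def exposed_features(config_lines):
    """Return the set of exposure reasons found in ns.conf-style lines (assumed syntax)."""
    reasons = set()
    web_vservers = {}            # lb vserver name -> VIP
    services = {}                # service name -> backend IP
    bindings = defaultdict(set)  # lb vserver name -> bound service names
    for raw in config_lines:
        tok = raw.split()
        if len(tok) < 4:
            continue
        if tok[:3] == ["add", "vpn", "vserver"]:
            reasons.add("gateway/vpn vserver")
        elif tok[:3] == ["add", "authentication", "vserver"]:
            reasons.add("aaa vserver")
        elif tok[:3] == ["add", "cr", "vserver"]:
            reasons.add("content-routing vserver")
        elif tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 6 and tok[4] in WEB_VSERVER_TYPES:
            web_vservers[tok[3]] = tok[5]
        elif tok[:2] == ["add", "service"]:
            services[tok[2]] = tok[3]
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5:
            bindings[tok[3]].add(tok[4])
    # An HTTP/SSL vserver counts as "handling IPv6 web traffic" if its VIP or
    # any bound backend service is IPv6 (coarse reading of the article's wording).
    for name, vip in web_vservers.items():
        if _is_ipv6(vip) or any(_is_ipv6(services.get(s, "")) for s in bindings[name]):
            reasons.add("ipv6 web vserver")
    return reasons


def triage(version, config_lines, fixed_builds=None):
    """Classify one appliance. fixed_builds maps release line -> first fixed build tuple,
    taken from the vendor advisory (placeholder: none are hard-coded here)."""
    line, build = parse_version(version)
    reasons = exposed_features(config_lines)
    if line not in AFFECTED_RELEASE_LINES:
        status = "release line not named in article; verify against advisory (EOL lines are affected)"
    elif fixed_builds and line in fixed_builds and build >= fixed_builds[line]:
        status = "patched"
    elif reasons:
        status = "exposed: patch now"
    else:
        status = "affected line, no exposing feature found: patch"
    return {"version": version, "release_line": line, "status": status, "reasons": sorted(reasons)}


# Constructed sample configuration: a Gateway vserver and one IPv6-backed web vserver.
SAMPLE_CONFIG = """\
add vpn vserver gw_vs SSL 10.0.0.5 443
add lb vserver web_v6 HTTP 10.0.0.6 80
add service app_v6 2001:db8::20 HTTP 8080
bind lb vserver web_v6 app_v6
add lb vserver web_v4 HTTP 10.0.0.7 80
add service app_v4 10.0.0.20 HTTP 8080
bind lb vserver web_v4 app_v4
""".splitlines()

if __name__ == "__main__":
    # Constructed version strings, not real NetScaler builds.
    for ver in ("14.1-10.20", "13.1-5.0", "11.1-1.0"):
        print(triage(ver, SAMPLE_CONFIG))
```

The script is meant to rank which appliances to patch first, not to prove a device is safe: an appliance on an affected line with no exposing feature still needs the update, and the `fixed_builds` table should be filled from the advisory before trusting a "patched" verdict.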

“Exploits of CVE-2025-7775 on unmitigated appliances have been observed,” Citrix warned in its advisory. “Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.”

The other two vulnerabilities Citrix disclosed Tuesday are CVE-2025-7776 (CVSS score: 8.8) and CVE-2025-8424 (CVSS score: 8.7). The former is a flaw in the way the software handles memory and could allow an attacker to trigger “unpredictable or erroneous” behavior or a DoS condition on affected systems. The latter is an improper access control vulnerability that could potentially allow an attacker to access sensitive data and functions and gain control over parts of an affected system.

Citrix’s advisory includes guidance for customers on how to detect if they are affected by the vulnerabilities.

Potential for Damage

Jimi Sebree, attack team researcher at Horizon3.ai, whom Citrix identified as one of the vulnerability discoverers, says the new flaws affect similar components in NetScaler ADC and NetScaler Gateway as the infamous “CitrixBleed” vulnerability. CitrixBleed (CVE-2023-4966) was a buffer overflow flaw that multiple threat groups — including ransomware actors such as LockBit — exploited widely. Earlier this year, there was a follow-up vulnerability, which some researchers dubbed “CitrixBleed2” (CVE-2025-5777), that affected similar systems as well.

“Of the vulnerabilities disclosed in the Citrix security bulletin, each has the potential to lead to service disruption and potential compromise of the host system,” Sebree says. As was the case with CitrixBleed and CitrixBleed2, finding NetScaler ADC and Gateway systems that are exposed to the newly disclosed vulnerabilities is fairly trivial, he says. “We do, however, want to emphasize that while the newly disclosed flaws affect similar components to the CitrixBleed issues, the new vulnerabilities are not related to CitrixBleed.”

Horizon3.ai does not currently have any insight into ongoing in-the-wild attacks, he adds.

Ticking Time Bombs?

In an emailed statement, Scott Caveza, senior staff research engineer at Tenable, highlighted the fact that while patches are available for supported versions of NetScaler ADC and Gateway devices, the vulnerabilities also affect unsupported versions. “Our analysis of Tenable telemetry data found that nearly 20% of NetScaler assets identified are on these unsupported versions,” he said. The greatest concentration of these devices was in North America and the APAC region. “These end-of-life instances are ticking time bombs, especially given the recent exploitation history of Citrix flaws,” he said.

Citrix’s NetScaler ADC and Gateway products have become something of a recurring source of security concern for enterprise organizations, and the latest vulnerabilities add to a growing catalog of critical flaws discovered over the past two years. The US Cybersecurity and Infrastructure Security Agency (CISA) currently lists 10 NetScaler flaws in its Known Exploited Vulnerabilities (KEV) catalog; six are from the last two years.

The appliances present an attractive target for cybercriminals because they sit at the network perimeter and handle authentication and remote access to corporate resources. The fact that many large organizations use the technology is another factor that has attracted considerable attacker attention.

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security
