Threat Insight

Multiple Vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway

Citrix has disclosed three severe vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) affecting NetScaler ADC and NetScaler Gateway appliances. Two of these (CVE-2025-7775 and CVE-2025-7776) are memory overflow vulnerabilities, A memory overflow vulnerability occurs when a program writes more data to a block of memory (such as a buffer) than it is allocated to hold. This can result in overwriting adjacent memory, leading to unpredictable behavior, application crashes, or allowing attackers to execute arbitrary code.

2025-08-27
Insight

Chaining these vulnerabilities may allow remote code execution, denial of service, or unauthorized local access to management interfaces.

CVE-2025-7775

Memory overflow vulnerability which could enable Remote Code Execution and/or Denial of Service for an unauthenticated attacker if your appliance matches any of the following pre-conditions[1]: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server
– OR –
NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers
– OR –
NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers
– OR –
CR virtual server with type HDX

CVE-2025-7776

Memory overflow vulnerability where a remote, unauthenticated attacker could deploy unpredictable or erroneous behavior and Denial of Service if your appliance matches the following pre-condition[1]: NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it. – CVE-2025-8424: Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway where a local attacker can get access to the appliance NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access.

CVE

CVE-2025-7775
CVE-2025-7776
CVE-2025-8424

Affected Products

NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48 NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22 NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP

Exploitation

Exploitation of CVE-2025-7775 have been observed according to Citrix.

Recommended Actions

Truesec recommends all customers running affected Citrix appliances immediately review their configurations and apply available patches.

Patched releases: — NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases

NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities[1].

Detection

Here’s a write-up from Citrix regarding what you, as a customer, can do to determine how your appliances are configured[1]:

❗CVE-2025-7775:
Customers can determine if they have an appliance configured as one of the following by inspecting their NetScaler Configuration for the specified strings [1].

An Auth Server (AAA Vserver)
– add authentication vserver .*
A Gateway (VPN Vserver, ICA Proxy, CVPN, RDP Proxy)
– add vpn vserver .*

LB vserver of Type HTTP_QUIC|SSL|HTTP bound with IPv6 services or servicegroups bound with IPv6 servers:

– enable ns feature lb.*
– add serviceGroup .* (HTTP_QUIC|SSL|HTTP) .*
– add server .* <IPv6>
– bind servicegroup <servicegroup name> <IPv6 server> .*
– add lb vserver .* (HTTP_QUIC|SSL|HTTP) .*
– bind lb vserver .* <ipv6 servicegroup name>

LB vserver of Type HTTP_QUIC|SSL|HTTP bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers:

– enable ns feature lb.*
– add serviceGroup .* (HTTP_QUIC | SSL | HTTP) .*
– add server .* <domain> -queryType AAAA
– add service .* <IPv6 DBS server >
– bind servicegroup <servicegroup name> <IPv6 DBS server> .*
– add lb vserver .* (HTTP_QUIC | SSL | HTTP) .*
– bind lb vserver .* <ipv6 servicegroup name> CR vserver with type HDX:
– add cr vserver .* HDX .*

❗CVE-2025-7776:
Customers can determine if they have an appliance configured by inspecting their ns.conf file for the specified strings

A Gateway (VPN vserver) with with PCoIP Profile bounded to it
– add vpn vserver .* -pcoipVserverProfileName .*

References

[1] https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424

Stay ahead with cyber insights

Stay ahead in cybersecurity! Sign up for Truesec’s newsletter to receive the latest insights, expert tips, and industry news directly to your inbox. Join our community of professionals and stay informed about emerging threats, best practices, and exclusive updates from Truesec.