Executive Summary
On August 26, 2025, Citrix disclosed CVE-2025-7775, a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway. The disclosure came with an uncomfortable admission: the vulnerability was already being exploited in the wild as a zero-day. Attackers had discovered and weaponized the flaw before defenders had any opportunity to patch.
CVE-2025-7775 carries a CVSS score of 9.2 (Critical) and enables unauthenticated remote code execution. The attack requires no user interaction and no prior authentication—a network-accessible vulnerable appliance is sufficient for exploitation. Post-compromise analysis has revealed webshell deployments, indicating attackers are establishing persistent backdoor access to compromised organizations.
The timing amplifies the urgency. CVE-2025-7775 is the third critical NetScaler vulnerability disclosed in 2025 following CVE-2025-5777 (CitrixBleed 2) in June and CVE-2025-6543 in July. Organizations running NetScaler infrastructure face a sustained campaign of critical vulnerabilities requiring immediate action. CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog on the same day as disclosure, mandating federal agencies patch within 48 hours.
Vulnerability Overview
Technical Analysis
CVE-2025-7775 is a memory overflow vulnerability in the NetScaler request processing logic. When a vulnerable appliance receives a specially crafted request, the memory overflow corrupts adjacent memory regions, enabling attackers to hijack execution flow. The result is arbitrary code execution with the privileges of the NetScaler process—typically root or equivalent administrative access.
The vulnerability is particularly dangerous because it requires no authentication. Unlike vulnerabilities that require valid credentials or session tokens, CVE-2025-7775 can be exploited by any attacker who can reach the vulnerable service over the network. Combined with the Gateway and AAA configurations that are typically internet-facing, this creates a direct path from the internet to code execution on the appliance.
Citrix has classified the attack complexity as 'High' in the CVSS vector, suggesting that exploitation requires specific conditions or techniques beyond simple request crafting. However, the confirmed zero-day exploitation demonstrates that sophisticated threat actors have already overcome these barriers. Public exploit code was not available at disclosure, but security researchers expect broader exploitation once proof-of-concept code circulates.
Affected Configurations
| Configuration | Virtual Server Type | Vulnerable If | Risk Level |
|---|---|---|---|
| Gateway | VPN, ICA Proxy, CVPN, RDP Proxy | Configured as Gateway virtual server | Critical |
| AAA | Authentication virtual server | Configured as AAA virtual server | Critical |
| Load Balancer (IPv6) | HTTP, SSL, HTTP_QUIC | Bound with IPv6 services/servicegroups | Critical |
| Load Balancer (DBS) | Database services | DBS IPv6 configurations enabled | Critical |
| Content Routing | CR virtual server | Type HDX configured | High |
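The table above is the exposure test. As an added example (not from Citrix or the bulletin), here is a small Python check that walks ns.conf-style lines and flags the virtual servers that match the affected rows; the sample configuration is constructed, the `add`/`bind` command syntax is assumed to follow the usual NetScaler CLI form, and the DBS row is not covered.

```python
# Constructed ns.conf excerpt (sample data, not from any real appliance).
SAMPLE_NSCONF = """\
add vpn vserver vs_gateway SSL 203.0.113.10 443
add authentication vserver vs_aaa SSL 203.0.113.11 443
add lb vserver vs_web HTTP 203.0.113.12 80
add lb vserver vs_api SSL 203.0.113.13 443
add lb vserver vs_sg SSL 203.0.113.16 443
add lb vserver vs_dns DNS 203.0.113.15 53
add service svc_v6 2001:db8::10 HTTP 8080
add service svc_v4 192.0.2.10 HTTP 8080
add serviceGroup sg_v6 SSL
bind serviceGroup sg_v6 2001:db8::20 443
bind lb vserver vs_web svc_v6
bind lb vserver vs_api svc_v4
bind lb vserver vs_sg sg_v6
add cr vserver vs_hdx HDX 203.0.113.14 443
"""

WEB_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}   # LB vserver types named in the table

def exposed_vservers(nsconf: str) -> dict:
    """Map each affected vserver name to the table row it matches."""
    lb_type, ipv6_backend, findings = {}, {}, {}
    for line in nsconf.splitlines():
        tok = line.split()
        if len(tok) < 5:
            continue
        head = [t.lower() for t in tok[:3]]
        if head == ["add", "vpn", "vserver"]:
            findings[tok[3]] = "Gateway virtual server"
        elif head == ["add", "authentication", "vserver"]:
            findings[tok[3]] = "AAA virtual server"
        elif head == ["add", "cr", "vserver"] and tok[4].upper() == "HDX":
            findings[tok[3]] = "CR virtual server of type HDX"
        elif head == ["add", "lb", "vserver"]:
            lb_type[tok[3]] = tok[4].upper()
        elif head[:2] == ["add", "service"]:
            ipv6_backend[tok[2]] = ":" in tok[3]      # ':' only appears in IPv6 literals
        elif head[:2] == ["bind", "servicegroup"]:
            ipv6_backend[tok[2]] = ipv6_backend.get(tok[2], False) or ":" in tok[3]
        elif head == ["bind", "lb", "vserver"]:
            name, backend = tok[3], tok[4]
            if lb_type.get(name) in WEB_LB_TYPES and ipv6_backend.get(backend):
                findings[name] = f"{lb_type[name]} LB vserver bound to IPv6 backend {backend}"
    return findings
```

Any name returned means the appliance is in scope for the table's Critical/High rows regardless of what the rest of the configuration looks like.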
Affected and Patched Versions
| Product Branch | Vulnerable Versions | Fixed Version | Status |
|---|---|---|---|
| NetScaler ADC/Gateway 14.1 | < 14.1-47.48 | 14.1-47.48+ | Patch Available |
| NetScaler ADC/Gateway 13.1 | < 13.1-59.22 | 13.1-59.22+ | Patch Available |
| NetScaler 13.1-FIPS | < 13.1-37.241 | 13.1-37.241+ | Patch Available |
| NetScaler NDcPP | < 13.1-37.241 | 13.1-37.241+ | Patch Available |
| NetScaler 12.1-FIPS/NDcPP | < 12.1-55.330 | 12.1-55.330+ | Patch Available |
| NetScaler 12.1 | All versions | — | End of Life - Migrate |
| NetScaler 13.0 | All versions | — | End of Life - Migrate |
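Comparing a build string against this table by eye is error-prone because NetScaler versions are four numbers (`major.minor-build.subbuild`) and the FIPS/NDcPP branches have their own fixed builds. The following is an added example (not Citrix code) that encodes the table and triages an inventory; it also covers the "Identify All NetScaler Instances" step in the remediation section. It assumes the branch is supplied explicitly, since a FIPS/NDcPP build is not distinguishable from the bare version string here, and it accepts both the `14.1-47.48` form and the `NS14.1: Build 47.48.nc` banner form.

```python
import re

# Fixed builds per branch, copied from the table above. End-of-life branches
# have no fixed build and must be migrated instead.
FIXED_BUILD = {
    "14.1": "14.1-47.48",
    "13.1": "13.1-59.22",
    "13.1-FIPS": "13.1-37.241",
    "13.1-NDcPP": "13.1-37.241",
    "12.1-FIPS": "12.1-55.330",
    "12.1-NDcPP": "12.1-55.330",
}
END_OF_LIFE = {"12.1", "13.0"}

# Matches '14.1-47.48' or the banner form 'NS14.1: Build 47.48.nc' (assumed format).
VERSION_RE = re.compile(r"(?:NS)?(\d+)\.(\d+)(?::\s*Build\s*|-)(\d+)\.(\d+)")

def parse_version(version: str) -> tuple:
    """Return (major, minor, build, subbuild) as ints so tuples compare correctly."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(branch: str, version: str) -> str:
    """Classify one appliance as 'patched', 'vulnerable' or 'end-of-life'."""
    if branch in END_OF_LIFE:
        return "end-of-life"
    if branch not in FIXED_BUILD:
        raise ValueError(f"unknown branch {branch!r}")
    installed = parse_version(version)
    fixed = parse_version(FIXED_BUILD[branch])
    if installed[:2] != fixed[:2]:          # e.g. a 13.1 build reported under branch 14.1
        raise ValueError(f"{version!r} is not a {branch} build")
    return "patched" if installed >= fixed else "vulnerable"

def triage(inventory):
    """inventory: iterable of (hostname, branch, version) -> list of (hostname, status)."""
    return [(host, assess(branch, ver)) for host, branch, ver in inventory]
```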
Exploitation Timeline
Observed Attack Chain
Security researchers analyzing CVE-2025-7775 exploitation have documented a consistent attack pattern. Understanding this chain helps defenders identify compromise indicators and implement appropriate detection.
Reconnaissance & Scanning
Attackers scan internet-facing infrastructure to identify NetScaler appliances. Version fingerprinting determines vulnerability status. At disclosure, over 59,000 instances were publicly accessible.
Exploitation
Specially crafted requests trigger the memory overflow, achieving remote code execution. No authentication required—network access to the vulnerable service is sufficient.
Webshell Deployment
Attackers deploy webshells to establish persistent backdoor access. These webshells survive appliance reboots and provide on-demand command execution capability.
Persistence & Lateral Movement
With persistent access established, attackers harvest credentials, map internal networks, and move laterally to additional systems. NetScaler's position at the network edge provides visibility into internal traffic.
Data Exfiltration or Further Objectives
Final objectives vary by threat actor: data theft, ransomware deployment, or long-term espionage access. The initial NetScaler compromise serves as the entry point for broader campaigns.
Security researchers warn that CVE-2025-7775 can be chained with CVE-2025-8424 (improper access control in NetScaler Management Interface) for deeper system control. While CVE-2025-7775 provides initial RCE access, CVE-2025-8424 could enable attackers to gain unauthorized access to management functionality, potentially affecting configuration persistence and making remediation more complex. Organizations should patch all three August 2025 vulnerabilities simultaneously.
Detection & Forensic Analysis
Organizations should implement detection capabilities and conduct forensic analysis to identify potential compromise:
Webshell Detection
Run Citrix's webshell detection script on all NetScaler appliances. Analyze filesystem snapshots for unexpected files in web-accessible directories, particularly PHP or Perl scripts.
Log Analysis
Review NetScaler logs for unusual request patterns, failed authentication attempts, and access to administrative functions. Look for artifacts indicating scanning or exploitation attempts.
Network Traffic Analysis
Monitor for unusual outbound connections from NetScaler appliances, particularly to known malicious infrastructure or unusual geographic destinations.
Configuration Review
Check for unauthorized configuration changes, new administrative accounts, or modified authentication settings that could indicate persistence mechanisms.
Memory Forensics
For suspected compromised appliances, conduct memory analysis to identify injected code, credential harvesting, or other runtime artifacts.
SIEM Integration
Deploy detection rules for CVE-2025-7775 exploitation patterns. SOC Prime and other vendors offer CTI-enriched detection content aligned with MITRE ATT&CK.
Remediation Steps
Citrix has confirmed there are no workarounds or mitigations for CVE-2025-7775. Patching is the only remediation path. Organizations should follow these steps immediately:
Identify All NetScaler Instances
Inventory all NetScaler ADC and Gateway appliances in your environment, including those managed by third parties. Verify version numbers against the affected versions list.
Apply Patches Immediately
Upgrade to fixed versions: 14.1-47.48+, 13.1-59.22+, 13.1-FIPS/NDcPP 13.1-37.241+, or 12.1-FIPS/NDcPP 12.1-55.330+. End-of-life versions (12.1, 13.0) require migration to supported releases.
Conduct Post-Patch Forensics
Even after patching, appliances may already be compromised. Run webshell detection, review logs for exploitation indicators, and analyze configurations for unauthorized changes.
Reset Credentials
If compromise is suspected, reset all credentials that may have transited the appliance: VPN users, administrative accounts, and any credentials visible to the NetScaler.
Review Network Segmentation
Ensure NetScaler appliances cannot directly access sensitive internal resources. Implement network segmentation to limit blast radius if edge appliances are compromised.
Implement Ongoing Monitoring
Deploy detection rules for CVE-2025-7775 and related vulnerabilities. Monitor for indicators of compromise and establish alerting for suspicious NetScaler activity.
Security researcher Kevin Beaumont reported that the majority of internet-facing NetScaler devices remain unpatched, with only approximately 16% patch adoption observed in the days following disclosure. This leaves tens of thousands of appliances vulnerable to exploitation. Organizations should verify their patch status immediately—assuming you are patched without verification is dangerous given the confirmed zero-day exploitation.
TR7 WAF Protection Against Zero-Days
While CVE-2025-7775 targets NetScaler infrastructure specifically, TR7's WAF platform provides defense-in-depth capabilities that protect against similar vulnerability exploitation patterns:
Memory Corruption Protection
Request validation and input sanitization prevent malformed requests from triggering buffer overflows and memory corruption in protected applications.
Virtual Patching
Deploy protection rules for known CVEs before vendor patches are available or when patching requires extended maintenance windows.
Exploit Traffic Detection
Behavioral analysis identifies exploitation attempts based on request patterns, even for zero-day vulnerabilities without known signatures.
Webshell Prevention
File upload controls and execution restrictions prevent attackers from deploying webshells even if initial exploitation succeeds.
Threat Intelligence Integration
Real-time threat feeds identify known malicious IPs and attack patterns, blocking exploitation attempts at the network edge.
Rapid Rule Deployment
New protection rules deployed within hours of CVE disclosure, providing immediate defense while patch cycles complete.
Frequently Asked Questions
Check your configuration and version. You are vulnerable if running NetScaler ADC/Gateway 13.1, 14.1, 13.1-FIPS, or NDcPP versions below the patched releases, AND configured as Gateway (VPN, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, load balancer with IPv6 services, or CR virtual server with HDX type. Run the configuration check commands from Citrix bulletin CTX694938 to verify exposure.
These versions are end-of-life and do not receive security patches. You must migrate to a supported version (13.1 or 14.1) immediately. There is no workaround that makes these versions safe—upgrade is mandatory.
Run Citrix's webshell detection script, review access logs for unusual patterns, check for unauthorized configuration changes or new administrative accounts, and analyze filesystem for unexpected files. If compromise indicators are found, isolate the appliance, preserve forensic evidence, and engage incident response.
Patching prevents future exploitation but does not remove existing compromise. If your appliance was exposed before patching, conduct forensic analysis for webshells and persistence mechanisms. Reset credentials that transited the appliance. Consider reimaging from known-good state if compromise is confirmed.
NetScaler's position as an edge security appliance makes it a high-value target. Memory safety vulnerabilities in C/C++ codebases remain common, and the complexity of Gateway/VPN functionality creates a large attack surface. The pattern of 2025 vulnerabilities (CVE-2025-5777, CVE-2025-6543, CVE-2025-7775) suggests researchers and attackers are actively auditing this codebase.
If immediate patching is impossible, restricting network access to trusted networks only provides limited risk reduction. However, this may not be practical for internet-facing VPN or Gateway deployments. Citrix has stated there are no effective mitigations—patching is the only complete remediation.
Conclusion
CVE-2025-7775 represents the third critical NetScaler vulnerability in three months, establishing a concerning pattern for organizations dependent on Citrix infrastructure. The zero-day exploitation status at disclosure meant attackers had a head start—and with only 16% patch adoption reported post-disclosure, many organizations remain exposed.
The combination of unauthenticated RCE, confirmed webshell deployment, and the network-edge position of typical NetScaler deployments creates severe risk. Compromised appliances provide attackers with persistent access to internal networks, credential visibility, and a launching point for lateral movement. The damage potential extends far beyond the NetScaler itself.
For security teams, the message is clear: identify all NetScaler instances, patch immediately, and conduct forensic analysis regardless of when you patched. Assume breach if your appliances were internet-facing before August 26, 2025. The zero-day window—however long it lasted—provided sophisticated threat actors ample opportunity for initial access. Your incident response should proceed accordingly.
References & Sources
Official Citrix disclosure for CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. Includes affected versions, fixed releases, and configuration check guidance. Access: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
CVE-2025-7775 added to KEV on August 26, 2025 with 48-hour remediation deadline for federal agencies. Access: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Technical analysis of CVE-2025-7775 exploitation, affected configurations, and remediation guidance. Access: https://www.rapid7.com/blog/post/etr-cve-2025-7775-critical-netscaler-vulnerability-exploited-in-the-wild/
Exposure analysis and threat landscape context for CVE-2025-7775. Access: https://socradar.io/cve-2025-7775-citrix-zero-day-netscaler-devices/
News coverage of Citrix disclosure and zero-day exploitation. Access: https://www.bleepingcomputer.com/news/security/citrix-fixes-critical-netscaler-rce-flaw-exploited-in-zero-day-attacks/