CVE-2025-7775 — Citrix NetScaler Memory Overflow Vulnerability

CVE-2025-7775

Citrix NetScaler ADC/Gateway — Pre-Auth Zero-Day Memory Overflow; Emergency 48-Hour CISA Deadline; 14k+ Exposed

What is Citrix NetScaler ADC and Gateway?

Citrix NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are enterprise networking appliances deployed at the perimeter of corporate networks for load balancing, SSL offloading, and remote access VPN. NetScaler Gateway in particular serves as the SSL VPN front door for organizations' internal applications — employees and contractors authenticate through the Gateway to reach internal resources from the internet.

NetScaler appliances sit at the network perimeter processing raw unauthenticated traffic by design, making pre-authentication vulnerabilities especially dangerous. Citrix NetScaler has a history of critical security vulnerabilities: CVE-2023-3519 (2023 remote code execution) and CVE-2019-19781 ("Shitrix") were both widely mass-exploited shortly after disclosure.

Overview

CVE-2025-7775 is a pre-authentication memory overflow (CWE-119) in Citrix NetScaler ADC and Gateway that was exploited as a zero-day in the wild before Citrix released a patch. CISA's response was unusually urgent: the vulnerability was added to the KEV catalog the same day patches shipped, with a 48-hour remediation deadline — one of the shortest deadlines CISA has issued under BOD 22-01. Approximately 14,300 internet-facing NetScaler instances were exposed at the time of disclosure, and 14+ public proof-of-concept exploits appeared on GitHub shortly after the patch was released.

Affected Versions

Branch                           Vulnerable        Fixed
NetScaler ADC/Gateway 14.1       < 14.1-47.48      14.1-47.48
NetScaler ADC/Gateway 13.1       < 13.1-59.22      13.1-59.22
NetScaler ADC 13.1-FIPS          < 13.1-37.241     13.1-37.241
NetScaler ADC 12.1-FIPS/NDcPP    < 12.1-55.330     12.1-55.330

Configuration requirement: The appliance must be configured as one of:

  • Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy)
  • AAA virtual server
  • Load balancing virtual server (HTTP/SSL/HTTP_QUIC) bound to IPv6 services

Technical Details

The root cause is improper memory buffer handling (CWE-119) in the NetScaler Gateway/AAA processing stack. A crafted unauthenticated network request to a vulnerable virtual server configuration triggers a memory overflow leading to heap corruption, which can be exploited for remote code execution or denial of service.

Citrix has not publicly disclosed the precise code path responsible. Post-exploitation behavior observed in the wild includes webshell drops on compromised appliances — consistent with threat actors establishing persistent access after initial exploitation.

Key characteristics:

  • Pre-authentication: no credentials or session required
  • Requires specific vserver configuration (Gateway/AAA/IPv6 LB) — not all NetScaler deployments are vulnerable
  • CVSS 9.8: network-reachable, low attack complexity, no privileges or user interaction required
  • Rapid public PoC availability (14+) drastically lowered the skill bar for exploitation within days of patch release

Discovery

Discovery details were not publicly attributed in the Citrix advisory or subsequent vendor communications. Citrix likely identified this through internal security research or coordinated disclosure. The zero-day exploitation before patch release indicates the vulnerability was independently discovered and weaponized by threat actors before Citrix disclosed it.

Exploitation Context

CVE-2025-7775 was actively exploited in the wild before the patch shipped on August 26, 2025. Webshell implants were observed on compromised NetScaler appliances following exploitation, indicating threat actors were establishing persistent access for follow-on operations. VulnCheck researcher Caitlin Condon identified approximately 14,300 internet-facing NetScaler instances as exposed at disclosure.

CISA's 48-hour BOD 22-01 deadline reflected the severity of the zero-day exploitation and the size of the exposed attack surface. No specific threat actor has been publicly attributed to the exploitation campaign. VulnCheck also flagged potential future chaining with CVE-2025-8424, a separate NetScaler management interface flaw, in assessments published shortly after.

Remediation

  1. Patch immediately — upgrade to 14.1-47.48+, 13.1-59.22+, 13.1-37.241-FIPS+, or 12.1-55.330-FIPS+ depending on your branch. The original CISA deadline was 48 hours; treat this as an emergency patch.
  2. Determine if your configuration is affected — only appliances running as Gateway (VPN/ICA Proxy/CVPN/RDP Proxy), AAA vserver, or IPv6 load balancing are vulnerable; confirm your vserver types before assuming you're safe.
  3. Hunt for webshells — scan the NetScaler filesystem for unexpected .php, .py, or .sh files in web-served directories; check for new administrative sessions and outbound connections.
  4. Review NetScaler Gateway logs — look for anomalous HTTP requests to the VPN virtual server from unexpected source IPs, particularly requests that trigger error conditions or produce unusual response sizes.
  5. Isolate compromised appliances — if webshells or other indicators are found, take the appliance offline; NetScaler stores session tokens and credentials in memory that can be exfiltrated post-compromise.
  6. Apply the patch for CVE-2025-8424 as well if advisory details indicate your configuration is affected — Citrix issued multiple advisories in this period covering related components.
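A triage helper for steps 1 and 2 above, added here as an example; it is not Citrix tooling or code from this advisory. It assumes `show ns version` output of the shape shown in the constructed sample, that the operator knows whether the appliance runs a FIPS build, and a hypothetical vserver inventory of dicts with `name`, `type`, `service_type` and `ipv6_services` keys.

```python
import re
from typing import Iterable

# Fixed builds per branch, from the affected-versions table above.
FIXED_BUILDS = {"14.1": (47, 48), "13.1": (59, 22),
                "13.1-FIPS": (37, 241), "12.1-FIPS": (55, 330)}

# Assumed shape of `show ns version` output: "NetScaler NS14.1: Build 47.48.nc, Date: ...".
VERSION_RE = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

# Exposure conditions from the advisory: Gateway/AAA vservers always,
# LB vservers only when HTTP/SSL/HTTP_QUIC and bound to IPv6 services.
EXPOSED_TYPES = {"vpn", "aaa"}
EXPOSED_LB_SERVICE_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}

def parse_version(show_version_output: str, fips: bool = False):
    """Return (branch, (build_major, build_minor)); caller says whether this is a FIPS build."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("unrecognised version string")
    branch = m.group(1) + ("-FIPS" if fips else "")
    if branch not in FIXED_BUILDS:
        raise ValueError(f"branch {branch} is not covered by the advisory table")
    return branch, (int(m.group(2)), int(m.group(3)))

def build_is_patched(branch: str, build: tuple) -> bool:
    # Tuple comparison: (47, 48) >= (47, 48) is patched, (47, 47) and (46, 100) are not.
    return build >= FIXED_BUILDS[branch]

def exposed_vservers(vservers: Iterable[dict]) -> list:
    """Names of vservers (hypothetical inventory dicts) in a vulnerable configuration."""
    hits = []
    for vs in vservers:
        if vs["type"] in EXPOSED_TYPES:
            hits.append(vs["name"])
        elif (vs["type"] == "lb" and vs.get("service_type") in EXPOSED_LB_SERVICE_TYPES
              and vs.get("ipv6_services")):
            hits.append(vs["name"])
    return hits

def assess(show_version_output: str, vservers: Iterable[dict], fips: bool = False) -> dict:
    """Vulnerable only if the build predates the fix AND an exposed vserver exists."""
    branch, build = parse_version(show_version_output, fips)
    exposed = exposed_vservers(vservers)
    patched = build_is_patched(branch, build)
    return {"branch": branch, "build": build, "patched": patched,
            "exposed_vservers": exposed, "vulnerable": not patched and bool(exposed)}
```

Note that a 13.1 build such as 37.200 must be assessed with `fips=True`: compared against the non-FIPS 13.1 threshold it would also read as unpatched, but against the wrong fixed build.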

Key Details

Property               Value
CVE ID                 CVE-2025-7775
Vendor / Product       Citrix — NetScaler
NVD Published          2025-08-26
NVD Last Modified      2025-10-24
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-119
CISA KEV Added         2025-08-26
CISA KEV Deadline      2025-08-28
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-08-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-08-26   Zero-day exploitation confirmed in the wild; Citrix releases patches; CISA adds to KEV with emergency 48-hour deadline
2025-08-28   CISA BOD 22-01 emergency remediation deadline (48 hours from KEV addition — shortest standard deadline)
2025-10-24   NVD last modified; 14+ public PoC exploits on GitHub