
August 27, 2025

Citrix’s August NetScaler patches include actively exploited zero-day


On August 26, 2025, Citrix released security updates addressing three vulnerabilities in NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, including one that has been exploited as a zero-day.

These flaws affect certain configurations, including:

  • Virtual Private Network (VPN) virtual servers
  • Authentication, Authorization, and Accounting (AAA) virtual servers
  • Management interfaces

The patch only applies to customer-managed NetScaler ADC and NetScaler Gateway. Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances should upgrade to the recommended builds to address the vulnerabilities. Citrix-managed cloud services and Citrix-managed Adaptive Authentication already received the necessary software updates.

The first flaw, tracked as CVE-2025-7775, is a memory overflow vulnerability that could result in remote code execution and/or denial of service. The flaw could potentially allow threat actors to take full control of affected appliances. The Common Vulnerability Scoring System (CVSS) base score for CVE-2025-7775 is 9.2, which classifies it as Critical.

The US Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities catalog, suggesting that threat actors were already leveraging it before Citrix issued its advisory.

The second flaw, CVE-2025-7776, is also a memory overflow issue triggered when a PC-over-IP (PCoIP) profile is bound to a VPN virtual server. The impact includes denial-of-service or unpredictable behavior. Its CVSS v4.0 score is 8.8 (High).

The third flaw, CVE-2025-8424, involves improper access control on the management interface, which could lead to unauthorized access to configuration files and system-level operations if certain management IPs are exposed. This flaw is also rated as high severity, with a CVSS score of 8.7.

Affected versions include NetScaler ADC and Gateway 14.1 (before build 14.1-47.48), 13.1 (before 13.1-59.22), and FIPS/NDcPP variants before 13.1-37.241 and 12.1-55.330.

There are no mitigations or workarounds available for these vulnerabilities, and upgrading to the patched versions is the only remediation path. Customers using end-of-life versions (12.1 and 13.0) are advised to migrate to supported builds to receive protection.
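The affected-version ranges and the end-of-life note above can be turned into a build check. This is an added example, not code from Citrix or from this article's authors; the `hostname build std|fips` inventory format and the sample hosts are constructed, and the FIPS/NDcPP flag is an assumption that the operator supplies it per appliance.

```python
import re

# First patched build per (release, is_fips_ndcpp), as listed in the article.
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Releases the article names as end-of-life (no fixed standard build listed).
EOL = {"12.1", "13.0"}
BUILD_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def assess(build, fips=False):
    """Classify a build string such as '14.1-47.46'."""
    m = BUILD_RE.match(build.strip())
    if not m:
        return "unparsed"
    release, found = m.group(1), (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((release, fips))
    if fixed is None:
        return "eol" if release in EOL else "unknown"
    # Compare numerically: as strings, "47.5" would sort after "47.48".
    return "patched" if found >= fixed else "vulnerable"


def triage(inventory):
    """Group hosts by status from lines of 'hostname build std|fips'."""
    report = {}
    for line in inventory.strip().splitlines():
        host, build, flavor = line.split()
        report.setdefault(assess(build, flavor == "fips"), []).append(host)
    return report


# Constructed inventory (hypothetical hosts and builds, not from the article).
SAMPLE = """
gw-edge-01   14.1-47.46   std
gw-edge-02   14.1-47.48   std
adc-dmz-01   13.1-58.32   std
adc-fips-01  13.1-37.241  fips
adc-old-01   13.0-92.21   std
"""

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:10} {', '.join(hosts)}")
```

Getting the FIPS/NDcPP flag right matters: a 13.1-37.241 appliance checked against the standard 13.1 threshold is reported as vulnerable, and a standard build checked against the FIPS threshold can be reported as patched when it is not.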


Analyst insight

Organizations relying on NetScaler for secure access, load balancing, or hybrid deployments should prioritize patching to avoid service disruption or compromise. Citrix-managed cloud services have already been patched and are not affected.

The vulnerabilities only impact customer-managed, on-premises deployments. Organizations using hybrid environments should verify that all on-premises instances are updated and that cloud connectors are not indirectly exposed.

Administrators should inspect their configurations for vulnerable components. For CVE-2025-7775 and CVE-2025-7776, this means auditing whether VPN virtual servers, AAA virtual servers, or Load Balancing virtual servers using IPv6 are in use. These configurations are common in enterprise environments and may be unintentionally exposed.

In the advisory, Citrix has provided configuration strings to help identify affected appliances.

Organizations should review firewall rules, access control lists, and authentication mechanisms. Identity and Access Management (IDAM) solutions should be used to restrict access to the NetScaler console, and local authentication should be disabled where possible.