CVE-2025-7775: Critical Citrix NetScaler Zero-Day RCE Exploited to Drop Webshells


On August 26, 2025, Citrix released fixes for a critical vulnerability in Citrix NetScaler ADC and Gateway (CVE-2025-7775) that has been exploited on unpatched appliances. The issue stems from a memory overflow flaw that could allow Remote Code Execution (RCE) and/or Denial of Service (DoS) by remote threat actors. The vulnerability affects NetScaler appliances configured as Gateway or AAA virtual servers, certain Load Balancing (LB) virtual servers bound to IPv6 or DBS IPv6 services, and CR virtual servers of type HDX. 

Public reports have indicated that exploitation of this vulnerability can lead to dropped web shells, though further details have not been disclosed at the time of writing. 

Arctic Wolf has not identified a publicly available proof of concept (PoC) exploit for CVE-2025-7775; however, given the nature of this vulnerability, threat actors are very likely to further target it, and PoCs are likely to be released soon. Citrix NetScaler has historically been an attractive target for threat actors, with one recent example being Citrix Bleed 2 (CVE-2025-5777), which resulted in widespread exploitation. 

Other Vulnerabilities

Fixes were also released for two additional, lower-severity vulnerabilities, CVE-2025-7776 and CVE-2025-8424, which can result in DoS and improper access control, respectively. Citrix has not observed exploitation of these vulnerabilities at this time. 

Recommendation for CVE-2025-7775

Upgrade to Latest Fixed Version 

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| NetScaler ADC | 14.1 before 14.1-47.48 | 14.1-47.48 and later releases |
| NetScaler ADC | 13.1 before 13.1-59.22 | 13.1-59.22 and later releases of 13.1 |
| NetScaler ADC | 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP | 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP |
| NetScaler ADC | 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP | 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP |
| NetScaler Gateway | 14.1 before 14.1-47.48 | 14.1-47.48 and later releases |
| NetScaler Gateway | 13.1 before 13.1-59.22 | 13.1-59.22 and later releases of 13.1 |

Note: These vulnerabilities impact customer-managed NetScaler ADC, NetScaler Gateway, and Secure Private Access on-premises or hybrid deployments using NetScaler instances. NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. 

Citrix-managed cloud services and Adaptive Authentication are automatically updated with the required patches. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
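To triage an appliance inventory against the fixed versions listed above, the following added example (not Arctic Wolf's or Citrix's code) classifies each build as fixed, affected, or end of life. It assumes versions are recorded in the bulletin's `RELEASE-BUILD` form; the edition labels, hostnames and sample builds are constructed for illustration, and it checks the version only, not whether the appliance has one of the affected virtual server configurations.

```python
import re

# First fixed build per (release, edition), copied from the table above.
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips-ndcpp"): (37, 241),
    ("12.1", "fips-ndcpp"): (55, 330),
}
# Releases the bulletin lists as End Of Life (no fix unless listed in FIXED).
EOL_RELEASES = {"12.1", "13.0"}

def parse_version(text):
    """Split 'RELEASE-BUILD', e.g. '13.1-59.22', into ('13.1', (59, 22))."""
    m = re.fullmatch(r"\s*(\d+\.\d+)-(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, edition="standard"):
    """Return 'fixed', 'affected', 'eol' or 'unknown' for one appliance."""
    release, build = parse_version(version)
    fixed_build = FIXED.get((release, edition))
    if fixed_build is None:
        return "eol" if release in EOL_RELEASES else "unknown"
    # Compare as integer tuples: as text, '37.38' would sort after '37.241'.
    return "fixed" if build >= fixed_build else "affected"

def triage(inventory):
    """Map each host to its status, keeping only hosts that need action."""
    results = {host: assess(ver, ed) for host, ver, ed in inventory}
    return {h: s for h, s in results.items() if s != "fixed"}

# Constructed inventory (hostnames and builds are made up for the example).
SAMPLE = [
    ("gw-01", "14.1-47.48", "standard"),
    ("gw-02", "14.1-43.56", "standard"),
    ("adc-fips", "13.1-37.38", "fips-ndcpp"),
    ("adc-old", "13.0-92.31", "standard"),
    ("adc-new", "13.1-60.5", "standard"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```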

References 

Citrix Advisory

Webshells Being Dropped Observation
