Three vulnerabilities in Citrix NetScaler have been patched, and one of them is under active exploitation.
Critical Zero-Day Vulnerabilities in Citrix NetScaler Affect Thousands of Systems
A series of zero-day vulnerabilities has been discovered in Citrix NetScaler ADC and Gateway, affecting a significant number of organizations worldwide. The flaws, tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, are critical and carry severity scores of 9.2, 8.8, and 8.7, respectively.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog on August 26 and urged US federal agencies to apply patches by August 28. The Shadowserver Foundation observed at least 28,000 unpatched Citrix NetScaler instances vulnerable to the CVE-2025-7775 RCE vulnerability as of August 26.
The vulnerabilities include two memory overflow vulnerabilities and an improper access control flaw on the NetScaler Management Interface. These flaws can potentially allow pre-authentication remote code execution (RCE), enabling attackers to drop webshells and backdoor organizations. CVE-2025-7775, also known as 'CitrixDeelb,' has been observed being exploited in the wild.
Citrix has released patches for these vulnerabilities, and organizations are urged to upgrade to one of the patched versions to mitigate the risks. The following supported releases address the vulnerabilities: NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases; NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1; NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP; and NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP.
However, patching alone is not sufficient, according to Benjamin Harris, CEO of WatchTowr. Organizations should urgently review for signs of prior compromise and deployed backdoors. Management interfaces for firewalls and security gateways have been targeted en masse in recent campaigns, according to VulnCheck's research.
CVE-2025-7775 and CVE-2025-7776 are memory corruption vulnerabilities that are likely to be exploited by sophisticated threat actors, according to Caitlin Condon, VP of security research at VulnCheck. The group allegedly involved in the exploit campaign for CVE-2025-7775 before Citrix released patches is associated with the use of Hexstrike-AI, an autonomous AI-driven tool that was observed in underground forums shortly after the vulnerability disclosure and that enables rapid, large-scale exploitation by threat actors.
NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end-of-life (EOL) and are no longer supported. Organizations using these versions should prioritize upgrading to a supported version to ensure security.
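The fixed releases and end-of-life versions listed above can be turned into an inventory triage check; this is an added example, not code from Citrix or from the article. It assumes versions are written in the article's `release-build` form (for example `13.1-59.22`) and that the caller supplies the edition, with `fips` covering both FIPS and NDcPP; the function names and the sample inventory are constructed.

```python
import re

# Minimum fixed build per (release, edition), taken from the article's list.
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 330),   # 12.1-FIPS and 12.1-NDcPP
}
# Releases the article lists as end-of-life (non-FIPS builds).
EOL = {"12.1", "13.0"}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def triage(version, edition="standard"):
    """Classify one appliance: 'patched', 'vulnerable', 'eol' or 'unknown'."""
    m = VERSION_RE.match(version.strip())
    if not m or edition not in ("standard", "fips"):
        return "unknown"          # unparseable input needs a manual check
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    floor = FIXED.get((release, edition))
    if floor is None:
        return "eol" if release in EOL and edition == "standard" else "unknown"
    # Compare numerically per component: 59.9 is older than 59.22.
    return "patched" if build >= floor else "vulnerable"

def triage_inventory(rows):
    """Group (host, version, edition) rows by triage status."""
    out = {}
    for host, version, edition in rows:
        out.setdefault(triage(version, edition), []).append(host)
    return out

SAMPLE = [  # constructed inventory, hostnames and builds are illustrative
    ("adc-01", "14.1-47.48", "standard"),
    ("adc-02", "13.1-59.9", "standard"),
    ("gw-01", "13.0-92.31", "standard"),
    ("adc-fips-01", "13.1-37.241", "fips"),
    ("adc-fips-02", "12.1-55.329", "fips"),
    ("gw-02", "NS13.1", "standard"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(f"{status:10} {', '.join(hosts)}")
```

A `patched` result covers the version only; as the article notes, those hosts still need a review for prior compromise and deployed backdoors.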
In conclusion, the discovery of these zero-day vulnerabilities in Citrix NetScaler ADC and Gateway underscores the importance of timely patching and vigilant security practices. Organizations are advised to apply the patches and conduct thorough security reviews to protect against potential threats.