On August 26, 2025, Citrix (Cloud Software Group) disclosed three critical vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances:
- CVE-2025-7775 – Actively exploited zero-day allowing Pre-auth RCE.
- CVE-2025-7776 – Memory overflow causing DoS and erratic behavior.
- CVE-2025-8424 – Improper access control on the management interface.
Security researchers and government advisories, including NCSC Netherlands, have confirmed active exploitation of CVE-2025-7775 in the wild. As of disclosure, over 14,000 exposed instances were online with only 16% patch coverage.
Severity Level: Critical
Vulnerability Details
- CVE-2025-7775 (aka CitrixDeelb; CVSS Score: 9.2): Memory overflow vulnerability resulting in remote code execution or denial of service when NetScaler is configured as Gateway, AAA vServer, CR vServer or LB vServer.
- CVE-2025-7776 (CVSS Score: 8.8): Memory overflow leading to unpredictable behavior and DoS when a Gateway (VPN vServer) is configured with a PCoIP profile.
- CVE-2025-8424 (CVSS Score: 8.7): Improper access control on NetScaler Management Interface, exploitable if NSIP, SNIP, or other management IPs are exposed.
Exploitation Of CVE-2025-7775
- Exploitation Status: Confirmed in the wild
- Exploit Type: Pre-auth Remote Code Execution (RCE)
- Observed Payloads: Dropping web shells for persistent access
- Backdoor Activity: Reports of post-patch persistence via backdoors
- Public Scanning: Internet-wide scans reported on Shodan
- Suspected use in advanced persistent threat (APT) chains
- Script for Post-Exploitation Detection: NCSC script
Affected Products And Versions
- NetScaler ADC & Gateway 14.1: Before v14.1-47.48
- NetScaler ADC & Gateway 13.1: Before v13.1-59.22
- NetScaler ADC 13.1-FIPS and NDcPP: Before v13.1-37.241
- NetScaler ADC 12.1-FIPS and NDcPP: Before v12.1-55.330
Note: Versions 12.1 and 13.0 are EOL and unsupported
Recommendations
- Organizations that use affected Citrix NetScaler should apply patches urgently and ensure the management interface is not exposed to the internet.
Fixed versions:
- NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP
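To check an appliance inventory against the fixed builds listed above, the following is an added example, not code from Citrix or NCSC. It assumes version strings shaped like `NS14.1: Build 47.46.nc` or `14.1-47.46`, and that the edition (`standard` or `fips`, the latter covering FIPS and NDcPP) is known from the inventory; the host names and sample rows are constructed.

```python
import re

# First fixed build per (release branch, edition), copied from the advisory.
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),  # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 330),  # 12.1-FIPS and 12.1-NDcPP
}
EOL_BRANCHES = {"12.1", "13.0"}  # listed in the advisory as EOL and unsupported

# Assumed input shapes: "NS14.1: Build 47.46.nc" or "14.1-47.46".
VERSION_RE = re.compile(r"(\d+\.\d+)\s*(?::\s*Build\s+|-)(\d+)\.(\d+)")


def triage(version_text, edition="standard"):
    """Classify one appliance as patched, vulnerable, eol or unknown."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    branch = m.group(1)
    # Compare builds as integer pairs: as strings, "59.9" sorts after "59.22".
    build = (int(m.group(2)), int(m.group(3)))
    fixed = FIXED.get((branch, edition))
    if fixed is None:
        return "eol" if branch in EOL_BRANCHES else "unknown"
    return "patched" if build >= fixed else "vulnerable"


# Constructed sample inventory: (host, version string, edition).
INVENTORY = [
    ("gw-01", "NetScaler NS14.1: Build 47.46.nc", "standard"),
    ("gw-02", "NS13.1: Build 59.22.nc", "standard"),
    ("lb-03", "13.1-59.9", "standard"),
    ("fips-04", "NS13.1: Build 37.241.nc", "fips"),
    ("old-05", "NS13.0: Build 92.31.nc", "standard"),
]


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver, ed) for host, ver, ed in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

A `patched` result reflects only the build number; given the reports of post-patch persistence above, it does not rule out a compromise that happened before the upgrade.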
Source:
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
- https://www.vulncheck.com/blog/new-citrix-netscaler-zero-day-vulnerability-exploited-in-the-wild
- https://cyberplace.social/@GossiTheDog/115102237563369978