CVE-2025-7775: Critical NetScaler Vulnerability Under Active Exploitation

Citrix NetScaler has had a difficult summer, with the vulnerability “CitrixBleed 2” being disclosed in July 2025 (a critical vulnerability causing memory exposure leaking sensitive information). However, this is not the end, as another critical vulnerability (CVE-2025-7775) was disclosed yesterday on the 26th of August. Because Citrix devices are normally public facing, the likelihood of exploitation in the wild increases significantly. In fact, both vulnerabilities have been actively exploited, according to Citrix. 

Furthermore, this advisory will focus on CVE-2025-7775, additional information regarding the CitrixBleed 2 can be found in our earlier blog post here. https://insights.integrity360.com/threat-advisories/threat-advisory-cve-2025-5777-critical-vulnerability-in-citrix-netscaler-adc-and-gateway 

What is CVE-2025-7775? 

If you're running Citrix NetScaler ADC or NetScaler Gateway, here's a vulnerability you can’t afford to ignore. Disclosed in late August 2025, exploits were seen in the wild. According to Citrix and corroborated by multiple threat intel sources, the vulnerability lies in how NetScaler handles certain requests on appliances configured with specific virtual server roles — notably: 

• Gateway virtual servers (e.g., VPN, ICA Proxy) 

• AAA authentication virtual servers 

• Load-balancing vServers bound to IPv6 services 

• HDX-type CR virtual servers 

If your appliance is set up for one or more of these, you are at risk. 

 Why This Is Urgent 

• CVSS Score: 9.2 (Critical) 

• Exploitation in the wild: Confirmed 

• No authentication required: Attackers don’t need credentials to exploit the vulnerability 

• Added to CISA KEV: U.S. federal agencies are required to patch it by August 28, 2025 

If you're running an unpatched system, it could already be compromised — especially if it's internet-facing. 

Am I Affected? 

You’re at risk if you're using any of the following NetScaler builds: 

If you’re running EOL versions like 12.1 or 13.0, there is no patch, and you need to upgrade ASAP or apply other mitigations.. 

What You Should Do Right Now 

• Patch Immediately 
  Get to the fixed versions listed above. Citrix has published patched builds — no workaround is currently available. 
• Audit Virtual Server Configurations 
  The vulnerability only affects appliances with the roles we mentioned earlier. If your system isn’t using Gateway, AAA, or IPv6 LB vServers, your exposure is lower — but don’t get complacent. 
• Kill Active Sessions 
  If you've patched after potential exposure, assume sessions may have been hijacked. Run: 
• kill icaconnection -all 
• kill pcoipConnection -all 

Then rotate any associated credentials. 

• Look for unusual access patterns in logs 

• Non-ASCII requests 

• Unexpected processes or scripts in the file system 

What have has been seen so far in the wild? 

So far, reports show a mix of exploitation attempts — from denial-of-service attacks to implanting remote shells or credentials harvesting through compromised authentication flows. 

Given NetScaler's role in front-ending sensitive apps (like VPNs and authentication gateways), an exploit here could become a pivot point into your internal environment. 

Check Your Infra-as-Code 

If you’re using automated deployment for NetScaler appliances (Terraform, Ansible, etc.), now’s a good time to: 

• Update your module versions 

• Enforce minimum patch levels 

• Validate no deprecated or EOL software is being provisioned 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively, Get in touch to find out how you can protect your organisation.