On August 26, 2025, Citrix released security bulletin CTX694938 to address three newly identified vulnerabilities in NetScaler ADC and NetScaler Gateway, known as CVE-2025-7775 (CVSS: 9.2), CVE-2025-7776 (CVSS: 8.8) and CVE-2025-8424 (CVSS: 8.7).

Given the central role NetScaler devices have in providing secure remote access, threat actors can exploit this vulnerability to gain direct entry into enterprise networks with minimal effort. Citrix emphasises the urgency of applying patches and taking immediate action due to the ease of exploitation and that CVE-2025-7775 is already being exploited in the wild.

Affected systems

A prerequisite for the exploitation of these vulnerabilities is that NetScaler must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or an AAA virtual server.

• NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48
• NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22
• NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP
• NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP
• Secure Private Access (SPA) on-premises or Hybrid deployments using NetScaler instances

Note that NetScaler ADC and NetScaler Gateway version 12.1 and 13.0 are End Of Life (EOL) and no longer supported.

Recommendations

mnemonic recommends the following actions if your organisation has vulnerable NetScaler devices exposed to the Internet:

• Take a snapshot or make a copy (if possible) of the system for incident response (preferably before patching)
• Apply the recommended patches provided by Citrix
• Perform session invalidation after patching by running the vendor-recommended commands to kill ICA/PCoIP sessions (kill icaconnection -all and kill pcoipConnection -all.), then plan to invalidate web/VPN session cookies across AAA/Gateway
• Run the webshell detection script for Citrix NetScaler appliances as a precautionary measure
• Analyse the snapshot for any malicious activity or malware, such as by using NetScaler’s own log analysis guidance to look for artifacts of scanning/exploitation attempts
• Restrict management plane: ensure NSIP/Cluster IP/GSLB Site IP are reachable only from a management network/VPN; no direct Internet exposure
• Long-term: Ensure external log retention for NetScaler (such as incl. ns.log, aaad.debug, appfw.log, httprequest.log)
• Long-term: Review NetScaler Secure Deployment Guide
• If suspected compromised: Force re-authentication for remote access and revoke/rotate any secrets/tokens

Threat Intelligence assessment

Exploitation has already been confirmed in the wild and has been used to deploy webshells on exposed systems.

At present, there is no public proof-of-concept exploit code available, but its expected that one will surface soon. The technical feasibility of unauthenticated memory vulnerability exploitation means that once code becomes publicly available, opportunistic threat actors are likely to conduct widespread scanning and automated exploitation at scale. This significantly increases the risk for any Internet-facing NetScaler appliance that has not yet been patched.

Organisations should operate under the assumption that vulnerable and Internet-exposed appliances have already been compromised, if the vulnerabilities are not patched prior to the release of public proof-of-concept exploit code. The combination of active in-the-wild exploitation, the likelihood of imminent proof-of-concept release, and the strategic value of NetScaler appliances to threat actors at various levels, underlines the severity of the vulnerabilities.

We will continue to update this advisory when we have additional information to share.