Cybersecurity Threat Advisory: Citrix patches NetScaler flaws

Citrix has issued patches for three zero-day vulnerabilities affecting NetScaler ADC and Gateway, including one that attackers have already begun exploiting. Review the details in this Cybersecurity Threat Advisory to reduce your risk from these threats.

What is the threat?

The vulnerabilities, identified as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, include two memory overflow flaws and one improper access control issue in the NetScaler Management Interface.

  • CVE-2025-7775 (CVSS of 9.2) is a critical remote code execution (RCE) flaw that attackers actively exploited as a zero-day, taking advantage of it before a patch became available.
  • CVE-2025-7776 (CVSS of 8.8) is a memory handling flaw that could cause “unpredictable or erroneous” behavior or lead to a denial of service (DoS) condition.
  • CVE-2025-8424 (CVSS of 8.7) is an improper access control issue that could allow attackers to reach sensitive data, perform unauthorized functions, and potentially gain control over parts of the affected system.

Combined, these flaws could enable initial access, privilege escalation, data theft, or ransomware deployment, especially in environments with unpatched NetScaler appliances.

Why is this noteworthy?

NetScaler ADC and Gateway appliances are widely used in enterprise environments for secure remote access, meaning exploitation could give attackers a foothold into sensitive corporate networks. CVE-2025-7775 impacts multiple configurations, including Gateway, AAA, certain load balancing setups, and HDX virtual servers, making it harder for admins to quickly assess exposure.

What is the exposure or risk?

CVE-2025-7775 can be exploited when NetScaler devices are configured for VPN or remote access, handle certain IPv6 web traffic, or perform specific content routing functions. While this vulnerability is complex to exploit, a successful attack could severely compromise a system’s confidentiality, integrity, and availability. Affected products include specific builds of NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines.

CVE-2025-7776 can cause “unpredictable or erroneous” behavior or lead to a denial of service (DoS) condition.

CVE-2025-8424 can allow attackers to access sensitive data, perform unauthorized functions, and potentially gain control over parts of the affected system.

What are the recommendations?

Barracuda recommends the following actions to mitigate risks associated with these Citrix vulnerabilities:

  • Upgrade to the fixed versions released by Citrix for NetScaler ADC and Gateway in the 12.1, 13.1, and 14.1 release lines.
  • Examine logs for suspicious activity, especially on devices configured for VPN, AAA, IPv6 load balancing, or HDX content routing.
  • Limit access to NSIP, Cluster Management IP, GSLB Site IP, and SNIP with management enabled to trusted administrative networks only.
  • Disable unnecessary management interfaces exposed to the internet.
  • Disable unused virtual servers, especially those bound to IPv6 services, if not required.
  • Review and remove unnecessary PCoIP profiles or content routing configurations.

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End Of Life (EOL) and no longer supported. Citrix recommends that customers upgrade their appliances to a supported version that addresses the vulnerabilities.
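
The configuration review in the recommendations above can be scripted against an exported ns.conf. The following Python is an added example, not Barracuda's or Citrix's code; the statement patterns, category labels, and sample configuration are assumptions constructed for illustration, and a match means "review this object", not "vulnerable".

```python
import ipaddress
import shlex

# Constructed sample of an ns.conf export (not taken from a real appliance).
SAMPLE_NS_CONF = """\
add ns ip 192.0.2.10 255.255.255.0 -vServer DISABLED -mgmtAccess ENABLED
add ns ip 192.0.2.11 255.255.255.0 -type VIP
add server app6 2001:db8::20
add vpn vserver gw_vs SSL 203.0.113.5 443
add authentication vserver aaa_vs SSL 0.0.0.0
add lb vserver web6_vs HTTP 2001:db8::10 80
add lb vserver old_vs HTTP 198.51.100.7 80 -state DISABLED
add cr vserver hdx_vs HDX 203.0.113.6 443
add vpn pcoipProfile pcoip_prof -conServerUrl https://broker.example.test
"""

def is_ipv6(token):
    try:
        return ipaddress.ip_address(token).version == 6
    except ValueError:
        return False

def audit(conf_text):
    """Return (category, object) pairs to review; categories are assumed labels."""
    findings = []
    for line in conf_text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 4 or tok[0].lower() != "add":
            continue
        kind = " ".join(tok[1:3]).lower()
        # Map each "-option" to the value that follows it on the line.
        opts = {k.lower(): v for k, v in zip(tok, tok[1:]) if k.startswith("-")}
        if opts.get("-state", "").upper() == "DISABLED":
            continue  # object is already disabled
        if kind == "ns ip" and opts.get("-mgmtaccess", "").upper() == "ENABLED":
            findings.append(("mgmt-access-ip", tok[3]))
        elif kind == "vpn vserver":
            findings.append(("gateway-vserver", tok[3]))
        elif kind == "authentication vserver":
            findings.append(("aaa-vserver", tok[3]))
        elif kind == "cr vserver" and len(tok) > 4 and tok[4].upper() == "HDX":
            findings.append(("hdx-cr-vserver", tok[3]))
        elif kind == "lb vserver" and len(tok) > 5 and is_ipv6(tok[5]):
            findings.append(("ipv6-lb-vserver", tok[3]))
        elif kind == "vpn pcoipprofile":
            findings.append(("pcoip-profile", tok[3]))
        elif tok[1].lower() == "server" and is_ipv6(tok[3]):
            findings.append(("ipv6-backend-server", tok[2]))
    return findings
```

Run `audit()` on the text of a saved configuration and compare each finding against what the appliance is actually required to serve before disabling or restricting it.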

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.