Citrix NetScaler RCE Vulnerability Exploited in Zero-Day Attacks

Joe Toomey, August 28, 2025
On August 26, Citrix fixed three vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), including a critical remote code execution (RCE) flaw (tracked as CVE-2025-7775), which was actively exploited as a zero-day vulnerability.

In addition to RCE, this memory overflow vulnerability could also lead to a denial-of-service (DoS) attack by an unauthenticated threat actor. Over 28,200 instances remain exposed and are vulnerable, according to Shadowserver.

Citrix has not provided mitigations or workarounds but directed affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.

What happened?

Citrix NetScaler is a web application delivery controller (ADC) that can make applications run more efficiently. It functions as a gateway to allow different levels of user access and, depending on its configuration, can act as a load balancer, web application firewall (WAF), virtual private network (VPN), and more.

Both Citrix and the US Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the vulnerability (CVSS score: 9.2) was exploited as a zero-day before disclosure.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected: 

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.48

  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.22

  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.241-FIPS and NDcPP

  • NetScaler ADC 12.1-FIPS and NDcPP BEFORE 12.1-55.330-FIPS and NDcPP

Secure Private Access on-premises or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities.

How do businesses address this?

Affected customers of NetScaler ADC and NetScaler Gateway should install the relevant updated versions as soon as possible:

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases

  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1

  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP

  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now end-of-life (EOL) and no longer supported. Customers running these versions should upgrade their appliances to one of the supported versions that address the vulnerabilities.
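
The fixed-build thresholds above can be applied mechanically to an appliance inventory. This Python sketch is an added example, not code from Citrix or Coalition; the host names and build numbers in the inventory are constructed, and the `fips` flag (marking a FIPS/NDcPP build) is an assumption about how the inventory records the edition.

```python
import re

# First fixed build per (release, edition), copied from the list above.
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips"): (37, 241),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips"): (55, 330),   # 12.1-FIPS and 12.1-NDcPP
}
# End-of-life per the text above: no fixed build, the appliance must be upgraded.
EOL = {("12.1", "standard"), ("13.0", "standard")}
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def assess(version, fips=False):
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    key = (m.group(1), "fips" if fips else "standard")
    if key in EOL:
        return "eol"
    fixed = FIXED.get(key)
    if fixed is None:
        return "unknown"
    # Compare builds as integer pairs: as strings, "47.9" would sort after "47.48".
    build = (int(m.group(2)), int(m.group(3)))
    return "patched" if build >= fixed else "vulnerable"

# Constructed inventory: (host, version, is FIPS/NDcPP build). Not real data.
INVENTORY = [
    ("adc-edge-01", "14.1-47.48", False),
    ("adc-edge-02", "14.1-43.50", False),
    ("gw-vpn-01", "13.1-59.22", False),
    ("gw-vpn-02", "13.1-58.32", False),
    ("adc-fips-01", "13.1-37.241", True),
    ("adc-fips-02", "13.1-37.235", True),
    ("adc-fips-03", "12.1-55.330", True),
    ("adc-old-01", "13.0-92.31", False),
    ("adc-old-02", "12.1-65.25", False),
]

def triage(inventory):
    """Sort hosts so the ones needing action come first."""
    rank = {"vulnerable": 0, "eol": 1, "unknown": 2, "patched": 3}
    rows = [(h, v, assess(v, f)) for h, v, f in inventory]
    return sorted(rows, key=lambda r: (rank[r[2]], r[0]))

if __name__ == "__main__":
    for host, version, status in triage(INVENTORY):
        print(f"{status:<10} {host:<12} {version}")
```

A `patched` result reflects only the build number; because the vulnerability was exploited before disclosure, it says nothing about whether an appliance was compromised before it was updated.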

Who's at risk?

Among Coalition policyholders notified about this vulnerability, businesses in the healthcare (29%) and professional services (14%) industries were most impacted. The highest proportion of impacted policyholders had more than 1,000 employees (~29%).

According to Shadowserver, 36% of the internet-exposed Citrix systems impacted were located in the US. 

This new vulnerability follows Citrix's disclosure in June of a vulnerability dubbed "Citrix Bleed 2," which allows attackers to access sensitive information stored in memory. This discovery contributed to Citrix moving up 62 places (to rank #69) in Coalition’s most recent Risky Tech Ranking. Citrix products had nearly 23% more published vulnerabilities in Q2 2025 versus Q1 2025. 

How is Coalition responding?

Within hours of disclosure, Coalition notified any impacted policyholders on Tuesday, August 26. Coalition policyholders can log in to Coalition Control® for the latest updates. Coalition also recommends that policyholders follow the latest guidance from Citrix.

We continue to closely monitor the situation. For any questions about this vulnerability or assistance with mitigation, please contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.


This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites.
Copyright © 2025. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
