
Three critical vulnerabilities in Citrix's NetScaler product have been addressed with updates, as evidence suggests that these flaws are currently being actively exploited.

Vulnerable Citrix NetScaler appliances require patching, yet experts warn that this action may not be sufficient on its own.


Citrix has released patches for three zero-day vulnerabilities in its NetScaler ADC and Gateway products. The vulnerabilities, tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, are all considered critical and have been added to the Known Exploited Vulnerabilities (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA).

The flaws include two memory overflow vulnerabilities and an improper access control issue on the NetScaler Management Interface. Independent security researcher Kevin Beaumont, who dubbed CVE-2025-7775 'CitrixDeelb', has stated that it is being used for pre-authentication remote code execution (RCE) to drop webshells and backdoor organizations.

The vulnerabilities affect several versions of NetScaler ADC and NetScaler Gateway. Specifically, the following systems are vulnerable: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-47.48, NetScaler ADC and NetScaler Gateway 13.1 before 13.1-59.22, NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP, and NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP.
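The version thresholds above lend themselves to an inventory check. The following is an added example, not code from Citrix or from the article; it assumes version strings are recorded in the article's own notation (such as `14.1-47.48` or `13.1-37.241-FIPS`), and the hostnames and sample builds are constructed.

```python
import re

# First fixed build per branch, as listed in the article.
# Key: (release, is_fips_or_ndcpp) -> (build_major, build_minor)
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Assumed inventory notation, mirroring the article: "14.1-47.48", "13.1-37.241-FIPS"
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$", re.IGNORECASE)


def classify(version):
    """Return 'vulnerable', 'fixed-build', 'not-listed' or 'unparsed'."""
    match = VERSION_RE.match(version.strip())
    if match is None:
        return "unparsed"  # never guess: send to manual review
    release, major, minor, edition = match.groups()
    fixed = FIXED_BUILDS.get((release, edition is not None))
    if fixed is None:
        return "not-listed"  # branch not named in the article; check the vendor bulletin
    # Tuple comparison avoids the string-compare trap ("47.9" > "47.48" as text).
    return "vulnerable" if (int(major), int(minor)) < fixed else "fixed-build"


def triage(inventory):
    """Group (hostname, version) pairs by status."""
    report = {"vulnerable": [], "fixed-build": [], "not-listed": [], "unparsed": []}
    for host, version in inventory:
        report[classify(version)].append(host)
    return report


# Constructed sample inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = [
    ("adc-edge-01", "14.1-47.48"),
    ("adc-edge-02", "14.1-43.56"),
    ("gw-vpn-01", "13.1-59.19"),
    ("adc-fips-01", "13.1-37.241-FIPS"),
    ("adc-fips-02", "12.1-55.321-NDcPP"),
    ("adc-old-01", "13.0-92.21"),
    ("adc-lab-01", "NS14.1 Build 47.48"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

A `fixed-build` result only describes the build number: as the article notes, patching may not be sufficient on its own, so appliances that were exposed before the upgrade still need to be checked for webshells and backdoors.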

Before Citrix released patches for these vulnerabilities, no specific organizations had publicly disclosed exploitation of these flaws. However, Citrix itself reported active exploitation of the critical vulnerability CVE-2025-7775 by attackers, indicating that attack attempts were observed prior to patch availability.

Beaumont reported that 84% of affected appliances were vulnerable as of August 26. The Shadowserver Foundation also observed at least 28,000 unpatched Citrix NetScaler instances vulnerable to the CVE-2025-7775 RCE vulnerability as of the same date.

The exploitation of these vulnerabilities could lead to a range of malicious activities, including unauthorised access, data theft, and system compromise. Therefore, Citrix urges users to upgrade to one of the patched versions.

NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1 are now considered supported. Similarly, NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases are now supported. Additionally, NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP are now supported.

Exploit campaigns for memory corruption vulnerabilities like CVE-2025-7775 and CVE-2025-7776 are likely coming from sophisticated threat actors, possibly including nation-state groups. Therefore, it is crucial for organisations to prioritise patching CVE-2025-8424, which is a secondary vulnerability.

Secure Private Access on-prem or Secure Private Access Hybrid deployments using NetScaler instances are also affected by the vulnerabilities. As such, organisations using these services are advised to apply the patches promptly.

In a recent advisory, CISA urged US federal agencies to apply patches for CVE-2025-7775 by August 28. Given the severity and widespread nature of these vulnerabilities, it is advisable for all organisations using Citrix NetScaler to apply the patches as soon as possible.
