A critical zero-day vulnerability, CVE-2025-7775, has been actively exploited in the wild, affecting Citrix NetScaler ADC and NetScaler Gateway devices. The vulnerability, which has been assigned a CVSS score of 9.8, allows for remote code execution and denial of service attacks when NetScaler is configured as a Gateway or AAA virtual server. This includes configurations such as VPN virtual servers, ICA Proxy, CVPN, and RDP Proxy.
The flaw, categorized under CWE-119, is a memory overflow vulnerability that attackers have leveraged even before its official disclosure, marking it as a zero-day exploit. The vulnerability was publicly disclosed and patched by Citrix on August 26, 2025, but attackers had already been exploiting it, underscoring the urgency for organizations to apply the patch immediately.
The exploitation of CVE-2025-7775 has been confirmed, with multiple proof-of-concept (PoC) exploits available, increasing the risk of widespread attacks. The vulnerability's inclusion in the Known Exploited Vulnerabilities (KEV) catalog on the same day as its disclosure highlights its critical nature and the immediate need for defensive measures.
Citrix has released patches for the affected versions, which include NetScaler ADC and Gateway versions 13.1, 14.1, and 13.1-FI. Organizations using these versions should prioritize patching to mitigate the risk of exploitation. The Security Severity Vulnerability Classification (SSVC) for this vulnerability is marked as "act," indicating that immediate action is necessary to protect systems from potential compromise.
The exploitation of this vulnerability can lead to severe consequences, including unauthorized access to sensitive data, disruption of services, and potential lateral movement within affected networks. Security teams are advised to review their NetScaler configurations and ensure that patches are applied without delay.
Given the critical nature of CVE-2025-7775 and its active exploitation, organizations should also consider implementing additional security measures such as network segmentation, enhanced monitoring, and intrusion detection systems to detect and respond to any suspicious activity promptly.
As attackers continue to exploit this vulnerability, the cybersecurity community must remain vigilant and proactive in applying patches and monitoring for any signs of compromise. The availability of multiple PoC exploits further emphasizes the need for immediate action to safeguard against potential attacks.
CSURFACE