Mallory
Critical | CISA KEV | Exploited in the wild | Public exploit

Unauthenticated RCE in Citrix NetScaler ADC and Gateway

Identifiers: CVE-2025-7775, CWE-120

CVE-2025-7775 is a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that can lead to remote code execution and/or denial of service. The flaw affects only specific appliance configurations identified by Citrix: NetScaler configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server; LB virtual servers of type HTTP, SSL, or HTTP_QUIC bound with IPv6 services or service groups bound with IPv6 servers; LB virtual servers of the same types bound with DBS IPv6 services or service groups bound with IPv6 DBS servers; or a CR virtual server with type HDX. Citrix and multiple secondary reports describe the issue as exploitable without authentication, and Citrix stated exploitation was observed prior to public advisory and patch release. The vulnerable branches include NetScaler ADC and Gateway 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, NetScaler ADC 13.1-FIPS/NDcPP before 13.1-37.241, and NetScaler ADC 12.1-FIPS/NDcPP before 12.1-55.330; standard 12.1 and 13.0 releases are end-of-life and remain vulnerable.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow arbitrary code execution on the affected NetScaler appliance and can also cause a denial-of-service condition. Because the affected products are edge devices commonly used for remote access and application delivery, compromise can provide an attacker with control of a high-value perimeter system, enabling follow-on activity such as webshell deployment, persistence, traffic interception or manipulation, credential theft, and broader intrusion into internal environments. Citrix stated the vulnerability was actively exploited in the wild before disclosure.

Mitigation

If you can’t patch tonight, do this now.

According to the Citrix advisory, no workarounds or mitigating factors are available for CVE-2025-7775. The practical mitigation is to identify whether the appliance is deployed in one of the vulnerable configurations and upgrade to a fixed release as soon as possible. Given reported in-the-wild exploitation, organizations should also investigate affected devices for signs of compromise after patching.

Remediation

Patch, then assume compromise.

Upgrade affected appliances to fixed versions immediately: NetScaler ADC and NetScaler Gateway 14.1-47.48 or later, 13.1-59.22 or later, NetScaler ADC 13.1-FIPS/NDcPP 13.1-37.241 or later, and NetScaler ADC 12.1-FIPS/NDcPP 12.1-55.330 or later. Appliances running end-of-life standard releases 12.1 or 13.0 should be migrated to a supported fixed branch. Secure Private Access on-prem and Hybrid deployments using affected NetScaler instances should also be updated accordingly.
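The identify-then-upgrade procedure above reduces to a version and configuration check per appliance. The following is an added example, not code from Mallory or Citrix: it encodes the fixed builds and vulnerable configurations exactly as this page states them, and assesses a single appliance. The role names ("gateway", "aaa", "cr_hdx") and the `show ns version` output format are assumptions for illustration.

```python
import re

# Fixed builds as stated on this page: (branch, is FIPS/NDcPP) -> (build, minor)
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Standard branches the page says are end-of-life and remain vulnerable
EOL_BRANCHES = {"12.1", "13.0"}

# Accepts the advisory form "14.1-47.48" and a "NS14.1: Build 47.48.nc" form
# (assumed to match `show ns version`; adjust the regex if your output differs)
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?::\s*Build\s*|[- ])(\d+)\.(\d+)")

# Roles the page lists as vulnerable: Gateway (VPN vserver, ICA Proxy, CVPN,
# RDP Proxy), AAA vserver, CR vserver of type HDX. Names are constructed here.
EXPOSED_ROLES = {"gateway", "aaa", "cr_hdx"}


def parse_version(text):
    """Return (branch, build, minor) from a NetScaler version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def config_exposed(roles, lb_ipv6=False):
    """True if the appliance matches one of the page's vulnerable configurations.
    lb_ipv6 covers the LB (HTTP/SSL/HTTP_QUIC) vservers bound to IPv6 or IPv6 DBS
    services/servers."""
    return bool(EXPOSED_ROLES & set(roles)) or lb_ipv6


def assess(version, roles=(), lb_ipv6=False, fips_ndcpp=False):
    """Classify one appliance: not_exposed, eol_vulnerable, vulnerable, fixed,
    or unknown_branch (a branch this page does not list)."""
    branch, build, minor = parse_version(version)
    if not config_exposed(roles, lb_ipv6):
        return "not_exposed"
    if not fips_ndcpp and branch in EOL_BRANCHES:
        return "eol_vulnerable"
    fixed = FIXED_BUILDS.get((branch, fips_ndcpp))
    if fixed is None:
        return "unknown_branch"
    # Tuple comparison orders build first, then minor: 14.1-48.10 >= 14.1-47.48
    return "fixed" if (build, minor) >= fixed else "vulnerable"
```

A "not_exposed" result still means the appliance should be upgraded on the normal cycle; it only means the page does not list that configuration as reachable for this flaw.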

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 4 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 4 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor            Product                                      Type
Citrix Systems    Netscaler Application Delivery Controller    application
Citrix Systems    Netscaler Gateway                            application

Vendor-confirmed product mapping.
