NetScaler ADC/Gateway: Citrix NetScaler memory overflow vulnerability leading to remote code execution or denial of service (CVE-2025-7775) #shorts
Summary
Hello and welcome to Cyber Alert Weekly. In today’s episode we’re diving into CVE-2025-7775, a critical memory overflow vulnerability in Citrix NetScaler ADC and Gateway appliances. Actively exploited in the wild and now cataloged by CISA, this zero-day flaw can lead to remote code execution or denial of service. We’ll break down what’s affected, how it works, and what you need to do right now.
Product details
This issue impacts Citrix NetScaler ADC and NetScaler Gateway 14.1 before build 14.1-47.48, 13.1 before build 13.1-59.22, 13.1-FIPS and 13.1-NDcPP before build 13.1-37.241, and 12.1-FIPS and 12.1-NDcPP before build 12.1-55.330. The end-of-life 12.1 (non-FIPS) and 13.0 releases are also vulnerable but receive no fix; they have to be moved to a supported release. The flaw is only reachable through certain virtual server types: VPN, ICA Proxy, CVPN, RDP Proxy and AAA virtual servers; HTTP, SSL and HTTP_QUIC load-balancing virtual servers bound to IPv6 services or service groups; and cache-redirection (CR) virtual servers of type HDX.
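A triage helper for the version list above, added here as an example (it is not Citrix's code and not part of the original page). It parses the first line of `show ns version` output, whose format (`NetScaler NS14.1: Build 47.46.nc, ...`) is assumed from the usual CLI output, and compares the build against the fixed builds from the advisory. The FIPS/NDcPP branch is inferred from the build series (13.1-37.x, 12.1-55.x), which is an assumption; pass `branch=` explicitly if your appliance does not follow it. The sample banners are constructed, not taken from real appliances.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed builds from the Citrix advisory (CTX694938) as listed on this page.
# A build numerically below the listed one is affected.
FIXED_BUILDS = {
    ("14.1", "standard"):   (47, 48),
    ("13.1", "standard"):   (59, 22),
    ("13.1", "fips_ndcpp"): (37, 241),
    ("12.1", "fips_ndcpp"): (55, 330),
}

# Matches the first line of `show ns version`, e.g.
#   NetScaler NS14.1: Build 47.46.nc, Date: Jul 17 2025, 22:34:49   (64-bit)
# (format assumed from the usual CLI output; verify against your appliance)
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


class Verdict(NamedTuple):
    release: str
    branch: str
    build: Tuple[int, int]
    fixed_build: Optional[Tuple[int, int]]
    vulnerable: bool
    reason: str


def parse_version(banner: str) -> Tuple[str, Tuple[int, int]]:
    """Extract (release, (build_major, build_minor)) from a version banner."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {banner!r}")
    return m["release"], (int(m["major"]), int(m["minor"]))


def infer_branch(release: str, build: Tuple[int, int]) -> str:
    # Assumption: the FIPS/NDcPP lines ship as distinct build series (13.1-37.x,
    # 12.1-55.x), so the build major separates them from the standard 13.1-59.x line.
    if (release, build[0]) in {("13.1", 37), ("12.1", 55)}:
        return "fips_ndcpp"
    return "standard"


def assess(banner: str, branch: Optional[str] = None) -> Verdict:
    """Decide whether the build in `banner` is below the fixed build for its branch."""
    release, build = parse_version(banner)
    branch = branch or infer_branch(release, build)
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        # 12.1 (non-FIPS) and 13.0 are end-of-life: affected, but no fixed build exists.
        return Verdict(release, branch, build, None, True,
                       "no fixed build for this release/branch (EOL or unknown); "
                       "upgrade to a supported release")
    if build < fixed:  # tuple comparison: major first, then minor
        return Verdict(release, branch, build, fixed, True,
                       f"build {build[0]}.{build[1]} is below fixed build {fixed[0]}.{fixed[1]}")
    return Verdict(release, branch, build, fixed, False, "at or above the fixed build")


# Constructed sample banners (not captured from real appliances).
SAMPLE_BANNERS = [
    "NetScaler NS14.1: Build 47.46.nc, Date: Jul 17 2025, 22:34:49   (64-bit)",
    "NetScaler NS14.1: Build 47.48.nc, Date: Aug 20 2025, 10:01:12   (64-bit)",
    "NetScaler NS13.1: Build 37.235.nc, Date: Jun 05 2025, 08:30:00   (64-bit)",
    "NetScaler NS13.1: Build 59.22.nc, Date: Aug 20 2025, 09:45:00   (64-bit)",
    "NetScaler NS13.0: Build 92.21.nc, Date: Jan 10 2024, 11:00:00   (64-bit)",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        v = assess(b)
        state = "VULNERABLE" if v.vulnerable else "fixed"
        print(f"{v.release}-{v.build[0]}.{v.build[1]} [{v.branch}] {state}: {v.reason}")
```

Run it against `show ns version` output collected over SSH from each appliance; an unknown release or branch is reported as vulnerable on purpose, since the only safe answer for an end-of-life build is to upgrade.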
Vulnerability type summary
CVE-2025-7775 is categorized under CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. In plain terms, certain input lengths aren’t properly validated, allowing an attacker to overflow a buffer, corrupt memory, and seize control of the device or crash critical services.
Details of the vulnerability
When NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server, or when it hosts HTTP, SSL or HTTP_QUIC load-balancing virtual servers bound to IPv6 services or service groups (including domain-based, DBS, IPv6 servers) or a cache-redirection virtual server of type HDX, an unauthenticated attacker who can reach that virtual server can send a specially crafted request that overruns an internal buffer. Successful exploitation yields remote code execution on the appliance or a denial of service; the advisory rates the issue CVSS 9.2. Reports indicate the flaw was weaponized in targeted campaigns against U.S. corporations before a fix was available, prompting CISA to add it to its Known Exploited Vulnerabilities catalog. Citrix released out-of-band patches (advisory CTX694938) to address this zero-day, alongside fixes for two additional NetScaler bugs: CVE-2025-7776, another memory overflow leading to unpredictable behaviour and denial of service, and CVE-2025-8424, improper access control on the management interface.
Conclusion
If you run Citrix NetScaler ADC or Gateway, assume you're vulnerable until you've applied the official patches. Upgrade immediately to the fixed builds: 14.1-47.48 or later, 13.1-59.22 or later, 13.1-FIPS/NDcPP 37.241 or later, and 12.1-FIPS/NDcPP 55.330 or later. Citrix published no workaround, and the end-of-life 12.1 and 13.0 releases must be moved to a supported version. Review your VPN, ICA, RDP, AAA, IPv6 load-balancing and HDX cache-redirection configurations, monitor logs for suspicious traffic to those virtual servers, treat any appliance that was internet-exposed while unpatched as potentially compromised rather than merely patched, and keep management interfaces isolated. That wraps up today's alert: stay safe, and keep your infrastructure patched.
Watch the full video on YouTube: CVE-2025-7775
Remediation and exploitation details
This chain involves the following actors
- Malicious threat actor: Exploiter
- System administrator: Remediator
The following systems are involved
- Citrix NetScaler ADC (Application delivery controller): Primary target
- Citrix NetScaler Gateway (Secure remote access gateway): Primary target
Attack entry point
- VPN virtual server: any Gateway configuration (VPN virtual server, ICA Proxy, CVPN or RDP Proxy)
- AAA virtual server: authentication, authorization, and auditing endpoint
- HTTP, SSL or HTTP_QUIC load-balancing virtual server: bound to IPv6 services or service groups (including domain-based IPv6 servers)
- Cache-redirection (CR) virtual server of type HDX: Citrix HDX traffic endpoint
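A static check of a NetScaler configuration for the entry points listed above, added here as an example (not Citrix's code and not part of the original page). It reads ns.conf-style commands (`add vpn vserver`, `add authentication vserver`, `add cr vserver ... HDX`, `add lb vserver`, `add service`, `add server`, `bind serviceGroup`, `bind lb vserver`) in the syntax assumed from the NetScaler CLI, resolves server names to their configured addresses, and reports each virtual server that matches an advisory precondition. Domain-based (DBS) servers are an edge case: an FQDN only resolves on the appliance, so those are reported for manual checking rather than guessed. The configuration fragment is constructed, not taken from a real appliance.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Load-balancing virtual server types named in the advisory for the IPv6 precondition.
AFFECTED_LB_TYPES = {"HTTP", "SSL", "HTTP_QUIC"}

# Constructed ns.conf fragment (not from any real appliance), written in the usual
# NetScaler CLI syntax and covering each entry point listed above.
SAMPLE_NSCONF = """\
add server srv_v6 2001:db8::20
add server srv_dbs backend.example.net
add service svc_web_v6 srv_v6 HTTP 8080 -gslb NONE -maxClient 0
add service svc_web_v4 10.0.1.20 HTTP 8080
add service svc_dbs srv_dbs SSL 443
add serviceGroup sg_api SSL
bind serviceGroup sg_api 2001:db8::30 443
add lb vserver lb_web HTTP 10.0.0.12 80
add lb vserver lb_api SSL 10.0.0.13 443
add lb vserver lb_legacy HTTP 10.0.0.14 80
add lb vserver lb_dbs SSL 10.0.0.16 443
bind lb vserver lb_web svc_web_v6
bind lb vserver lb_api sg_api
bind lb vserver lb_legacy svc_web_v4
bind lb vserver lb_dbs svc_dbs
add vpn vserver gw_vs SSL 10.0.0.10 443
add authentication vserver aaa_vs SSL 10.0.0.11 443
add cr vserver cr_hdx HDX 10.0.0.15 443
"""


def address_kind(target: str, servers: Dict[str, str]) -> str:
    """Classify a service target as 'ipv6', 'ipv4' or 'dbs' (domain-based server)."""
    target = servers.get(target, target)  # a server name maps to its configured address
    try:
        return "ipv6" if ipaddress.ip_address(target).version == 6 else "ipv4"
    except ValueError:
        return "dbs"  # an FQDN resolves at runtime, so IPv6 exposure cannot be decided statically


def find_exposures(nsconf: str) -> List[Tuple[str, str]]:
    """Return (precondition, vserver) pairs for every configuration the advisory names."""
    servers: Dict[str, str] = {}          # server name -> IP or FQDN
    service_target: Dict[str, str] = {}   # service name -> IP or server name
    sg_members: Dict[str, List[str]] = defaultdict(list)
    lb_type: Dict[str, str] = {}
    lb_bindings: Dict[str, List[str]] = defaultdict(list)
    findings: List[Tuple[str, str]] = []

    for line in nsconf.splitlines():
        t = line.split()
        if len(t) < 4:
            continue
        if t[:2] == ["add", "server"]:
            servers[t[2]] = t[3]
        elif t[:2] == ["add", "service"]:
            service_target[t[2]] = t[3]
        elif t[:2] == ["bind", "serviceGroup"]:
            sg_members[t[2]].append(t[3])
        elif t[:3] == ["add", "lb", "vserver"] and len(t) > 4:
            lb_type[t[3]] = t[4]
        elif t[:3] == ["bind", "lb", "vserver"] and len(t) > 4 and not t[4].startswith("-"):
            lb_bindings[t[3]].append(t[4])   # policy bindings start with -policyName; skip them
        elif t[:3] == ["add", "vpn", "vserver"]:
            findings.append(("gateway", t[3]))  # VPN, ICA Proxy, CVPN and RDP Proxy all use this
        elif t[:3] == ["add", "authentication", "vserver"]:
            findings.append(("aaa", t[3]))
        elif t[:3] == ["add", "cr", "vserver"] and len(t) > 4 and t[4] == "HDX":
            findings.append(("cr_hdx", t[3]))

    # IPv6 precondition: affected LB type and at least one IPv6 back end behind it.
    for vs, vtype in lb_type.items():
        if vtype not in AFFECTED_LB_TYPES:
            continue
        for member in lb_bindings[vs]:
            if member in service_target:
                kinds = {address_kind(service_target[member], servers)}
            elif member in sg_members:
                kinds = {address_kind(m, servers) for m in sg_members[member]}
            else:
                continue
            if "ipv6" in kinds:
                findings.append(("lb_ipv6", vs))
            elif "dbs" in kinds:
                findings.append(("lb_dbs_check", vs))  # resolve the FQDN on the appliance to decide
    return findings


if __name__ == "__main__":
    for precondition, vserver in find_exposures(SAMPLE_NSCONF):
        print(f"{precondition:14} {vserver}")
```

Feed it the saved ns.conf from each appliance; any finding on a build below the fixed build means the appliance is exposed. An `lb_dbs_check` result is not a clean bill of health: resolve the domain-based server from the appliance's own resolver and treat an AAAA answer as IPv6-bound.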
Remediation actions
- Upgrade to a fixed build: 14.1-47.48, 13.1-59.22, 13.1-FIPS/NDcPP 37.241 or 12.1-FIPS/NDcPP 55.330. Citrix published no workaround; end-of-life 12.1 (non-FIPS) and 13.0 appliances must be moved to a supported release.
- Inventory exposed configurations on every appliance: VPN, ICA Proxy, CVPN, RDP Proxy and AAA virtual servers; HTTP, SSL and HTTP_QUIC load-balancing virtual servers bound to IPv6 services or service groups; HDX cache-redirection virtual servers.
- Because the flaw was exploited before a fix existed, treat appliances that were reachable while unpatched as potentially compromised: review logs for anomalous traffic to the entry points above and look for unexpected changes on the appliance, rather than assuming the upgrade alone is sufficient.
- Keep management interfaces off the internet and separated from the exposed virtual servers.
Exploitation actions
The advisory publishes only the affected configurations; no trigger details or proof of concept appear on this page. The steps below are a generic illustration of how a CWE-119 overflow in a network-facing parser is typically exploited, not a description of the actual exploit.
Fingerprinting
- Request the appliance's Gateway or logon page over HTTPS and identify it from the page content, branding and any exposed build strings.
- Scan an address range with an automated script for the same markers.
Exploit development
- Build a proof-of-concept input longer than the target buffer, with the payload placed at the offset that overwrites control data (for example a saved return address).
Oversized request to an exposed virtual server
- Send a request containing an oversized field to an HTTP or SSL virtual server bound to IPv6 services.
- Submit a malformed AAA login request with an excessive attribute length.
Control-flow hijack
- Redirect execution from the overwritten control data into the payload, typically a return-oriented chain that ends in a bind or connect-back shell for arbitrary command execution.
Memory corruption leading to denial of service
- Repeated overflow attempts that corrupt memory without a controlled hijack crash the affected service or force the appliance to restart.
- Flooding an HDX cache-redirection virtual server with malformed traffic has the same effect.
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938
- [2025-08-27] Citrix releases patches for a zero-day RCE vulnerability in NetScaler ADC and Gateway appliances that has been exploited in the wild.
- [2025-08-27] CISA adds CVE-2025-7775 Citrix NetScaler Memory Overflow Vulnerability to its KEV Catalog due to active exploitation.
- [2025-08-26] Citrix releases patches for three NetScaler vulnerabilities, including one actively exploited.
- [2025-08-26] Three new vulnerabilities in Citrix NetScaler ADC/Gateway, including a zero-day exploit, have been disclosed and patched.