More than 28,200 Citrix instances are vulnerable to a critical remote code execution vulnerability tracked as CVE-2025-7775 that is already being exploited in the wild.
The vulnerability affects NetScaler ADC and NetScaler Gateway and the vendor addressed it in updates released yesterday.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Citrix, the security issue has been exploited as a zero-day vulnerability.
The versions affected by CVE-2025-7775 are 14.1 before 14.1-47.48, 13.1 before13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, and 12.1-FIPS/NDcPP up to 12.1-55.330-FIPS/NDcPP.
Citrix does not provide any mitigations or workarounds and urges admins to upgrade the firmware immediately.
Internet scans conducted by the threat monitoring platform The Shadowserver Foundation soon after the flaw was disclosed show that there were more than 28,000 Citrix instances vulnerable to CVE-2025-7775.
Most of the vulnerable instances are located in the United States (10,100), followed by Germany (4,300), the United Kingdom (1,400), the Netherlands (1,300), Switzerland (1,300), Australia (880), Canada (820), and France (600).
Citrix did not share indicators of compromise associated with the exploitation activity.
However, the vendor specifies that CVE-2025-7775 affects NetScaler when configured as a Gateway/AAA virtual server (VPN, ICA Proxy, CVPN, RDP Proxy), as LB virtual servers (HTTP/SSL/HTTP_QUIC) bound to IPv6 or DBS IPv6 services, or as a CR virtual server with type HDX.
In any case, admins are recommended to upgrade to one of the following releases, which address the issue:
- 14.1-47.48 and later
- 13.1-59.22 and later
- 13.1-FIPS / 13.1-NDcPP 13.1-37.241 and later
- 12.1-FIPS / 12.1-NDcPP 12.1-55.330 and later
Citrix also disclosed two other, high-severity flaws in its security bulletin: CVE-2025-7776 (memory overflow denial-of-service) and CVE-2025-8424 (improper access control on the management interface).
It is noted that versions 12.1 and 13.0 (non-FIPS/NDcPP) are also vulnerable; however, they have reached End of Life status, so customers still using these versions must upgrade to a supported release.
CISA has already added the critical CVE-2025-7775 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The agency is giving federal agencies until August 28 to apply the patches from the vendor or quit using the affected products, underlining the severity of the issue and the risk associated with exploitation.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
