Citrix Patches Trio Of NetScaler Bugs – After Attackers Beat Them To It
Citrix has pushed out fixes for three fresh NetScaler holes – and yes, they’ve already been used in the wild before the vendor got around to patching.
The flaws, tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, affect NetScaler ADC and NetScaler Gateway appliances.
Security researcher Kevin Beaumont confirmed that they’ve been used as zero-days, meaning attackers were inside before the vendor’s patch cycle caught up. He singled out CVE-2025-7775 as “the main problem” – a pre-auth remote code execution bug that’s being abused to drop webshells and backdoor appliances. Citrix itself describes it as a memory overflow bug that can be abused for remote code execution or denial of service, and it’s been slapped with a CVSS score of 9.2.
Beaumont added that affected organizations will likely need to carry out incident response, given the risk of persistent access after exploitation.
In a security bulletin on Tuesday, Citrix admitted that CVE-2025-7775 has already been exploited on unpatched appliances. The company hasn’t answered our questions about how widespread the attacks are, leaving the scale of the break-ins a mystery for now.
The bugs arrive on the back of a bruising summer for Citrix. The vendor has already dealt with CVE-2025-6543, a memory overflow flaw rated 9.2 on the CVSS scale, which turned into a live exploit before fixes were widely applied. And there’s CVE-2025-5777, dubbed CitrixBleed 2 by Beaumont, a memory overread echo of the infamous 2023 CitrixBleed mess.
Citrix’s bare-bones advisory offers little comfort: patch now or brace for impact, with no workarounds on offer. Those clinging to end-of-life builds like NetScaler 12.0 or 13.0 are out of luck entirely, as fixes won’t be coming. The company also confirmed that on-prem and hybrid deployments of Secure Private Access – the zero-trust tool meant to let staff reach internal apps without dumping them straight onto the internet – are caught in the blast radius.
Citrix tossed a nod to the bug hunters who dug up the flaws: Horizon3.ai’s Jimi Sebree, Schramm & Partner’s Jonathan Hetzer, and independent researcher François Hämmerli.
This latest patch dump is unlikely to calm nerves. NetScaler appliances remain prime targets thanks to their positioning in enterprise networks, which makes them irresistible to ransomware crews and state-sponsored operators alike. If CitrixBleed proved anything, it’s that criminals are quick to weaponize these flaws at scale. ®