Citrix NetScaler customers hit by third actively exploited zero-day vulnerability since June
Citrix and cybersecurity researchers warn a critical, zero-day vulnerability affecting multiple versions of Citrix NetScaler products is under active exploitation. Citrix issued a security bulletin about the vulnerability — CVE-2025-7775 — and urged customers on affected versions to install upgrades Tuesday.
The memory-overflow vulnerability, which has an initial CVSS rating of 9.2, can be exploited to achieve remote-code execution or denial of service. Citrix disclosed two additional defects Tuesday, including CVE-2025-7776, another memory-overlow vulnerability affecting Citrix NetScaler ADC and its virtual private network NetScaler Gateway, and CVE-2025-8424, which affects the management interface for the products.
Citrix products have been widely targeted in previous attack sprees. The vendor has disclosed three actively exploited zero-day vulnerabilities since mid-June, including CVE-2025-6543 and CVE-2025-5777, which threat hunters likened to “CitrixBleed,” or CVE-2023-4966, which affected the same products.
The Cybersecurity and Infrastructure Security Agency added CVE-2025-7775 to its known exploited vulnerabilities catalog Tuesday. The vendor has appeared on the agency’s list of vulnerabilities known to be exploited seven times this year, and a total of 21 times since late 2021.
Ben Harris, CEO at watchTowr said the new Citrix zero-day has already been actively exploited to deploy backdoors, facilitating total compromise. “Patching is critical, but patching alone won’t cut it,” he said in an email. “Unless organizations urgently review for signs of prior compromise and deployed backdoors, attackers will still be inside.”
While the memory-corruption vulnerability defect is severe, its impact differs from the zero-days Citrix disclosed earlier this summer, according to Harris. “Each of these vulnerabilities presents unique risks, but all share the potential for significant exploitation,” he added.
Citrix said the vulnerability also affects older versions of NetScaler ADC and NetScaler Gateway, including versions 12.1 and 13.0, that are end of life and no longer supported with security updates. The vendor advised customers to upgrade their appliances to a newer, supported version to address the vulnerabilities.
Scott Caveza, senior staff research engineer at Tenable, said these outdated versions of the affected products are still widely used, calling them “ticking time bombs” due to the heightened attacker interest in Citrix vulnerability exploitation. Nearly 1 in 5 NetScaler assets identified in Tenable’s telemetry data are on supported versions, he said.
Citrix and researchers haven’t detailed the extent to which the new zero-day has been actively exploited, but researchers are concerned “It’s very likely that ransomware gangs or other advanced persistent threat groups will soon capitalize on this flaw,” Caveza said.
Less than a month after Citrix disclosed CVE-2025-5777, researchers observed more than 11.5 million attack attempts targeting thousands of sites.
“The reality is, critical software will always attract attackers,” Harris said.
“Some vulnerabilities are a natural part of life in complex software and are thus forgivable,” he said. “When trivial flaws repeatedly allow total compromise with little defender recourse — this veers quickly into unforgivable territory.”
