Citrix CVE-2025-7775 Under Active Attack
The vulnerability (CVE-2025-7775) is a buffer overflow that can lead to remote code execution, and attackers were already targeting it before the public disclosure.

September 2, 2025 | 2 min read
The critical Citrix NetScaler ADC vulnerability disclosed on Aug. 26 is being exploited in the wild, and more than 28,000 unpatched servers are currently exposed to the internet.
The vulnerability (CVE-2025-7775) is a buffer overflow that can lead to remote code execution, and attackers were already targeting it before the public disclosure. Researchers at the Shadowserver Foundation on Aug. 27 found more than 28,000 vulnerable NetScaler ADC servers online, more than 10,000 of which are in the United States.
Citrix has released a fix for this bug, along with two other vulnerabilities that were disclosed at the same time. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, as well.
“As of August 26, 2025 Cloud Software Group has reason to believe that exploits of CVE-2025-7775 on unmitigated appliances have been observed, and strongly recommends customers to upgrade their NetScaler firmware to the versions containing the fix as there are no mitigations available to protect against a potential exploit,” said Cloud Software Group, which owns Citrix.
In order for the vulnerability to be exploitable, the NetScaler ADC appliance must be configured as a gateway or a AAA server, and there are some other pre-conditions for exploitability as well. But that hasn’t deterred attackers from targeting the flaw so far.
“While the Citrix advisory only explicitly mentions active exploitation of CVE-2025-7775, management interfaces for firewalls and security gateways have been targeted en masse in recent threat campaigns. It's likely that exploit chains targeting these vulnerabilities in the future may try to combine an initial access flaw like CVE-2025-7775 with a flaw like CVE-2025-8424 with management interface compromise as a goal. Vulnerability response prioritization should include CVE-2025-8424 rather than being limited to the higher-severity (but harder-to-exploit) memory corruption CVEs alone,” Caitlin Condon of VulnCheck said.
Organizations should prioritize installing the update for CVE-2025-7775 as quickly as possible.
Dennis Fisher is an award-winning journalist and author. He is one of the co-founders of Decipher and Threatpost and has been writing about cybersecurity since 2000. Dennis enjoys finding the stories behind the headlines and digging into the motivations and thinking of both defenders and attackers. He is the author of 2.5 novels and once met Shaq. Contact: dennis at decipher.sc.