Over 28,000 Citrix Devices Exposed to Newly Exploited Remote Code Execution Vulnerability
More than 28,200 Citrix instances are currently vulnerable to a critical remote code execution vulnerability identified as CVE-2025-7775, which is already being exploited in the wild. This vulnerability impacts NetScaler ADC and NetScaler Gateway, with Citrix releasing updates to address the issue. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has classified this security flaw as a zero-day vulnerability. Affected versions include 14.1 prior to 14.1-47.48, 13.1 prior to 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, and 12.1-FIPS/NDcPP up to 12.1-55.330-FIPS/NDcPP. Citrix has not provided any mitigations or workarounds and strongly advises administrators to upgrade their firmware immediately.
Internet scans conducted by The Shadowserver Foundation revealed that the majority of vulnerable instances are located in the United States (10,100), followed by Germany (4,300), the United Kingdom (1,400), and several other countries. Citrix has not disclosed indicators of compromise related to the exploitation activity. The vulnerability affects NetScaler when it is configured as a Gateway/AAA virtual server, as LB virtual servers bound to IPv6, or as a CR virtual server with type HDX. Administrators are urged to upgrade to the following releases: 14.1-47.48 and later, 13.1-59.22 and later, 13.1-FIPS/NDcPP 13.1-37.241 and later, and 12.1-FIPS/NDcPP 12.1-55.330 and later. Additionally, Citrix has identified two other high-severity flaws: CVE-2025-7776 and CVE-2025-8424. CISA has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the necessary patches by August 28 or discontinue use of the affected products.
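As an added example (not from Citrix or the original article), the fixed releases listed above can be turned into a build triage check for an appliance inventory. The hostnames and sample inventory are constructed; the script assumes FIPS/NDcPP builds are labelled as such in the version string, and it checks build numbers only, not the virtual server configuration.

```python
import re

# First fixed build per branch, taken from the upgrade list in the article.
# Key: (release, is_fips); value: (build_major, build_minor).
FIXED = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

VERSION_RE = re.compile(r"(\d+\.\d+)-(\d+)\.(\d+)")


def triage(version):
    """Return 'patched', 'affected' or 'unknown' for one version string."""
    m = VERSION_RE.search(version)
    if not m:
        return "unknown"
    # Assumption: FIPS/NDcPP builds carry that label in the version string.
    is_fips = bool(re.search(r"fips|ndcpp", version, re.IGNORECASE))
    fixed = FIXED.get((m.group(1), is_fips))
    if fixed is None:
        # Branch not listed in the article: flag for manual review.
        return "unknown"
    build = (int(m.group(2)), int(m.group(3)))
    # Numeric tuple comparison: 47.9 < 47.48, which a string compare gets wrong.
    return "patched" if build >= fixed else "affected"


def triage_inventory(inventory):
    """Return (host, version, status) rows, hosts needing action first."""
    order = {"affected": 0, "unknown": 1, "patched": 2}
    rows = [(host, ver, triage(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and builds are illustrative only).
SAMPLE = [
    ("adc-edge-01", "14.1-47.48"),
    ("adc-edge-02", "14.1-43.56"),
    ("adc-dmz-01", "13.1-58.32"),
    ("adc-fips-01", "13.1-37.241-FIPS/NDcPP"),
    ("adc-fips-02", "12.1-55.321-FIPS/NDcPP"),
    ("adc-old-01", "13.0-92.31"),
]

if __name__ == "__main__":
    for host, ver, status in triage_inventory(SAMPLE):
        print(f"{status:10} {host:12} {ver}")
```

Builds on branches the article does not list come back as `unknown` rather than `patched`, so they are surfaced for manual review.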