External risk intelligence

Citrix NetScaler Remote Code Execution Vulnerability.

CVE advisory · Known Exploit

CVE-2025-7775

A memory overflow vulnerability affects NetScaler ADC and NetScaler Gateway, potentially allowing remote code execution and denial of service. This poses a business risk by enabling unauthorized access and service disruption on exposed systems.

Halo Surface Signal: 5

Memory Corruption

Citrix NetScaler Application Delivery Controller

Affected versions:

  • 12.1 to before 12.1-55.330
  • 13.1 to before 13.1-37.241
  • 13.1 to before 13.1-59.22
  • 14.1 to before 14.1-47.48

External exposure likelihood

Halo Surface Signal score for CVE-2025-7775

The vulnerability affects NetScaler Gateway and ADC appliances when configured for VPN, ICA Proxy, or other virtual server roles. These components are designed as edge services and internet-facing gateways, making them publicly exposed by design in normal deployments to facilitate remote access and traffic management.

Horizon Alert

Summary of the vulnerability and why it matters

The NetScaler ADC and NetScaler Gateway products are affected by a memory overflow vulnerability. This flaw can enable attackers to execute code remotely or cause denial-of-service conditions on the affected systems. The impact can disrupt operations and compromise system integrity.

  • NetScaler ADC and Gateway
  • Memory overflow allows code execution
  • Remote code execution or denial of service

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to execute arbitrary code or cause a denial of service on affected NetScaler appliances. The attack is possible when NetScaler is configured as a Gateway or when specific load balancing virtual server configurations involving IPv6 services or DBS IPv6 servers are in place. This could lead to unauthorized access, disruption of services, and compromise of sensitive data.

  • External network exposure is required.
  • Attacker gains access remotely.
  • Triggering action leads to control.

Live Threat

Current exploitation, exposure, and threat context

A memory overflow vulnerability exists in NetScaler ADC and NetScaler Gateway. This vulnerability could allow for remote code execution or denial of service. The impact depends on specific configurations, including the use of Gateway or AAA virtual servers, or specific load balancing virtual server configurations with IPv6 services. This situation presents a significant risk to affected organizations, potentially leading to system compromise or disruption.

  • Attackers with moderate skill.
  • Publicly exposed NetScaler appliances.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in NetScaler ADC and NetScaler Gateway could allow unauthorized code execution or disrupt service. Organizations should prioritize identifying and securing affected systems. The vendor has provided updates, and verifying their successful application is crucial to mitigate risk.

  • Find affected NetScaler assets.
  • Reduce exposure or isolate risk.
  • Fix, verify, and monitor.

Frequently asked questions

What is NetScaler ADC and NetScaler Gateway, and what are their functions?

NetScaler ADC (Application Delivery Controller) and NetScaler Gateway are Citrix products designed to manage, secure, and optimize application traffic. They function as gateways, ensuring application availability, performance, and protection against threats, commonly used for remote access and load balancing.

What type of weakness does CVE-2025-7775 represent?

CVE-2025-7775 is classified as a memory overflow vulnerability. This occurs when a program attempts to store data in memory but has not allocated sufficient space, allowing data to exceed its boundaries and potentially corrupt adjacent memory, leading to unintended operations or system instability.

How can CVE-2025-7775 be exploited, and what is the scope of the impact?

Exploitation is possible remotely over the network when NetScaler is configured as a Gateway (e.g., VPN, ICA Proxy) or AAA virtual server. It also affects specific load balancing virtual server configurations using IPv6 services or DBS IPv6 servers. The scope includes Remote Code Execution and/or Denial of Service, with potential for data compromise and service disruption.

What is the relevance of CVE-2025-7775, and why is it considered externally exposed?

This vulnerability is highly relevant as it affects critical NetScaler Gateway and ADC functions used for remote access and traffic management. Halo classifies it as externally exposed because these components are inherently internet-facing in typical deployments, increasing the likelihood of an attack.

What practical steps should be taken to address CVE-2025-7775?

Organizations must identify all affected NetScaler assets, reduce their exposure or isolate any identified risks, and apply vendor-provided updates. Verification of successful patching is essential for mitigation, followed by ongoing monitoring to ensure continued security.
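The "find affected assets" and "verify patching" steps above (and in the Operational Fix section) both come down to comparing each appliance's running build against the affected ranges listed on this page. The following script is an added example, not Halo's or Citrix's code: it parses the version strings an inventory export might contain, checks them against the four ranges from the advisory, and flags anything it cannot classify for manual review. The inventory lines are constructed sample data; the `NSxx.x: Build a.b.nc` format is assumed to match what NetScaler's own version output looks like, and since the page lists two 13.1 ranges without saying which deployments each applies to, a 13.1 build is treated as affected if it falls below either fixed build (the conservative choice).

```python
import re
from typing import NamedTuple, Optional

# Affected ranges exactly as listed on this page: (release train, first fixed build).
# A build in the same train that sorts below the first fixed build is affected.
AFFECTED_RANGES = [
    ("12.1", (55, 330)),
    ("13.1", (37, 241)),
    ("13.1", (59, 22)),
    ("14.1", (47, 48)),
]

# Constructed sample inventory (hostname,version text). Not real hosts.
INVENTORY = """\
gw-edge-01,NetScaler NS13.1: Build 59.19.nc, Date: Jan 1 2025
gw-edge-02,NetScaler NS13.1: Build 59.22.nc
adc-dc-01,14.1-47.46
adc-dc-02,NS14.1: Build 47.48.nc
adc-lab-01,NS12.1: Build 55.321.nc
adc-old-01,NS13.0: Build 92.21.nc
adc-bad-01,version unavailable
"""


class NsVersion(NamedTuple):
    train: str    # release train, e.g. "13.1"
    build: tuple  # (major, minor) build numbers, e.g. (59, 19)


# Accepts both "13.1-59.19" and the assumed "NS13.1: Build 59.19.nc" forms.
_VERSION_RE = re.compile(
    r"(?:NS)?(?P<train>\d+\.\d+)[-: ]+(?:Build\s+)?(?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_version(text: str) -> Optional[NsVersion]:
    """Extract (train, (major, minor)) from a version string; None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return NsVersion(m.group("train"), (int(m.group("major")), int(m.group("minor"))))


def is_affected(version: NsVersion) -> bool:
    """True if the build is below the fixed build of ANY listed range for its train."""
    return any(version.train == train and version.build < fixed
               for train, fixed in AFFECTED_RANGES)


def classify(version_text: str) -> str:
    """Map one version string to affected / fixed / unlisted-train / unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # could not parse: review by hand
    if not any(train == v.train for train, _ in AFFECTED_RANGES):
        return "unlisted-train"   # train not covered by this advisory: review by hand
    return "affected" if is_affected(v) else "fixed"


def triage(inventory_csv: str) -> dict:
    """Classify every 'host,version' line; returns {host: status}."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, _, version_text = line.partition(",")
        results[host.strip()] = classify(version_text.strip())
    return results


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

Anything reported as `unknown` or `unlisted-train` should be treated as unverified rather than safe; after patching, re-run the same check so that the `fixed` result is what confirms the update actually landed.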
