Authorities warn Citrix zero-days will likely be abused

Citrix warns of serious vulnerabilities in its NetScaler ADC and NetScaler Gateway. The company disclosed three critical flaws, one of which, a zero-day, is already being actively exploited.

The most alarming vulnerability, CVE-2025-7775, is a memory overflow that allows attackers to take over systems or even shut them down completely via a denial-of-service attack. This flaw can only be exploited on NetScaler devices that are set up for VPN or remote access, or that process certain IPv6 web traffic or content routing. Citrix has rated its severity at 9.2 on the CVSS scale. Although exploitation is technically complex, the company warns that a successful attack could have a far-reaching impact on the confidentiality, integrity, and availability of systems. Cases of exploitation on unpatched devices have already been detected. Citrix strongly advises customers to install the available updates immediately.

In addition to this zero-day, Citrix has addressed two other vulnerabilities. The first concerns a memory handling error that can lead to unpredictable behavior or a denial-of-service condition. The second concerns inadequate access control that could allow attackers to gain access to sensitive data and functions within the system. Both flaws score high on the CVSS scale (8.8 and 8.7).

NCSC issues warning

The Dutch National Cyber Security Center (NCSC) warns that this is not merely hypothetical. The vulnerable configuration is found in many Citrix environments, making large-scale abuse highly likely.

Researchers see parallels with previous incidents such as the CitrixBleed vulnerability from 2023 and its successor CitrixBleed2, which affected similar components and were exploited on a massive scale by ransomware groups, among others. Although the new flaws affect the same areas, the researchers emphasize that these are independent vulnerabilities.

The situation is particularly worrying because many NetScaler installations run on outdated, unsupported software. Analyses show that almost 20% of these systems in the Netherlands and internationally are end-of-life versions—ticking time bombs that, given the recent history of exploitation, are extremely dangerous.

NetScaler devices are attractive targets because they operate at the network edge and are responsible for authentication and access to critical business resources. Many large organizations rely on them, increasing the potential for large-scale attacks. The fact that the US CISA has now included ten Citrix vulnerabilities in its Known Exploited Vulnerabilities catalog, six of which were added in the past two years, underscores the ongoing risk.