The critical vulnerability in Citrix NetScaler affects more than 21,500 systems worldwide. CVE-2025-7775 is already being actively exploited by attackers, with 9,052 vulnerable instances located in Europe.
The US cybersecurity agency CISA has added the NetScaler vulnerability to its Known Exploited Vulnerabilities catalog, underscoring the seriousness of the situation. Due to the urgency, US federal agencies have until today (August 28) to install the patches or take the affected products out of service. The Dutch National Cyber Security Center has also issued a warning about the latest NetScaler vulnerability.
The fact that CVE-2025-7775 is already being actively exploited by attackers necessitates immediate action. However, Citrix has not shared any indicators of compromise, which makes it difficult to detect any compromises.
Large-scale exposure
Internet scans by security platform The Shadowserver Foundation show that 21,534 Citrix instances worldwide are currently vulnerable to the critical CVE-2025-7775 vulnerability. Most vulnerable instances are located in the United States (7,626), followed by Germany (3,196) and the United Kingdom (1,186). The Netherlands has 475 vulnerable systems, and Switzerland has 822.
Of these systems, 9,052 are located in Europe. The vulnerability is a remote code execution flaw in NetScaler ADC and NetScaler Gateway. These systems are widely used for access management and VPN connectivity in corporate environments.
Affected versions and configurations
CVE-2025-7775 affects various NetScaler versions: 14.1 before 14.1-47.48, 13.1 before 13.1-59.22, 13.1-FIPS/NDcPP before 13.1-37.241-FIPS/NDcPP, and 12.1-FIPS/NDcPP before 12.1-55.330-FIPS/NDcPP.
The vulnerability is present when NetScaler is configured as a Gateway/AAA virtual server for VPN, ICA Proxy, CVPN, or RDP Proxy. Systems running as load balancer virtual servers bound to IPv6 or DBS IPv6 services may also be affected.
Required actions
Citrix has now released patches to fix the problem and does not offer any workarounds or mitigations. The company urges administrators to upgrade to the patched versions immediately: 14.1-47.48, 13.1-59.22, 13.1-37.241 for FIPS/NDcPP variants, or 12.1-55.330 for 12.1-FIPS/NDcPP.
In addition to the critical remote code execution vulnerability, Citrix has addressed two other high-severity flaws: CVE-2025-7776 (memory overflow denial-of-service) and CVE-2025-8424 (inadequate access control on the management interface).
Versions 12.1 and 13.0 (non-FIPS/NDcPP) are also vulnerable but have reached end-of-life status. Users of these versions are advised to switch to supported releases.
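As an added example (not Citrix's tooling and not part of the original article), the following Python code triages an inventory of NetScaler build strings against the fixed builds listed above. It assumes version strings in the article's own notation, with an optional `-FIPS/NDcPP` suffix; the hostnames and inventory values are constructed.

```python
import re

# Fixed builds as listed in the article, keyed by (release, is_fips).
FIXED_BUILDS = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}
# Non-FIPS releases the article lists as vulnerable and end-of-life.
END_OF_LIFE = {("12.1", False), ("13.0", False)}

# Assumed input format (article's notation): "13.1-59.22" or "13.1-37.241-FIPS/NDcPP".
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(-FIPS(?:/NDcPP)?)?$", re.I)

def triage(version):
    """Classify one build string: patched, needs-upgrade, eol, unknown-branch, unparsed."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparsed"
    release = match.group(1)
    # Compare build parts as integers: as text, "59.9" would sort after "59.22".
    build = (int(match.group(2)), int(match.group(3)))
    key = (release, bool(match.group(4)))
    if key in END_OF_LIFE:
        return "eol"  # no fix on this branch; move to a supported release
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown-branch"  # not covered by the article; check the vendor bulletin
    return "patched" if build >= fixed else "needs-upgrade"

def summarize(inventory):
    """Group hostnames by triage result."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(triage(version), []).append(host)
    return report

# Constructed inventory; hostnames and builds are illustrative only.
SAMPLE_INVENTORY = {
    "gw-ams-01.example.internal": "14.1-47.48",
    "gw-fra-02.example.internal": "13.1-59.9",
    "gw-lon-03.example.internal": "13.1-37.241-FIPS/NDcPP",
    "gw-nyc-04.example.internal": "13.0-92.31",
}

if __name__ == "__main__":
    for status, hosts in summarize(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

A "patched" result only confirms the installed build; because Citrix has shared no indicators of compromise, it says nothing about whether a device was compromised before the upgrade.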
The widespread use of NetScaler systems in enterprise environments makes this vulnerability particularly dangerous. These devices are often located at the edge of corporate networks and manage critical functions such as authentication and access control to sensitive corporate assets.