Citrix patches trio of NetScaler bugs – after attackers beat them to it
(2025/08/26)
- Reference: 1756222806
- News link: https://www.theregister.co.uk/2025/08/26/citrix_patches_trio_of_netscaler/
Citrix has pushed out fixes for three fresh NetScaler holes – and yes, they've already been used in the wild before the vendor got around to patching.
The flaws, tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, affect NetScaler ADC and NetScaler Gateway appliances.
Security researcher Kevin Beaumont [1]confirmed that they've been used as zero-days, meaning attackers were inside before the vendor's patch cycle caught up. He singled out CVE-2025-7775 as "the main problem" – a pre-auth remote code execution bug that's being abused to drop webshells and backdoor appliances. Citrix itself describes it as a memory overflow bug that can be abused for remote code execution or denial of service, and it's been slapped with a CVSS score of 9.2.
Beaumont added that affected organizations will likely need to carry out incident response, given the risk of persistent access after exploitation.
In a [5]security bulletin on Tuesday, Citrix admitted that CVE-2025-7775 has already been exploited on unpatched appliances. The company hasn't answered our questions about how widespread the attacks are, leaving the scale of the break-ins a mystery for now.
The bugs arrive on the back of a bruising summer for Citrix. The vendor has already dealt with CVE-2025-6543, a memory overflow flaw rated 9.2 on the CVSS scale, which turned into a live exploit before fixes were widely applied. And there's CVE-2025-5777, dubbed [6]CitrixBleed 2 by Beaumont, a memory overread echo of the infamous 2023 CitrixBleed mess.
Citrix's bare-bones advisory offers little comfort: patch now or brace for impact, with no workarounds on offer. Those clinging to end-of-life builds like NetScaler 12.0 or 13.0 are out of luck entirely, as fixes won't be coming. The company also confirmed that on-prem and hybrid deployments of Secure Private Access – the zero-trust tool meant to let staff reach internal apps without dumping them straight onto the internet – are caught in the blast radius.
Citrix tossed a nod to the bug hunters who dug up the flaws: Horizon3.ai's Jimi Sebree, Schramm & Partner's Jonathan Hetzer, and independent researcher François Hämmerli.
This latest patch dump is unlikely to calm nerves. NetScaler appliances remain prime targets thanks to their positioning in enterprise networks, which makes them irresistible to ransomware crews and state-sponsored operators alike. If CitrixBleed proved anything, it's that criminals are quick to weaponize these flaws at scale. ®
[1] https://mastodon.social/@GossiTheDog@cyberplace.social/115095063921897298
[5] https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX694938&articleTitle=NetScaler_ADC_and_NetScaler_Gateway_Security_Bulletin_for_CVE_2025_7775_CVE_2025_7776_and_CVE_2025_8424
[6] https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
[7] https://www.theregister.com/2025/08/14/edr_killers_ransomware/
[8] https://www.theregister.com/2025/08/12/major_outage_at_pennsylvania_attorney/
[9] https://www.theregister.com/2025/07/10/cisa_citrixbleed_kev/
[10] https://www.theregister.com/2025/05/08/vmware_migrations_why_nutanix/