Vulnerability

Critical vulnerabilities in Citrix NetScaler ADC and Gateway - Active exploitation observed

On August 26, 2025, Citrix released security updates for critical vulnerabilities in NetScaler ADC and NetScaler Gateway. According to Citrix, the vulnerability CVE-2025-7775 is currently being actively exploited on unpatched systems.


T-Update

Information about vulnerabilities

This live blog contains information about the critical vulnerabilities in Citrix NetScaler ADC and Gateway (CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424). Citrix has released security updates to address these vulnerabilities. Attackers can abuse the vulnerabilities for Denial-of-Service and possibly to execute arbitrary code on vulnerable systems. Last updated on August 27, 2025.


Background

On August 26, 2025, Citrix released security updates for critical vulnerabilities in NetScaler ADC and NetScaler Gateway. According to the NCSC, the vulnerabilities (CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424) involve memory overflow and an improper access control configuration. These flaws allow an attacker, without authentication, to perform Denial of Service attacks and execute arbitrary code on affected systems.

Risk

Citrix reports that active exploitation of CVE-2025-7775 has been observed on unpatched systems. It is therefore important to patch systems as quickly as possible and check for compromise.

The vulnerabilities have a critical impact and are expected to receive CVSS scores in the high category (9.0+). The vulnerabilities apply to the following versions:

  • NetScaler ADC and Gateway 14.1 (before build 14.1-17.50)
  • NetScaler ADC and Gateway 13.1 (before build 13.1-51.15)
  • NetScaler ADC and Gateway 13.0 (before build 13.0-92.20)

Successful exploitation can lead to:

  • Complete takeover of the device;
  • Execution of arbitrary code;
  • Access to internal networks and data.

Advice

Citrix strongly advises customers to install the following versions, which address the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases of 13.1
  • NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.241 and later releases of 13.1-FIPS and 13.1-NDcPP
  • NetScaler ADC 12.1-FIPS and 12.1-NDcPP 12.1-55.330 and later releases of 12.1-FIPS and 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End Of Life (EOL) and are no longer supported. Citrix recommends that customers upgrade their appliances to one of the supported versions that address these vulnerabilities.
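
The fixed builds listed above, turned into a triage check for an appliance inventory. This is an added example, not code from Citrix, the NCSC or Tesorion; the edition labels `standard` and `fips-ndcpp`, the function names and the inventory entries are constructed for illustration.

```python
import re

# Minimum fixed build per (release, edition), taken from the advisory list above.
# The edition labels are assumptions made for this example.
FIXED = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "fips-ndcpp"): (37, 241),   # 13.1-FIPS and 13.1-NDcPP
    ("12.1", "fips-ndcpp"): (55, 330),   # 12.1-FIPS and 12.1-NDcPP
}
# Releases the advisory marks End Of Life: no fixed build is listed for them.
EOL = {"12.1", "13.0"}

# Matches the 'release-build' notation used in the advisory, e.g. 13.1-59.22.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def triage(version, edition="standard"):
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for one appliance."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    release, build = m.group(1), (int(m.group(2)), int(m.group(3)))
    minimum = FIXED.get((release, edition))
    if minimum is None:
        return "eol" if release in EOL else "unknown"
    # Tuples compare numerically per field, so build 59.9 sorts below 59.22.
    return "patched" if build >= minimum else "vulnerable"

# Constructed inventory: hostnames and builds are made up for illustration.
INVENTORY = [
    ("adc-edge-01", "14.1-47.48", "standard"),
    ("adc-edge-02", "13.1-59.9", "standard"),
    ("adc-fips-01", "13.1-37.241", "fips-ndcpp"),
    ("gw-legacy-01", "13.0-92.21", "standard"),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, ed) for host, ver, ed in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

The edition has to be recorded per appliance: the same build string 13.1-37.241 is patched on a FIPS/NDcPP appliance but below the fixed build on a standard 13.1 appliance.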

Additional measures:

  1. Check systems for signs of compromise using the Webshell Detection Script for Citrix NetScaler appliances created by the NCSC.
  2. Restrict access to the management interface of NetScaler ADC and Gateway to trusted IP addresses.
  3. Actively monitor for suspicious login attempts, unexpected network connections, and configuration changes.