A critical zero-day vulnerability (CVE-2025-7775) in Citrix NetScaler Application Delivery Controller (ADC) and Gateway has been actively exploited in the wild, prompting an urgent call for patches from cybersecurity agencies and vendors. The vulnerability, a memory overflow flaw, can allow an unauthenticated attacker to achieve remote code execution (RCE), giving them full control over affected systems.
The flaw, which has a CVSS score of 9.2, was disclosed by NetScaler on Tuesday along with two other high-severity vulnerabilities (CVE-2025-7776 and CVE-2025-8424). However, unlike the other two, CVE-2025-7775 was already being leveraged by malicious actors. The Cybersecurity & Infrastructure Security Agency (CISA) has added it to its list of Known Exploited Vulnerabilities (KEV), directing federal civilian agencies to patch their systems by August 28, 2025.
According to security researchers, the exploitation of this vulnerability has been used to drop “webshells,” which act as backdoors for attackers to maintain persistent access to a compromised network. These types of memory corruption vulnerabilities are often complex to exploit and are typically used by highly skilled adversaries, including state-sponsored groups, in targeted attacks.
The affected versions of NetScaler ADC and Gateway include versions 14.1 before 14.1-47.48 and 13.1 before 13.1-59.22, among others. The vulnerability is present only on devices configured as a Gateway or an AAA virtual server. While this might seem like a limiting factor, similar configuration requirements in past Citrix vulnerabilities, such as the “CitrixBleed” flaws, did not prevent widespread exploitation.
This new vulnerability highlights a recurring pattern of zero-day exploits targeting NetScaler devices. It underscores the importance of a swift and proactive patching strategy. Experts are also warning that even after patching, organizations should conduct a thorough incident response to ensure that no backdoors were left behind by attackers who exploited the flaw before a fix was available.
