NAVANEM
CVE-2025-7775 (exploited in the wild)

Citrix NetScaler ADC and Gateway, unauthenticated memory-overflow remote code execution

A memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway allows a remote, unauthenticated attacker to execute arbitrary code or trigger a denial-of-service condition when the appliance is configured as a Gateway (VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server, or in certain IPv6 load-balancing and HDX content-routing configurations. The flaw requires no authentication and no user interaction. Citrix confirmed exploitation against unmitigated appliances at the time of disclosure.

Overview

CVE-2025-7775 is a critical memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway that enables remote code execution and denial of service without authentication. Citrix disclosed it on 26 August 2025 in security bulletin CTX694938 and confirmed that exploits had already been observed against unmitigated appliances, making this a zero-day at the time of patch release. The flaw is reachable when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or an AAA virtual server, and in specific IPv6 load-balancing and HDX content-routing setups. NVD assigns a primary CVSS 3.1 base score of 9.8 (Citrix's own CVSS 4.0 score is 9.2). It was added to the CISA Known Exploited Vulnerabilities catalog the same day.

Technical Details

The vulnerability is a memory overflow (CWE-119, improper restriction of operations within the bounds of a memory buffer) in the request-handling path of the NetScaler packet engine. An attacker sends crafted traffic to an exposed virtual server; because input length is not properly bounded before the data is copied into a fixed buffer, the write corrupts adjacent memory. Depending on configuration and timing, this yields either arbitrary code execution in the context of the appliance or a service crash. No credentials, session, or user interaction are required, and the management interface does not need to be exposed for the Gateway/AAA attack surface to be reachable from the internet.

Impact

  • Unauthenticated remote code execution on the NetScaler appliance
  • Denial of service through repeated crashes of the packet engine
  • Full compromise of a perimeter device that fronts internal applications and VPN access
  • Potential theft of session material and pivoting into the protected network

Mitigation

  1. Upgrade NetScaler ADC and Gateway 14.1 to 14.1-47.48 or later.
  2. Upgrade NetScaler ADC and Gateway 13.1 to 13.1-59.22 or later.
  3. Upgrade NetScaler ADC 13.1-FIPS and 13.1-NDcPP to 13.1-37.241 or later.
  4. Migrate appliances on 12.1 and 13.0, which are End of Life and receive no fix.
  5. There is no workaround; patching is the only remediation. After upgrading, terminate all active ICA and PCoIP sessions to evict any attacker sessions established before patching.
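Because patching is the only remediation, the first defensive step is an accurate inventory of which appliances still run a vulnerable build. The following Python check is an added example, not part of the Citrix bulletin or this advisory: it compares a reported NetScaler version against the fixed builds listed above and flags End of Life branches. The `variant` argument (the operator knows whether a 13.1 appliance is the FIPS or NDcPP build) and the two accepted input shapes (the page's `14.1-47.48` form and the `NS14.1: Build 47.48.nc` shape of `show ns version` output) are assumptions.

```python
import re

# Minimum fixed builds per release, taken from the Mitigation list above.
# FIPS and NDcPP are separate 13.1 build lines with their own fixed build.
FIXED_BUILDS = {
    "14.1": (47, 48),
    "13.1": (59, 22),
    "13.1-FIPS": (37, 241),
    "13.1-NDcPP": (37, 241),
}

# Branches that are End of Life and receive no fix for CVE-2025-7775.
EOL_RELEASES = {"12.1", "13.0"}

# Accepts "14.1-47.48" and (assumed) "NS14.1: Build 47.48.nc" style strings.
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)[-: ]*(?:Build )?(\d+)\.(\d+)")


def parse_version(text):
    """Return (release, (build_major, build_minor)) or raise ValueError."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def assess(version_text, variant="standard"):
    """Classify an appliance as patched, vulnerable, eol_no_fix or unknown_branch."""
    release, build = parse_version(version_text)
    if release in EOL_RELEASES:
        return "eol_no_fix"          # migrate; no fixed build exists
    key = release if variant == "standard" else f"{release}-{variant}"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown_branch"      # not covered by the bulletin as listed here
    # Build numbers compare as (major, minor) tuples, so 14.1-48.x > 14.1-47.48.
    return "patched" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory, not real appliance data.
    inventory = [
        ("gw-01", "14.1-47.48", "standard"),
        ("gw-02", "NS13.1: Build 59.19.nc", "standard"),
        ("gw-fips", "13.1-37.235", "FIPS"),
        ("gw-old", "13.0-92.21", "standard"),
    ]
    for name, version, variant in inventory:
        print(f"{name:8} {version:26} {assess(version, variant)}")
```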

Detection

  • CISA added CVE-2025-7775 to the KEV catalog on 26 August 2025 with a remediation due date of 28 August 2025.
  • Review NetScaler appliances for unexpected crashes or restarts of the packet engine and for shell or configuration changes inconsistent with administrative activity.
  • Inspect ns.log and authentication logs for anomalous Gateway/AAA virtual-server requests and unexpected outbound connections from the appliance.
  • Because the flaw allows session compromise, hunt for reused session tokens and lateral movement following the disclosure window.
