CISA has added a critical Citrix NetScaler vulnerability — CVE-2025-7775 — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, prompting an urgent patch-and-verify cycle for NetScaler ADC and NetScaler Gateway operators worldwide.

Background

CVE-2025-7775 is a memory overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway appliances that can lead to pre-auth remote code execution (RCE) or denial-of-service (DoS) in affected configurations. The vulnerability was confirmed to be exploited in the wild, which is the threshold CISA requires for inclusion in the KEV Catalog. Under Binding Operational Directive (BOD) 22-01, that listing places this CVE into an accelerated remediation priority for federal civilian agencies and sends a strong signal to all organizations to prioritize mitigation.
CISA’s KEV program exists to surface vulnerabilities that have demonstrable exploitation activity and clear remediation actions. The directive that created KEV requires agencies to remediate cataloged vulnerabilities on a compressed timeline, and it explicitly recommends that the private sector use the KEV list as an operational input to vulnerability management. For administrators and security teams, KEV additions should trigger immediate triage workflows.

What CVE-2025-7775 Is (Technical Overview)

Root cause and impact

  • The vulnerability is caused by a memory buffer overflow condition, categorized under common weakness classes for improper bounds checking.
  • Successful exploitation can result in:
      • Remote code execution (attacker executes arbitrary code on the appliance)
      • Denial of service (appliance crash/unavailability)
      • Secondary compromises such as webshell deployment, backdoor installation, or session token theft in cases where exploitation is paired with follow-on actions.

Attack prerequisites and scope

CVE-2025-7775 is not a universal “run-anywhere” bug; the risk profile depends heavily on how NetScaler is configured. The vulnerability has been shown to be exploitable when the appliance is used in certain roles, including:
  • Configured as a Gateway: VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy.
  • Configured as an AAA (Authentication, Authorization, and Auditing) virtual server.
  • Some load-balancing virtual server configurations involving IPv6 services, servicegroups, or DBS servers.
  • CR virtual servers with HDX type and other specific service bindings.
This configuration dependency means that an inventory and mapping exercise is a necessary first step: not every NetScaler instance will be reachable via the vulnerable code path, but any appliance exposed to the relevant traffic profiles should be treated as high risk.

Severity

  • The vulnerability is tracked as CVE-2025-7775 and has been assigned a high severity rating under modern CVSS metrics (CVSSv4 base score reported at 9.2 in published assessments), reflecting network accessibility, high confidentiality/integrity/availability impacts, and limited required privileges or user interaction. That score aligns with the real-world consequence of remote code execution on an internet-facing gateway appliance.

Affected Versions and Vendor Fixes

Citrix released security updates that address CVE-2025-7775 alongside two other NetScaler vulnerabilities. The fixed builds published by the vendor (and reflected in vendor and third-party advisories) are:
  • NetScaler ADC and NetScaler Gateway 14.1-47.48 and later releases
  • NetScaler ADC and NetScaler Gateway 13.1-59.22 and later releases
  • NetScaler ADC 13.1-FIPS / 13.1-NDcPP 13.1-37.241 and later releases
  • NetScaler ADC 12.1-FIPS 12.1-55.330 and later releases
There are no vendor-provided workarounds documented for this memory overflow; the provided remediation path is to upgrade to a fixed build. For unsupported EOL branches (older 12.x/13.0 versions), Citrix’s guidance is to upgrade to a supported branch that contains the fixes, because EOL releases no longer receive security updates.
Administrators should apply vendor-supplied fixed builds to all user-managed NetScaler instances as a first-order response.
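The fixed-build list above is easy to misread when an inventory mixes standard, FIPS and NDcPP branches, because the fixed build number differs per branch and older branches have no fix at all. The following Python script is an added example (not vendor code and not from the original post) that parses NetScaler version strings of the form `major.minor-build.sub`, compares each appliance against the fixed build for its branch and variant as quoted in this article, and ranks unpatched Gateway/AAA/IPv6-LB appliances first. The inventory rows and their version numbers are constructed sample data; the `variant` and `roles` fields are assumptions about how an operator labels their inventory.

```python
import re

# Fixed builds as listed in the article, keyed by (branch, variant).
# Branch/variant pairs not present here are treated as unsupported (EOL)
# and must be upgraded to a supported branch rather than patched in place.
FIXED_BUILDS = {
    ("14.1", "standard"): (47, 48),
    ("13.1", "standard"): (59, 22),
    ("13.1", "FIPS"): (37, 241),
    ("13.1", "NDcPP"): (37, 241),
    ("12.1", "FIPS"): (55, 330),
}

# Roles the article marks as highest risk for this CVE.
HIGH_RISK_ROLES = {"gateway", "aaa", "lb-ipv6"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_build(version: str):
    """Split '14.1-47.48' into branch '14.1' and the comparable tuple (47, 48)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return f"{major}.{minor}", (build, sub)


def assess(version: str, variant: str = "standard") -> str:
    """Return 'fixed', 'vulnerable' or 'unsupported' for one appliance."""
    branch, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return "unsupported"  # EOL or unknown branch: upgrade to a supported branch
    # Tuple comparison orders by build first, then sub-build.
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory):
    """inventory rows: (hostname, version, variant, [roles]). Returns (host, status, priority)."""
    rows = []
    for host, version, variant, roles in inventory:
        status = assess(version, variant)
        exposed = bool(HIGH_RISK_ROLES & {r.lower() for r in roles})
        if status == "fixed":
            priority = "ok"
        elif exposed:
            priority = "P1"  # unpatched and in a role the exploit is known to reach
        else:
            priority = "P2"  # unpatched but not in a confirmed-vulnerable role
        rows.append((host, status, priority))
    return rows


# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE_INVENTORY = [
    ("ns-gw-01", "14.1-43.50", "standard", ["Gateway"]),
    ("ns-lb-02", "13.1-59.22", "standard", ["LB"]),
    ("ns-fips-03", "13.1-37.207", "FIPS", ["AAA"]),
    ("ns-old-04", "13.0-92.21", "standard", ["LB"]),
]

if __name__ == "__main__":
    for host, status, priority in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:12} {priority}")
```

The comparison is deliberately per branch: a 13.1-FIPS appliance at 13.1-37.x is not compared against the standard 13.1-59.22 build, and anything on 13.0 or standard 12.1 is reported as unsupported rather than silently passed.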

Why This Is Urgent: Exploitation and Post-Exploitation Observations

The inclusion in CISA’s KEV Catalog signals that there is reliable evidence of in-the-wild exploitation. Multiple security teams and incident responders have reported active exploitation, including:
  • Observed exploitation attempts and confirmed successful compromises of unpatched appliances.
  • Reports that attackers are using the vulnerability as a vector to drop webshells or other lightweight backdoors on compromised appliances.
  • Historically, the NetScaler family has been targeted repeatedly during the year, and defenders have seen multiple NetScaler zero-days weaponized quickly.
Security researchers have publicly reported webshell deployment and follow-on activities tied to this class of NetScaler vulnerabilities. Those reports point to a typical exploitation lifecycle: scan → vulnerability exploit → payload deployment (webshell/backdoor) → lateral movement or data exfiltration. However, these specific post-exploitation observations are field reports from researchers and responders; while credible, some details may evolve as forensic investigations continue. Treat such reports as high-priority leads but verify within your environment through direct log/IOC analysis.

Detection and Incident Response (Practical Steps)

If you operate NetScaler appliances (on-prem or in hybrid deployments), follow this prioritized sequence:
  • Inventory and Prioritize
      • Create a current inventory of all NetScaler ADC and NetScaler Gateway instances, including cloud-managed, on-premises, HA pairs, and inside Secure Private Access on-prem/hybrid deployments.
      • Note appliance roles and virtual server types; mark Gateway/AAA and IPv6-bound LB virtual servers as highest risk.
  • Patch Immediately
      • Schedule emergency maintenance windows to upgrade to the fixed builds listed above.
      • Where immediate patching is not possible, implement network-level isolation (remove from internet exposure, place behind strict ACLs) and limit management-plane access.
  • Post-Patch Remediation Steps
      • After all appliances in an HA pair or cluster are upgraded, terminate active ICA and PCoIP sessions via the vendor-recommended commands (for example: kill icaconnection -all and kill pcoipConnection -all). These commands are recommended to invalidate potentially stolen session tokens.
      • Rotate credentials and keys associated with the appliance, and enforce credential changes for users who authenticated through vulnerable appliances, where suspicion of compromise exists.
  • Hunt for Indicators of Compromise (IOC)
      • Review NetScaler logs (syslog export is preferred) for anomalous entries. Practical heuristics that have surfaced in incident analyses include:
          • Log lines showing non-ASCII byte ranges in AAA authentication rejection messages (evidence of malformed payloads).
          • Session anomalies such as a single session used from multiple disparate client IPs (possible session hijack).
          • Unexpected file writes, webshell artifacts, or unknown listener processes post-compromise.
      • Use vendor-provided IOC tools or request an IOC shell script from vendor support to scan for known artifacts, if available.
  • Network and Endpoint Scanning
      • Run network IDS/IPS detection rules for known exploitation patterns and update signatures. Deploy signature-based detections that target malformed requests used in NetScaler exploits.
      • Scan internal networks for instances with fingerprints indicating prior compromise or suspicious persistence mechanisms.
  • Forensics and Remediation
      • If exploitation is confirmed, assume post-exploitation activity is possible. Perform comprehensive forensics: memory capture (where possible), full filesystem scans, and export of configuration and user session histories.
      • Look for persistence mechanisms, new accounts, modified access lists, or exfiltration channels.
      • Rebuild compromised appliances from known-good images where forensic evidence shows persistent compromise rather than a transient exploit.
  • Notification and Reporting
      • For federal agencies and organizations governed by regulation, follow required incident reporting processes.
      • Report exploitation evidence to national CERTs, CISA, or other appropriate authorities to assist with larger threat intelligence correlation.

Detection Playbook: Key Commands and Log Searches

  • Terminate vulnerable session types after patching:
      • kill icaconnection -all
      • kill pcoipConnection -all
  • Suggested log search patterns (examples for NetScaler syslog analysis):
      • Search for AAA messages containing non-ASCII bytes (range 128–255). These may appear escaped in viewers but can be detected with regex on raw logs.
      • Review SSLVPN TCPCONNSTAT and other session log lines for client IP vs. source IP mismatches.
      • Review logs for repeated malformed HTTP POSTs targeting authentication endpoints or unusual request payload sizes.
These actions should be part of an automated playbook so that detection, containment, and remediation can be executed quickly when KEV items are added.
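The two log heuristics above (high bytes inside AAA messages, and one session ID seen from several client IPs) are simple enough to automate against an exported syslog file. The following Python script is an added example, not from the original post or from Citrix, that runs both checks over raw bytes so that non-ASCII content is matched before any viewer or decoder escapes it. The sample lines are constructed, and their field layout (`SessionId: N`, `ClientIP a.b.c.d`) is a simplified, hypothetical approximation of NetScaler syslog output; adjust the regexes to match the exact format of your export.

```python
import re
from collections import defaultdict

# Constructed sample export (hypothetical field layout, not real appliance output).
# Line 2 carries bytes >= 0x80 inside an AAA rejection message; session 5 is later
# seen from a second client IP.
SAMPLE_LOG = (
    b"Aug 26 10:01:02 ns1 default AAA Message 101 0 : \"Login succeeded user=alice ClientIP 203.0.113.10\"\n"
    b"Aug 26 10:01:05 ns1 default AAA Message 102 0 : \"Authentication rejected for user \xe9\x80\xff\x90 ClientIP 198.51.100.7\"\n"
    b"Aug 26 10:02:00 ns1 default SSLVPN TCPCONNSTAT 201 0 : SessionId: 5 - User alice - ClientIP 203.0.113.10 - Source 203.0.113.10:51000\n"
    b"Aug 26 10:02:30 ns1 default SSLVPN TCPCONNSTAT 202 0 : SessionId: 5 - User alice - ClientIP 203.0.113.10 - Source 203.0.113.10:51002\n"
    b"Aug 26 10:03:10 ns1 default SSLVPN TCPCONNSTAT 203 0 : SessionId: 5 - User alice - ClientIP 192.0.2.44 - Source 192.0.2.44:40010\n"
    b"Aug 26 10:04:00 ns1 default SSLVPN TCPCONNSTAT 204 0 : SessionId: 9 - User bob - ClientIP 203.0.113.22 - Source 203.0.113.22:52000\n"
)

# Bytes regex: matches any octet in the 128-255 range on the raw line.
NON_ASCII = re.compile(rb"[\x80-\xff]")
# Pulls the session id and client IP out of a TCPCONNSTAT line (assumed layout).
SESSION = re.compile(rb"SSLVPN TCPCONNSTAT.*?SessionId: (\d+) .*?ClientIP (\d+\.\d+\.\d+\.\d+)")


def find_non_ascii_aaa(raw: bytes):
    """Return (line_number, hex_of_high_bytes) for AAA lines containing bytes >= 0x80."""
    hits = []
    for n, line in enumerate(raw.splitlines(), 1):
        if b" AAA " in line and NON_ASCII.search(line):
            hits.append((n, b"".join(NON_ASCII.findall(line)).hex()))
    return hits


def find_multi_ip_sessions(raw: bytes):
    """Map session id -> sorted distinct client IPs, keeping only sessions seen from >1 IP."""
    seen = defaultdict(set)
    for line in raw.splitlines():
        m = SESSION.search(line)
        if m:
            seen[m.group(1).decode()].add(m.group(2).decode())
    return {sid: sorted(ips) for sid, ips in seen.items() if len(ips) > 1}


def scan_file(path: str):
    """Run both checks over a syslog export read in binary mode."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return find_non_ascii_aaa(raw), find_multi_ip_sessions(raw)


if __name__ == "__main__":
    for line_no, hexbytes in find_non_ascii_aaa(SAMPLE_LOG):
        print(f"non-ASCII bytes in AAA message on line {line_no}: {hexbytes}")
    for sid, ips in find_multi_ip_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen from multiple client IPs: {', '.join(ips)}")
```

Reading the export as bytes matters: opening the file in text mode with a UTF-8 decoder can raise on, or silently replace, exactly the octets the first heuristic is looking for. A hit from either check is a lead for the forensic steps in the previous section, not proof of compromise on its own.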

Risk and Exposure Considerations

  • Internet-facing NetScaler appliances configured as VPN or AAA virtual servers are highest risk due to direct exposure and the exploit workflow targeting authentication and session-handling code paths.
  • Appliances that handle IPv6-bound services or DB services with IPv6 backends can also be affected, and IPv6 configurations are sometimes overlooked in inventory exercises.
  • Legacy/EOL appliances that have not been upgraded present a compound risk: no vendor patch is available and attackers view EOL products as attractive targets. Replace or isolate EOL units urgently.
  • The presence of active exploitation in the wild increases the probability of rapid compromise after vulnerability disclosure. Historical patterns show that many widely used appliances are scanned and attacked within hours of public disclosure.

Analysis: Vendor Response, Timelines, and Mitigation Realities

Citrix and the NetScaler team issued updated builds and security bulletins addressing this and related vulnerabilities. The vendor’s fixes indicate a rapid engineering response to patch the memory overflow conditions, and advisories include both fixed versions and recommended post-patching session termination commands.
Strengths in the response:
  • Timely patch releases across supported branches with clear build numbers.
  • Vendor-provided guidance on session invalidation and log indicators.
  • Availability of IOC scripts/tools to assist customers via support channels.
Ongoing risks and shortcomings:
  • No documented, practical workaround: without a hotfix, organizations must either patch or isolate, which can be operationally disruptive.
  • Historically, many NetScaler deployments have remained unpatched for weeks after advisories; KEV inclusion often follows exploitation observed in exactly such unpatched environments.
  • Operators with complex HA clusters, third-party managed services, or restrictive maintenance windows may find remediation disruptive; attackers exploit that window.
Operationally, organizations should treat KEV additions as urgent triage items: where production impact prevents immediate upgrades, short-term network-level mitigations and aggressive detection must compensate until patching occurs.

Recommended Organizational Steps (Checklist)

  • Inventory all NetScaler ADC/Gateway instances, including versions and configuration roles.
  • Mark appliances configured as Gateway, AAA, or IPv6-bound LB servers as highest priority for patching.
  • Apply vendor fixed builds listed above to all affected, user-managed appliances.
  • After patching, run the recommended kill-session commands to invalidate potential stolen sessions.
  • Rotate credentials and secrets for accounts that authenticated via vulnerable appliances, if compromise is suspected.
  • Run targeted IOC hunts and request vendor IOC tools from support if available.
  • Isolate or remove EOL or unmanaged NetScaler appliances from networks if they cannot be upgraded.
  • Update firewall/ACLs to limit administrative and management plane access to trusted hosts.
  • Ensure logging is externally stored and retained long enough to support retrospective forensic action.
  • Document remediation and reporting actions per regulatory and organizational policy.

Broader Lessons for Vulnerability Management

This event reinforces several persistent truths for IT security programs:
  • Maintain an accurate, live inventory of edge appliances and their configurations. Vulnerability triage depends on knowing which devices perform which functions.
  • KEV is an operationally meaningful signal. Prioritization frameworks should incorporate both CVSS severity and exploitation status; KEV entries should move to the top of remediation queues.
  • Patch orchestration and emergency maintenance planning must be mature. The ability to rapidly test, stage, and deploy fixes across HA clusters reduces the attacker’s window.
  • Logging and telemetry retention are paramount. Many successful investigations hinge on historical logs that are only available if syslog or SIEM pipelines are configured to persist beyond default appliance retention windows.
  • Legacy and unmanaged appliances are a common vector. Replace, isolate, or aggressively monitor such assets.

What Security Teams Need to Communicate Internally

  • Communicate urgency to operations and business stakeholders: this is a known-exploited RCE on perimeter appliances, and delays materially increase risk.
  • Identify and freeze high-risk administrative changes during remediation windows to avoid configuration drift that could complicate forensics.
  • Coordinate with identity and access teams to prepare credential rotation procedures and to ensure rapid invalidation of potentially impacted sessions.
  • Prepare incident response teams to run hunts and collect forensic artifacts if exploitation is suspected.

Conclusion

CVE-2025-7775’s addition to CISA’s KEV Catalog is a clear operational signal: exploit activity has been observed, and the attack vector targets critical edge infrastructure. For organizations that rely on Citrix NetScaler ADC or NetScaler Gateway appliances, this is a high-priority incident—patch immediately, verify patches were applied across HA/clustered systems, terminate active sessions as recommended, and hunt for indicators of compromise. Given the lack of viable workarounds and documented proof of exploitation, remediation and forensic validation should be treated as urgent tasks within vulnerability management workflows. Prioritize inventory accuracy, rapid patch deployment, and robust logging so future KEV additions can be dealt with in minutes or hours rather than days or weeks.

Source: CISA, “CISA Adds One Known Exploited Vulnerability to Catalog”